CloudGuard WAF

AWS

Overview

If you are deploying a CloudGuard WAF AppSec Gateway to protect an existing production website, we recommend you also read the HOW-TO guide for this particular deployment.
CloudGuard WAF can be deployed in AWS as either a single virtual machine or an Auto-Scaling Group. It acts as a reverse proxy, and you can deploy AWS Load Balancers before or after it.
When deploying an auto-scaling group, the external load balancer is deployed automatically.

Installation

Follow these steps to deploy CloudGuard WAF in AWS using a supplied CloudFormation Template:

Step 1: AWS Console Log in

Log in to AWS Console and select the relevant region.

Step 2: Activate CloudGuard WAF through the AWS Marketplace (Once per Region)

Search for CloudGuard WAF (or the previous name, CloudGuard AppSec) in AWS Marketplace. During activation, a form with a field for selecting one of the AWS regions is shown. Select the region in which you wish to deploy CloudGuard WAF's AppSec Gateway.

Step 3: Verify required permissions

Verify that you have the required IAM permissions:
CloudFormation::DescribeStackEvents
CloudFormation::DescribeStacks
CloudFormation::ListStacks
CloudFormation::ListStackResources
CloudFormation::CreateStack
elasticloadbalancing::DescribeLoadBalancers
elasticloadbalancing::DescribeListeners
elasticloadbalancing::DescribeTargetGroups
elasticloadbalancing::CreateTargetGroup
elasticloadbalancing::CreateListener
elasticloadbalancing::CreateLoadBalancer
elasticloadbalancing::ModifyTargetGroupAttributes
elasticloadbalancing::ModifyLoadBalancerAttributes
SNS::CreateTopic
SNS::GetTopicAttributes
SNS::Subscribe
IAM::GetRolePolicy
IAM::PutRolePolicy
IAM::CreateInstanceProfile
IAM::CreateRole
IAM::AddRoleToInstanceProfile
EC2::DescribeInternetGateways
EC2::DescribeLaunchTemplates
EC2::DescribeLaunchTemplateVersions
EC2::DescribeKeyPairs
EC2::DescribeSecurityGroups
EC2::DescribeSubnets
EC2::DescribeVpcs
EC2::DescribeAccountAttributes
EC2::CreateTags
EC2::AuthorizeSecurityGroupIngress
EC2::CreateLaunchTemplate
EC2::CreateSecurityGroup
EC2::RunInstances
CloudWatch::PutMetricAlarm
Health::DescribeEventAggregates
If you want AutoScaling setup:
AutoScaling::UpdateAutoScalingGroup
AutoScaling::CreateAutoScalingGroup
AutoScaling::DescribeAutoScalingGroups
AutoScaling::DescribeScalingActivities
AutoScaling::PutScalingPolicy
AutoScaling::PutNotificationConfiguration
If you want to store certificates in AWS:
KMS::CreateGrant
KMS::DescribeKey
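
One way to carry out the check in Step 3 before launching the stack, as an added example that is not Check Point's own tooling: it compares an identity policy document against the base permission list above and reports the actions that are not granted. It assumes the policy JSON is already in hand; the sample policy is constructed, the function names are this example's own, and the matching is simplified (Action wildcards and Deny only; Resource, Condition, NotAction, permission boundaries and SCPs are not evaluated).

```python
import fnmatch

# Base permissions from the list above, regrouped by service and written with
# the lower-case "service:Action" prefixes that IAM policy documents use.
# The optional AutoScaling and KMS sets are left out.
REQUIRED = """
cloudformation: DescribeStackEvents DescribeStacks ListStacks ListStackResources CreateStack
elasticloadbalancing: DescribeLoadBalancers DescribeListeners DescribeTargetGroups CreateTargetGroup
elasticloadbalancing: CreateListener CreateLoadBalancer ModifyTargetGroupAttributes ModifyLoadBalancerAttributes
sns: CreateTopic GetTopicAttributes Subscribe
iam: GetRolePolicy PutRolePolicy CreateInstanceProfile CreateRole AddRoleToInstanceProfile
ec2: DescribeInternetGateways DescribeLaunchTemplates DescribeLaunchTemplateVersions DescribeKeyPairs
ec2: DescribeSecurityGroups DescribeSubnets DescribeVpcs DescribeAccountAttributes CreateTags
ec2: AuthorizeSecurityGroupIngress CreateLaunchTemplate CreateSecurityGroup RunInstances
cloudwatch: PutMetricAlarm
health: DescribeEventAggregates
"""

# Constructed sample policy (not from the page): read-only on IAM, mostly
# read-only on EC2, broad on the other services.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "cloudformation:*", "elasticloadbalancing:*", "sns:*", "ec2:Describe*",
        "ec2:CreateTags", "ec2:RunInstances", "cloudwatch:PutMetricAlarm",
        "health:Describe*"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:Get*"},
]}

def required_actions(spec=REQUIRED):
    """Expand the 'service: Action Action' lines into 'service:Action' names."""
    actions = []
    for line in spec.strip().splitlines():
        service, names = line.split(":", 1)
        actions += [f"{service.strip()}:{name}" for name in names.split()]
    return actions

def as_list(value):
    return value if isinstance(value, list) else [value]

def missing_actions(policy, needed):
    """Return needed actions that no Allow covers or that a Deny matches."""
    allow, deny = [], []
    for stmt in as_list(policy["Statement"]):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket += [a.lower() for a in as_list(stmt.get("Action", []))]
    def hit(action, patterns):  # IAM action names are case-insensitive
        return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    return [a for a in needed if hit(a, deny) or not hit(a, allow)]

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY, required_actions()):
        print("missing:", action)
```

An empty result means only that the listed actions are named by an Allow statement; the stack can still fail on resource scoping or organization-level policy.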

Step 4: Deployment using CloudFormation

Choose one of three deployment options:
Single Gateway into new VPC
Single Gateway into existing VPC
Auto-Scaling group into existing VPC

Single Gateway into new VPC

VPC Network Configuration
  • Availability Zone - The availability zone in which to deploy the instance.
  • VPC CIDR - If you launched the CloudFormation template to create a new VPC - The CIDR of the new VPC.
  • Public Subnet CIDR - The Public (Frontend) subnet of the CloudGuard WAF's AppSec Gateway.
  • Private Subnet CIDR - The Private (Backend) subnet of the CloudGuard WAF's AppSec Gateway.
EC2 Instance Configuration
  • Gateway Name - EC2 name.
  • Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types.
    • Minimum requirements: c5.large
  • Key name - The EC2 Key Pair you created for this region.
  • Auto Assign Public IP - If selected Yes, then the solution has a public IP address.
  • Enable AWS Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.
Check Point Settings
  • Gateway’s Password hash – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: openssl passwd -1 <password>. It is also possible to create a password using the SHA512 algorithm as follows: openssl passwd -6 <password>.
  • Infinity Next Agent Token - The token copied from the profile.
    Make sure you obtain the <token> from the Enforcement Profile page, Authentication section.
  • Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.
Advanced Settings
  • Gateway Hostname (Optional) - The Gaia Hostname.
  • Bootstrap Script (Optional)
The default Security Group associated to the created VPC is defined with these ports for Inbound traffic:
  • TCP Port 22 - for SSH.
  • TCP Port 443 - for HTTPS.
  • TCP Port 30443 - The CloudGuard WAF AppSec Gateway's Web UI.
  • TCP Port 80 - for HTTP.
  • To configure a single CloudGuard WAF AppSec gateway installation with SSL, refer to Infinity Next Deployment and Configuration.

Single Gateway into existing VPC

VPC Network Configuration
  • VPC - Select an existing Virtual Private Network from your region.
  • Public Subnet CIDR - Select the Public (Frontend) subnet of the CloudGuard WAF's AppSec Gateway from the available list.
  • Private Subnet CIDR - Select the Private (Backend) subnet of the CloudGuard WAF's AppSec Gateway from the available list.
  • Internal route table (optional) - keep empty.
EC2 Instance Configuration
  • Gateway Name - EC2 name.
  • Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types.
    • Minimum requirements: c5.large
  • Key name - The EC2 Key Pair you created for this region.
  • Auto Assign Public IP - If selected Yes, then the solution has a public IP address.
  • Enable AWS Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.
Check Point Settings
  • Gateway’s Password hash – The hashed password for the Gaia Administration Portal. User is set to ‘admin’. Use this command to create the hash: openssl passwd -1 <password>.
  • Infinity Next Agent Token - The token copied from the profile.
    Make sure you obtain the <token> from the Enforcement Profile page, Authentication section.
  • Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.
Advanced Settings
  • Gateway Hostname (Optional) - The Gaia Hostname.
  • Bootstrap Script (Optional)
A security group with the name suffix "*_PermissiveSecurityGroup" will be created and associated with the existing VPC. This security group is defined with these ports for Inbound traffic:
  • TCP Port 22 - for SSH.
  • TCP Port 443 - for HTTPS.
  • TCP Port 30443 - The CloudGuard WAF AppSec Gateway's Web UI.
  • TCP Port 80 - for HTTP.
  • To configure a single CloudGuard WAF AppSec gateway installation with SSL, refer to Infinity Next Deployment and Configuration.
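
A check for the inbound rules listed in both single-gateway options above, as an added example that is not part of the vendor's documentation: it reads security group data in the shape returned by `aws ec2 describe-security-groups` and reports where the SSH or gateway Web UI port is reachable from any address. Treating 22 and 30443 as administration ports and 80/443 as intentionally public is this example's assumption; the sample data and group name are constructed.

```python
import ipaddress

# Ports the page lists for SSH and the gateway Web UI. Ports 80 and 443 carry
# the proxied site traffic and are expected to be public (example assumption).
ADMIN_PORTS = {22: "SSH", 30443: "gateway Web UI"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [{
    "GroupName": "waf-demo_PermissiveSecurityGroup",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 30443, "ToPort": 30443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 30500,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]}]}

def world_sources(rule):
    """CIDRs on this rule that match every address (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def covers(rule, port):
    """True if the rule admits TCP traffic to `port` (protocol -1 = all)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit(described):
    """List (group, port, service, cidr) for admin ports open to the world."""
    return [(sg["GroupName"], port, label, cidr)
            for sg in described["SecurityGroups"]
            for rule in sg.get("IpPermissions", [])
            for cidr in world_sources(rule)
            for port, label in ADMIN_PORTS.items() if covers(rule, port)]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("exposed admin port:", finding)
```

The port-range rule in the sample shows why the check tests range coverage rather than exact port equality: 30443 is exposed over IPv6 even though its dedicated rule is restricted.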

Auto-Scaling group into existing VPC

VPC Network Configuration

  • VPC - Select an existing Virtual Private Network from your region.
  • Gateways subnets – Select at least two subnets in your VPC.
    The subnets must allow outbound traffic to the internet for communicating with CloudGuard WAF's Cloud.
EC2 Instance Configuration
  • Auto Scaling Group name - The name of the Auto Scaling Group. This name determines the VM's hostname prefix.
  • Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types. Minimum requirements: c5.large
  • Volume encryption - EBS encryption of the instances' volumes using an AWS managed KMS key. Custom KMS keys are not supported. If regional encryption is used, then both AWS managed and Custom KMS keys are supported.
  • Allow access from - Specifies the client IP addresses that can reach your instance. This IP address range must be in CIDR notation.
    • To add IP addresses after the deployment:
      1. Go to your deployed Stack > Resources or go to Services > EC2 > Security Groups and select the relevant Security Group.
      2. Click Edit inbound rules.
      3. Below the Source field, enter a list of IP addresses.
  • Key name - The EC2 Key Pair you created for this region.
  • Enable EC2 Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.

Check Point Settings

  • Gateway’s Password hash (Optional) – The hashed password for the Gaia Administration Portal. User is set to ‘admin’.
    Use this command to create the hash:
    openssl passwd -1 <password>
  • Infinity Next Agent Token - The token copied from the profile.
    Make sure you obtain the <token> from the Enforcement Profile page, Authentication section.
  • Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.

Auto Scaling Group Settings

  • Type of the Load Balancer - Choose whether you want to deploy a solution with a network or an application load balancer.
Note - For an application load balancer, to configure the HTTP health checks, the following settings must be added to the Infinity Next profile:
Key: agent.rpmanager.nginxIncludeLines
Value: server {listen 8117; return 200;}
Key: agent.config.orchestration.healthCheckProbe.enable
Value: false
  • Scheme of the Load Balancer - Choose if the load balancer should be Internal or External.
  • Initial number of gateways – The initial number of EC2 instances that is deployed together with the Auto Scaling Group.
  • Maximum number of gateways – The maximum number of EC2 instances the Auto Scaling Group can scale to.
  • Bootstrap script (Optional) - An optional script to run on the initial boot.
  • Administrator email address (Optional) - An email address to notify users about scaling events.
Creating the stack in AWS takes about 6-8 minutes. When the CloudGuard WAF EC2 loads, it automatically connects to Check Point, registers using the token you provided, and fetches your policy. Then, either Store Certificates in AWS or Store Certificates on the Gateway. If successful, you will see a green notification bar in this portal with a message that your Agent/Gateway successfully connected.
Troubleshooting Tips
  • After launching the CloudFormation stack, you can monitor the progress of AWS resource creation in the AWS console under the 'Resources' tab of the deployed parent and nested stacks. If provisioning fails, the created resources are deleted, and the reason for the failure can be viewed under the 'Events' tab of the failed stack.
  • Verify that you entered the correct Token taken from the profile page. Otherwise, your AppSec Gateway will not be able to connect to Check Point cloud.
  • Verify that the subnet where you deploy the AppSec Gateway has outbound internet connectivity.
  • Verify that the chosen EC2 instance type is available in your region.
  • Verify that you have sufficient IAM permissions as listed above to run the CloudFormation stack.

Step 5: SSL Certificates

Choose the desired SSL Certificates storage method:

Step 6: Launch the stack

To launch the Stack, select these two checkboxes: