Check Point CloudGuard Auto Scaling on AWS
Partner Solution Deployment Guide

February 2023
Check Point Software Technologies
Vinod Shukla, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.
This Partner Solution was created by Check Point Software Technologies in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.
Overview
This reference deployment guide provides step-by-step instructions for deploying a web service secured by an Auto Scaling group of Check Point CloudGuard Security Gateways on the AWS Cloud.
AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. For example, a web application might be served by multiple web servers that are deployed across multiple Availability Zones.
This deployment is for users who want to publish an automatically scaled and dynamically secured web service on AWS, defining content-level access policy, monitoring incoming requests to the service, applying intrusion prevention system (IPS) protections for web servers, enforcing geo-based policy, preventing malicious bots activity, and more.
The deployment deploys an Auto Scaling group of Check Point CloudGuard Security Gateways in front of a workload of web servers, because a security solution should be as scalable as the setup it is protecting. Additionally, you can select to deploy either an external Application Load Balancer that operates at the application layer, or a Network Load Balancer that operates at the transport layer, to route traffic from the internet to the Security Gateways.
To manage the CloudGuard Security Gateways, you can choose to deploy a preconfigured Check Point CloudGuard Security Management Server, use an existing Security Management Server, or deploy one later.
If you choose to deploy your workload of web servers, this deployment will also include an internal Application Load Balancer, to route traffic from the Security Gateways to your workload. Otherwise, you can use existing internal load balancers, or deploy those later, by tagging them in the AWS Management Console.
Check Point CloudGuard for AWS
Check Point CloudGuard for AWS extends comprehensive threat prevention security to the AWS Cloud. It protects assets in the cloud from attacks while enabling secure connectivity.
CloudGuard lets you enforce consistent security policies across your entire organization by protecting data between the corporate network and your virtual private cloud (VPC). CloudGuard can also inspect data entering and leaving the private subnet in the VPC to prevent attacks and to mitigate data loss or leakage.
Check Point CloudGuard for AWS meets an organization’s cloud security needs with flexible and manageable security options, including Firewall, Intrusion Prevention System (IPS), Application Control, Antivirus, Anti-Bot, URL filtering, Identity Awareness, advanced Threat Prevention, and Threat Extraction Software for known threats and zero-day attacks. CloudGuard protects services in the public cloud from the most sophisticated threats and from unauthorized access while preventing application layer denial-of-service attacks.
Costs and licenses
There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.
The Check Point CloudGuard Security Gateways, which are launched by the Auto Scaling group, and the optional Check Point CloudGuard Security Management Server, require a license.
Because this deployment uses Amazon Machine Images (AMIs) from AWS Marketplace, you must subscribe to Check Point CloudGuard in AWS Marketplace before you launch. There are two licensing options: Pay As You Go (PAYG) and Bring Your Own License (BYOL). See the predeployment steps deployment section for details and links.
To purchase BYOL licenses, contact Check Point Sales. If you already have a BYOL license and you’d like to use it for this deployment, visit the Licensing section of Check Point’s CloudGuard Auto Scaling in AWS documentation.
Architecture
Deploying this Partner Solution with default parameters builds the following CloudGuard environment in the AWS Cloud.

As shown in Figure 1, this Partner Solution sets up the following:
- A highly available architecture that spans two Availability Zones.*
- A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
- In the private subnets:
  - CloudGuard Security Gateways in an Auto Scaling group.
  - Either an external Application Load Balancer that operates at the application layer or a Network Load Balancer that operates at the transport layer, to route traffic from the internet to the CloudGuard Security Gateways.
  - An optional Auto Scaling group of web servers.
  - If you choose to deploy your workload of web servers, an internal Application Load Balancer, to route traffic from the Security Gateways to your workload.
- In the public subnets:
  - An optional, preconfigured CloudGuard Security Management Server, to manage the Security Gateways.

* The template that deploys this Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.
Deployment options
This Partner Solution provides the following deployment options:
- Deploy CloudGuard into a new VPC. This option builds a new AWS environment that consists of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys CloudGuard into this new VPC.
- Deploy CloudGuard into an existing VPC. This option provisions CloudGuard in your existing AWS infrastructure.
This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and CloudGuard settings.
Predeployment steps
Subscribe to Check Point CloudGuard IaaS
1. Log in to AWS Marketplace at https://aws.amazon.com/marketplace.
2. Open the page for one of the following licensing options for Check Point CloudGuard Security Gateway:
3. Choose Continue to Subscribe.
4. Choose Accept Terms to confirm your acceptance of the AWS Marketplace license agreement.
5. If you want to deploy a Check Point CloudGuard Security Management Server, open the AWS Marketplace page for one of the following licensing options, and repeat steps 3 and 4:

If you want to manage more than 25 Security Gateways, either in the Auto Scaling group deployed here or in another environment, select the BYOL option and purchase a license. To purchase BYOL licenses, contact Check Point Sales.
Deployment steps
1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.
2. Choose the correct AWS Region, and then choose Next.
3. On the Create stack page, keep the default setting for the template URL, and then choose Next.
4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

   Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.
6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.
7. Choose Create stack. The stack takes about 30 minutes to deploy.
8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Check Point CloudGuard Auto Scaling deployment is ready.
9. To view the created resources, choose the Outputs tab.
Postdeployment steps
Test the deployment
To test the deployment, verify that the protected web service is accessible via the external Application or Network Load Balancer DNS address, as specified in the CloudFormation stack Outputs tab.
Check Point Security Management Server
The CloudGuard Security Gateways are automatically managed by a Check Point Security Management Server that can be deployed either on AWS or on premises.
During scale-out events, in which new Security Gateway instances are launched to meet an increase in current load, the Security Management Server performs the necessary configuration of the Security Gateways and security policies to facilitate the inspection and routing of traffic.
During scale-in events, in which existing Security Gateway instances are terminated as a result of a decrease in current load, the Management Server cleans up any settings that were created when the Security Gateways were launched.
For more information about scale-out and scale-in, see Check Point’s CloudGuard Auto Scaling in AWS documentation.
If you have chosen to deploy a Check Point Security Management Server by accepting the default setting of the Deploy Management Server parameter, it is deployed and configured to automatically provision the Security Gateways so they will inspect and route traffic to the workload of web servers placed behind them. The IAM policy that will be attached to the Security Management Server’s IAM role will enable it to read Amazon EC2, Elastic Load Balancing, and Auto Scaling properties.
If you set the Deploy Management Server parameter to No, you can either use an existing Management Server or deploy one later.
To manually deploy and configure a CloudGuard Security Management Server, either on AWS or on premises, see the section Installing and configuring the Check Point Security Management Server in Check Point’s CloudGuard Auto Scaling for AWS documentation.
The CloudFormation stack Outputs tab specifies the tags and values with which the resources were deployed. You may use this information if you are configuring the Auto Provisioning service for the first time.
If you are configuring the Security Management Server manually, make sure that the values for the management name and the configuration template name in the Management Server configuration match the tags and values of the load balancers and the Auto Scaling group of Security Gateways.
For advanced configuration, such as enabling and disabling Software Blades, see Check Point’s Security Management Server with CloudGuard for AWS documentation.
Web Servers Workload
If you have chosen to deploy a workload of web servers by setting the Deploy Servers parameter to Yes, an internal Application Load Balancer will also be deployed to route traffic to the workload from the Security Gateways. The Auto Scaling settings of the web servers, such as the minimum and maximum group sizes, will match those of the Auto Scaling group of Security Gateways, as specified by the Minimum Group Size and Maximum Group Size parameters during deployment. These settings can be modified from the Auto Scaling Groups tab in the AWS Management Console.
The Auto Scaling group of CloudGuard Security Gateways will be automatically provisioned by the Security Management Server so that the Security Gateways will forward the inspected traffic to the internal Application Load Balancer.
To protect an existing workload of web servers, see the FAQ section.
Troubleshooting
For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.
FAQ
How can I use this deployment to protect an existing workload of web servers?
You can place an existing workload of web servers, or manually deploy a new workload, behind the CloudGuard Auto Scaling group of Security Gateways. To do so, follow these steps:
1. Select No for the Deploy Servers parameter when launching.
2. Place the web server workload in private subnets.
3. Create an internal load balancer that listens to the internal port, as specified in the CloudFormation stack Outputs tab.
4. Attach the load balancer’s target group to the web server workload.
5. Tag the internal load balancer as described in the section Adding tags to your Internal Elastic Load Balancer in Check Point’s CloudGuard Auto Scaling for AWS documentation. The values required to complete this step are described in the CloudFormation stack Outputs tab, if you have chosen to deploy a Security Management Server. Otherwise, you can determine these values when you configure the Management Server, as described in the section Installing and configuring the Check Point Security Management Server in Check Point’s CloudGuard Auto Scaling for AWS documentation.
It is also possible to have the web servers workload deployed in a different AWS account. See the section Connecting with Additional AWS accounts in Check Point’s Security Management Server with CloudGuard for AWS documentation.
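A way to confirm, before relying on auto-provisioning, that the internal load balancer and the Security Gateway Auto Scaling group carry the management name and configuration template name the Management Server is configured with (the check called for in the Check Point Security Management Server section and in step 5 above). This is an added example, not code from the Partner Solution or from Check Point; the tag keys x-chkp-management and x-chkp-template are assumed from Check Point's documentation, the optional fetch helper assumes boto3, and the sample tag data is constructed.

```python
"""Tag consistency check for CloudGuard auto-provisioning (added example)."""
from typing import Dict, List

# Assumed tag keys; confirm them against Check Point's CloudGuard Auto Scaling
# for AWS documentation before use.
MANAGEMENT_TAG = "x-chkp-management"
TEMPLATE_TAG = "x-chkp-template"


def tags_to_dict(tags: List[Dict[str, str]]) -> Dict[str, str]:
    """Collapse a boto3-style [{'Key': ..., 'Value': ...}] list into a dict."""
    return {t["Key"]: t["Value"] for t in tags}


def check_provisioning_tags(management_name: str, template_name: str,
                            lb_tags: List[Dict[str, str]],
                            asg_tags: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means both resources carry the
    expected management name and configuration template name."""
    problems = []
    for label, tags in (("internal load balancer", lb_tags),
                        ("Security Gateway Auto Scaling group", asg_tags)):
        found = tags_to_dict(tags)
        for key, expected in ((MANAGEMENT_TAG, management_name),
                              (TEMPLATE_TAG, template_name)):
            actual = found.get(key)
            if actual is None:
                problems.append(f"{label}: missing tag {key}")
            elif actual != expected:
                problems.append(f"{label}: {key} is '{actual}', expected '{expected}'")
    return problems


def fetch_tags(lb_arn: str, asg_name: str):
    """Read the live tags with boto3 (imported here so the offline check above
    runs without it). Returns (lb_tags, asg_tags) in the same list shape."""
    import boto3  # assumption: boto3 is installed and credentials are configured
    lb = boto3.client("elbv2").describe_tags(ResourceArns=[lb_arn])
    asg = boto3.client("autoscaling").describe_auto_scaling_groups(
        AutoScalingGroupNames=[asg_name])
    return (lb["TagDescriptions"][0]["Tags"],
            asg["AutoScalingGroups"][0]["Tags"])


# Constructed sample data, in the shape the two boto3 calls above return.
SAMPLE_LB_TAGS = [{"Key": MANAGEMENT_TAG, "Value": "cp-management"},
                  {"Key": TEMPLATE_TAG, "Value": "asg-template"}]
SAMPLE_ASG_TAGS = [{"Key": MANAGEMENT_TAG, "Value": "cp-management"},
                   {"Key": TEMPLATE_TAG, "Value": "asg-tmpl"}]  # misspelled on purpose

if __name__ == "__main__":
    for problem in check_provisioning_tags("cp-management", "asg-template",
                                           SAMPLE_LB_TAGS, SAMPLE_ASG_TAGS):
        print("MISMATCH:", problem)
```

A mismatch in either tag means the Management Server will not provision the resource, so run the check against every internal load balancer you expect the gateways to forward to.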
How do I manually deploy a Check Point Security Management Server to manage the CloudGuard Security Gateways?
Choose No for the Deploy Management Server parameter during deployment, and follow the steps described in the Check Point Security Management Server section.
How do I configure an existing Check Point Security Management Server to manage the CloudGuard Security Gateways?
Choose No for the Deploy Management Server parameter during deployment, and follow the steps described in the Check Point Security Management Server section.
How do I enable additional Software Blades or disable active ones?
See the section Enabling and disabling Software Blades in Check Point’s Security Management Server with CloudGuard for AWS documentation.
Resources
- CloudGuard Auto Scaling for AWS https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk112575
- Security Management Server with CloudGuard for AWS https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk130372
- AWS CloudFormation Templates https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk111013
- Configuration of AWS STS to Delegate Access across two AWS accounts https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074
- Secure Cloud Blueprint: Agile Security Architecture for the Cloud https://pages.checkpoint.com/secure-cloud-blueprint.html
Customer responsibility
After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.
Feedback
To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:
Notices
This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.