Skip to main content
  • Ensure that you have completed all Transit FireNet steps up to but not including the launch of the Check Point firewall instance.
  • Current Aviatrix requirements mean that a Management Server needs to be configured along with the Gateway Server.

Recommendations and Caveats

Check Point CloudGuard Prerequisites

Ensure that you have completed all Transit FireNet steps up to but not including the launch of the Check Point firewall instance. Current Aviatrix requirements mean that a Management Server needs to be configured along with the Gateway Server. You have access to a Windows client so you can run the SmartConsole, which is provided by Check Point and is specific per version of CloudGuard being installed. You can use this link: R80.10.

Recommendations and Caveats

Check Point versions R77.30 and R80.10 support standalone deployments. For more information see Download Details: R77 Versions Installation and Upgrade Guide for Gaia Platforms. For more information on the differences across the available models/versions see Check Point Default Version and Release Terminology. Check Point has recommended the upgrade to R80 as part of their roadmap. For more information regarding such advisories, check the Check Point R80 image updates FAQ. For the purpose of this installation guide, we are going to consider only version R80.10 in standalone mode using the latest CloudFormation template available at the time this document was written. Currently we do not have a full integration between the Aviatrix dashboard and the CloudGuard, which means that you will not be able to update the firewall routing table via API, as it is currently possible with the Palo Alto VM-Series.

Setup Firewall Network (FireNet)

After you have prepared your FireNet VPCs and added the necessary Transit FireNet gateways, you can prepare your Check Point firewall as follows.

Deploying Check Point Instance From AWS Marketplace

Go to aws.amazon.com/marketplace and search for the chosen instance model/version in AWS Marketplace. Click Continue to Subscribe. image1 On the next screen, accept the terms and you should be able to continue. If you have chosen any of the R80 versions, you should be able to launch it using one of the CloudFormation templates. image2 For the purpose of this guide, we are going to use template 15 (standalone into existing VPC). If you have a Management Server deployed already you should use template 2 instead. This template will configure the first interface (eth0) as “external” and the second (eth1) as “internal”. For consistency purposes we suggest keeping eth0 as egress and management and eth1 for LAN. The template should look like this (if you have selected an existing VPC). Make sure your interfaces are in the same AZ. image3 For the next part of the template, make sure you have created/downloaded your pem key, as well as selected the proper instance size. For information on the networking features of each instance type, go here. image4 After you click on Create stack you can navigate to CloudFormation to monitor the stack creation. The status after creation should be CREATE COMPLETE. You can troubleshoot any warnings by checking the details in the “Outputs” tab. image5 Now go to the EC2 instances to monitor the status check – once they are done, you should be able to SSH into the instance. image6 Now that the instance is up – open your preferred terminal and SSH into the instance using the proper keys and the user “admin”. It takes only two commands to set a new password. image7

Logging into the Gaia Portal

Open a browser and go to https://management_eip/ to log into the Gaia Portal. You should be prompted with a screen like the one below. Enter the user name as admin and the password you configured in the previous step. image8 Go to Network Management > Network Interfaces. You should simply double-check whether all interfaces are active with a valid IP address. image9

Updating the Route Table

The next step is to update the route table. In this example, you add three return routes, each for a RFC 1918 address pointing back to the VPC router of the subnet aviatrixdmz-firewall (or aviatrixhagw-dmz-firewall if you are attaching the instance to the backup gateway instead). Go to the AWS console > VPC > Subnets and filter by “dmz-firewall” – that will allow you to determine the VPC router IP, which is the first host of each subnet. image10 Once you have determined the IP of the next hop, just go to IPv4 Static Routes and click on “Add”. Repeat this step for all three RFC 1918 subnets. 400

Downloading and Installing the SmartConsole

Download and install the SmartConsole (if you have not done so already) using this link: R80.10. On SmartConsole you need to define a security policy that will allow the traffic to be inspected/logged and update the topology. In the SmartConsole go to via Security Policies and then Policy and change the default policy to accept and log traffic. This should be customized to comply with your project requirements. Install the policy on the gateway(s) in question. Your basic policy should look like this: image12 As per the topology page, it can be reached via Gateways & Servers by double-clicking on the gateway. Then click on Network Management > Get Interfaces. image13 The final step is to monitor your traffic to confirm that the inspection is being performed as configured. Go to Logs & Monitor. image14 You can repeat this process to attach another CloudGuard instance to the backup Aviatrix gateway. For backup Aviatrix gateways, the subnets should be in a different AZ.