Bootstrap Configuration Example for Check Point Security Gateway in AWS/Azure

This document applies to both AWS and Azure.

Using the bootstrap option significantly simplifies the initial configuration of a Check Point Security Gateway. This document provides a basic bootstrap example for Check Point. A bootstrap configuration can be a vendor-specific script or configuration file.

For a manual setup of Check Point in AWS, follow Configuring Check Point in AWS.

For a manual setup of Check Point in Azure, follow Configuring Check Point in Azure.

If you plan to select AWS S3 Bucket for your AWS or Azure-based Check Point firewall, you must do the following in the AWS console first:

  • Create IAM Role and Policy

  • Create Bootstrap Bucket Structure

You then:

  • Deploy the firewall instance

  • Upload Config Files

If you plan to select User Data for your firewall, click here to complete the bootstrap configuration.

Creating an IAM Role and Policy

  1. Log in to the AWS console and create an IAM role, for example named "bootstrap-Checkpoint-S3-role".

  2. Attach an IAM policy, for example named "bootstrap-Checkpoint-S3-policy". The policy has the following statements.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
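The policy above grants read access to every bucket in the account ("arn:aws:s3:::*"). The gateway only needs to list and read its own bootstrap bucket, so the role can be scoped to that bucket. The following added example (not part of the original document or of Check Point's or AWS's tooling) builds the scoped variant from a bucket name and flags the account-wide wildcard resources in the page's policy; the bucket name is the one used later in this document.

```python
import json

# The IAM policy as given on the page: ListBucket/GetObject on every bucket.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::*"]},
    ],
}


def bootstrap_policy(bucket: str) -> dict:
    """Least-privilege variant of the page's policy.

    ListBucket applies to the bucket ARN itself; GetObject applies to the
    objects inside it (bucket/*). The role can then read init.conf and
    license.lic from this bucket and nothing else in the account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def wildcard_resources(policy: dict) -> list:
    """Return 'Statement[i]: <arn>' for every Allow statement whose Resource
    covers all S3 buckets ('*' or an ARN ending in ':::*')."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # Resource may be a bare string
            resources = [resources]
        for arn in resources:
            if arn == "*" or arn.endswith(":::*"):
                hits.append(f"Statement[{i}]: {arn}")
    return hits


if __name__ == "__main__":
    print("wildcards in page policy:", wildcard_resources(PAGE_POLICY))
    print(json.dumps(bootstrap_policy("bootstrap-checkpoint-bucket"), indent=2))
```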

Creating Bootstrap Bucket Structure

In AWS S3, at the top level create a bucket for bootstrap with a unique name, for example "bootstrap-checkpoint-bucket", with the following structure:

bootstrap-checkpoint-bucket/
    init.conf
    license.lic

Upload Config Files

  1. The example init.conf file contains the "Allow All" setup. To download the file, click init.conf.

  2. For the example license.lic file, click license.lic. For Metered AMI, this file is not required.

  3. Upload these two files to your config folder in the bootstrap-checkpoint-bucket.

  4. Navigate to Security > FireNet > Firewall to launch and deploy your Check Point firewall (for AWS or Azure) using the bootstrap configuration (selecting the AWS S3 Bucket option).

Validate Check Point Security Gateway Configuration

Now that you have deployed your Check Point firewall instance in AWS/Azure, your firewall is ready to receive packets. The next step is to validate your configuration in the Check Point Security Gateway and configure policies for Ingress and Egress inspection.

By default, all traffic is allowed through Check Point. You can verify this by launching one instance in the PROD Spoke VPC/VNet and one in the DEV Spoke VPC/VNet. Start pinging from the instance in the DEV Spoke VPC/VNet to the private IP of the instance in the PROD Spoke VPC/VNet. The ICMP traffic should go through Check Point and be inspected by the Security Gateway.

Additional References

Check Point Reference Custom Data