AWS
Overview
If you are deploying a CloudGuard WAF AppSec Gateway to protect an existing production website, we recommend you also read the HOW-TO guide for this particular deployment.
CloudGuard WAF can be deployed in AWS as either a single virtual machine or an Auto-Scaling Group. It acts as a reverse proxy; AWS Load Balancers can be deployed in front of it and/or behind it:
When deploying an Auto-Scaling Group, the external load balancer is deployed automatically.
Installation
Follow these steps to deploy CloudGuard WAF in AWS using a supplied CloudFormation Template:
Step 1: AWS Console Log in
Log in to AWS Console and select the relevant region.
Step 2: Activate CloudGuard WAF through the AWS Marketplace (Once per Region)
Search for CloudGuard WAF (or its previous name, CloudGuard AppSec) in AWS Marketplace. During activation, a form with a field for selecting one of the AWS regions is shown. Select the region in which you wish to deploy CloudGuard WAF's AppSec Gateway.
Step 3: Verify required permissions
Verify that you have the required IAM permissions:
Step 4: Deployment using CloudFormation
Choose one of the three deployment options:
CloudFormation Link
VPC Network Configuration
Availability Zone - The availability zone in which to deploy the instance.
VPC CIDR - If you launched the CloudFormation template to create a new VPC - The CIDR of the new VPC.
Public Subnet CIDR - The Public (Frontend) subnet of the CloudGuard WAF's AppSec Gateway.
Private Subnet CIDR - The Private (Backend) subnet of the CloudGuard WAF's AppSec Gateway.
EC2 Instance Configuration
Gateway Name - EC2 name.
Gateway Instance type - The machine size of the VM. Each machine size has its own compute price. See Amazon EC2 Instance Types.
Minimum requirements: c5.large
Key name - The EC2 Key Pair you created for this region.
Auto Assign Public IP - If set to Yes, the instance is assigned a public IP address.
Enable AWS Instance Connect - Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). See the AWS EC2 User Guide.
Check Point Settings
Gateway’s Password hash – The hashed password for the Gaia Administration Portal. The user is set to ‘admin’. Use this command to create the hash (-1 produces an MD5-based crypt hash):
openssl passwd -1 <password>
It is also possible to create the password hash using the SHA512 algorithm as follows:
openssl passwd -6 <password>
Infinity Next Agent Token - The token copied from the profile.
Make sure you obtain the <token> from the Enforcement Profile page, Authentication section.
Fog Address (optional) - Not used in production installations. The production cloud address is determined automatically.
Advanced Settings
Gateway Hostname (Optional) - The Gaia Hostname.
Bootstrap Script (Optional)
The default Security Group associated to the created VPC is defined with these ports for Inbound traffic:
TCP Port 22 - for SSH.
TCP Port 443 - for HTTPS.
TCP Port 30443 - The CloudGuard WAF AppSec Gateway's Web UI.
TCP Port 80 - for HTTP.
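The four inbound ports above include two management ports (22 and 30443) that normally should not be reachable from the whole Internet. The following script, an added example that is not Check Point's own code, audits a Security Group in the format returned by `aws ec2 describe-security-groups` for exactly these ports; the sample group below is constructed for illustration.

```python
import json

# Inbound TCP ports the deployment guide lists for the default Security Group.
EXPECTED_PORTS = {22: "SSH", 80: "HTTP", 443: "HTTPS", 30443: "AppSec Gateway Web UI"}
# Management ports that should be restricted to trusted source ranges.
MANAGEMENT_PORTS = {22, 30443}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def audit_security_group(sg: dict) -> dict:
    """Summarise which expected ports a Security Group opens, and to whom.

    `sg` is one element of the "SecurityGroups" list returned by
    `aws ec2 describe-security-groups`. An IpProtocol of "-1" (all traffic)
    has no FromPort/ToPort and is treated as covering every port.
    """
    ports_seen, open_to_world = set(), set()
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in EXPECTED_PORTS:
            if lo <= port <= hi:
                ports_seen.add(port)
                if ANY_IPV4 in cidrs or ANY_IPV6 in cidrs:
                    open_to_world.add(port)
    return {
        "missing": sorted(set(EXPECTED_PORTS) - ports_seen),
        "open_to_world": sorted(open_to_world),
        "management_exposed": sorted(open_to_world & MANAGEMENT_PORTS),
    }


# Constructed sample: SSH is world-reachable, the Web UI is limited to the VPC.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 30443, "ToPort": 30443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_security_group(SAMPLE_SG), indent=2))
```

To audit a real group, pipe the output of `aws ec2 describe-security-groups --group-ids <id>` into `json.load` and pass each element of `SecurityGroups` to `audit_security_group`.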
To configure a single CloudGuard WAF AppSec gateway installation with SSL, refer to Infinity Next Deployment and Configuration.
Creating the stack in AWS takes about 6-8 minutes. When the CloudGuard WAF EC2 instance boots, it automatically connects to Check Point, registers using the token you provided and fetches your policy. Then, either Store Certificates in AWS or Store Certificates on the Gateway. If successful, you will see a green notification bar in this portal with a message that your Agent/Gateway successfully connected.
Step 5: SSL Certificates
Choose the desired SSL Certificates storage method:
Store Certificates in AWS
Store certificates on CloudGuard WAF's AppSec Gateway
Step 6: Launch the stack
To launch the Stack, select these two checkboxes: