topic Re: CloudGuard ASG AWS Gateway LB Transit GW - AWS CFT Error when launching stack with R80.40 for AS in Cloud Firewall

CloudGuard ASG AWS Gateway LB Transit GW - AWS CFT Error when launching stack with R80.40 for ASG SG

israelsc — Tue, 05 Nov 2024 06:18:22 GMT

Hello everyone,

I am developing a lab to create Security Gateways with the AWS CFT for CloudGuard ASG Security Gateways AWS Gateway LB and Transit GW with a Mananagement Server.
I am choosing R80.40-BYOL for my ASG Security Gateways and R81.10-BYOL for the Management Server.

The goal is to create the environment with my Management Server and ASG Gateways to upgrade them both to R81.20.
This will then become a production activity with a customer.

I am using an AWS CFT yaml that I see from the workshop:
Check Point CloudGuard Network Security - Integration with AWS Gateway Load Balancer

YAML template is:
https://gwlb.s3.us-east-2.amazonaws.com/CGNS-GWLB-WS.yaml

The problem is, when I launch the stack with those values I mentioned (80.40-BYOL for my ASG Security Gateways and R81.10-BYOL for the Management Server.) the stack fails and the resources deletes due to a rollback action for CFT.
The error mentions something related to the stack failing due to a missing AMI resource:

In the AWS account subscriptions, I have Check Point products for Security Gateway and Management Server:

Is it possible that my deployment is failing because R80.40 is no longer available in the AMI repositories for these VMs for Security Gateways?

I know that R80.40 is out of support, I guess that is why it is failing but I would like to know if someone could give me some idea to investigate further.

Greetings to all!

Re: CloudGuard ASG AWS Gateway LB Transit GW - AWS CFT Error when launching stack with R80.40 for AS

Edan_Leventhal — Tue, 05 Nov 2024 07:07:23 GMT

Hi Israelsc,

To my knowledge all our modern templates won't let you deploy R80.40 as it was removed from our templates.

I would also like to point out you are trying to deploy an ASG using a GWLB (Gateway load balancer) template, so that won't help you with the replication either.

The only path I can think of trying to execute such an environment is by going to EC2 > AMI in the AWS portal and searching for "R80.40" in the search bar under "public images" which will find you R80.40 images. However this will not deploy a ASG automatically and you will have to play around to make it work. (Unfortunately this is a bit outside of the scope to provide further steps)

BR,

Re: CloudGuard ASG AWS Gateway LB Transit GW - AWS CFT Error when launching stack with R80.40 for AS

noamcoh — Tue, 05 Nov 2024 07:48:33 GMT

Hi Israelsc,

Your assumptions are correct, the deployment fails because R80.40 is no longer supported.

You can search for R80.40 AMI under "public images", and then insert the AMI ID in the dedicated field in the CFT ("ImageId"). That way the CFT won't search for the AMI dynamically, but will have it hard-coded.

Let me know if you need help with the CFT modification.

Best regards,

Noam Cohen

Re: CloudGuard ASG AWS Gateway LB Transit GW - AWS CFT Error when launching stack with R80.40 for AS

israelsc — Wed, 13 Nov 2024 23:38:14 GMT

Hello @noamcoh

Thank you very much for your comments.
It makes a lot of sense to me what you comment, maybe “harcoding” the AMI ID of R80.40 in the CFT can solve the problem when trying to launch the template.

I review in the AWS Marketplace and I see this information for the AMI:

Ami Id: ami-03a6e51a7f4357779
Ami Alias: /aws/service/marketplace/prod-sip6fjeetm76y/r80.40-294.1564
Product Code: 263gtcd87e2xefwbacsdwvorx

I don't see the “ImageId” parameter in the CFT
Sorry for the inconvenience, could you help me with the modification of the CFT or guide me how to do it?

This is the base CFT: https://gwlb.s3.us-east-2.amazonaws.com/CGNS-GWLB-WS.yaml

This was extracted from the workshop: Check Point CloudGuard Network Security - Integration with AWS Gateway Load Balancer

If you could share with me some email or some way to contact you, that would be great!

Greetings!

Re: CloudGuard ASG AWS Gateway LB Transit GW - AWS CFT Error when launching stack with R80.40 for AS

noamcoh — Thu, 14 Nov 2024 07:11:13 GMT

Hi Israelsc,

I sent you a private message with email to contact us.

Thanks,

Noam

Re: CloudGuard ASG AWS Gateway LB Transit GW - AWS CFT Error when launching stack with R80.40 for AS

israelsc — Thu, 14 Nov 2024 20:17:04 GMT

Hello @noamcoh

Thank you very much I replied to your private message and I have sent you an email.
I hope you could please help me, I would appreciate it very much.

Greetings!

Re: CloudGuard ASG AWS Gateway LB Transit GW - AWS CFT Error when launching stack with R80.40 for AS

israelsc — Wed, 11 Dec 2024 18:35:35 GMT

Hello everyone,
After several revisions directly with @NoaD and @almogar we managed to deploy the environment with a SMS and AWS ASG Gateway LB Security Gateways with R80.40.
The solution, another CFT was shared with me and with that we were able to launch the stack successfully.

I share here the CFT I launched.
Please use for lab purposes only, R80.40 is already an unsupported version by Check Point.

Greetings to all!