topic How can I add an AWS AutoScaling Firewall from a new AWS account to an SMS in a existing AWS Account in Cloud Firewall

How can I add an AWS AutoScaling Firewall from a new AWS account to an SMS in a existing AWS Account

israelsc — Thu, 20 Feb 2025 21:19:34 GMT

Hello everyone,
I hope you are all well.

I am developing a lab on an AWS account where there is an SMS and AWS AutoScaling Group Security Gateways. Both in a CIDR VPC with 172.168.0.0/16 network.
Let's call it “SMS + AutoScaling A”.

Create another AWS AutoScaling Group Security Gateways on the same AWS account with another VPC CIDR 10.0.0.0.0/16
Let's call it “AutoScaling B”.

I'm a bit at a loss as to, how I can add this new “AutoScaling B” to the current CME template for “SMS + AutoScaling A”. ?

=========================================================================================================
=========================================================================================================

According to the CME syntax, it shows the following options to add a new driver on top of the current template:

autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,us-east-1,eu-central-1 -fi <FILE-PATH>

autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY> autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY>

autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1 -iam -sn <SUB-ACCOUNT-NAME> -sak <SUB-ACCOUNT-ACCESS-KEY> -ssk <SUB-ACCOUNT-SECRET-KEY>

Do I need to create an IAM user in the same AWS account and use these credentials in the controller configuration?
First I want to know how to solve this: Add AutoScaling B to SMS from AutoScaling A

I see something on this sk but I'm still a bit lost.
https://support.checkpoint.com/results/sk/sk130372

=========================================================================================================
=========================================================================================================

As a second question on this topic:
-I am developing this lab now on a single AWS account.
-The purpose of this lab is to carry it out in a project with a customer, where customer has “SMS + AutoScaling A” in an existing AWS Account and is going to deploy “AutoScaling B” in another VPC of another new AWS Account different from the AWS Account of “SMS + AutoScaling A”.

In this scenario, how do I integrate “AutoScaling B” to the CME template controller of “SMS + AutoScaling A”?
Is this possible?

Below is a high level topology to explain our environment:

Re: How can I add an AWS AutoScaling Firewall from a new AWS account to an SMS in a existing AWS Acc

Nir_Shamir — Wed, 19 Feb 2025 05:40:40 GMT

Hi,

for the first question.

You already created a Controller that has access to the account so you only need to add a new template:

autoprov_cfg add template -tn <template_name> ......and the rest of the template variables.

for the 2nd question.

You need to create roles that has trust between the accounts so they can scan these accounts and create the GW's.

https://support.checkpoint.com/results/sk/sk122074

Re: How can I add an AWS AutoScaling Firewall from a new AWS account to an SMS in a existing AWS Acc

israelsc — Thu, 20 Feb 2025 21:18:34 GMT

Hello @Nir_Shamir ,
Thank you very much for your help.

Following the sk https://support.checkpoint.com/results/sk/sk122074

I have a couple of doubts in the step “Configuration of AWS STS to Delegate Access across two AWS accounts”:

-In step 2 it mentions “Provide the 12 digits number that represents the ID of the trusted account, in the Trusted Account ID field”.
*Is this account the AWS target account where the SMS is located?
I mean, I have to create the STS role in the account where the new autoscaling is located and the Trusted Account ID is where the SMS is located?

-In step 3 it mentions “Select what type of permissions to grant the management server, in the IAM role field.”
*On the sk https://support.checkpoint.com/results/sk/sk130372, I see that in section “(3) Creating an AWS IAM User and IAM Role” in the step “Creating AWS IAM policies”, there is a JSON to certify permissions for “CloudGuard Network Auto Scaling and CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway”.
JSON contains the following permissions:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetHealth"
],
"Resource": "*",
"Effect": "Allow"
}
]
}

These are the permissions I need to define in the STS role?

======================================================================================================
======================================================================================================

For the template https://cgi-cfts.s3.amazonaws.com/gwlb/cme-iam-role-gwlb.yaml

https://support.checkpoint.com/results/sk/sk122074

-We will run the CFT on the AWS account “B” where the new autoscaling is located, correct?

-We will select the option “Create with read-write permissions” because our SMS will manage a CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway.

-I understand that in the “STS Roles” field we will paste the ARN Role value that we generated when we created the STS role, correct?

-In the “Trusted Account ID” field, this will be the AWS account “A” where the correct SMS is located?

======================================================================================================
======================================================================================================

Once we deploy the CFT Template with IAM Role, STS role and Trusted Account values defined, I see that in Check Point CME it is necessary to add a new driver to add the new autoscaling “B” to the SMS where autoscaling “A” is located.
The command mentions the following examples:

*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,us-east-1,eu-central-1 -fi <FILE-PATH>
*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY> -sk <SECRET-KEY>
*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1 -iam -sn <SUB-ACCOUNT-NAME> -sak <SUB-ACCOUNT-ACCESS-KEY> -ssk <SUB-ACCOUNT-SECRET-KEY>

With this CFT Template, which option would we select?
Where we could obtain these values for complete CME configuration?

Below is a high level topology to explain our environment:

Greetings.

Re: How can I add an AWS AutoScaling Firewall from a new AWS account to an SMS in a existing AWS Acc

Nir_Shamir — Mon, 24 Feb 2025 07:47:55 GMT

Ok,

1) create on your GW's account a new role that will trust the Management account. you can use this cloudformation:

https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml&stackName=Check-Point-IAM-Role

Give this role permissions to scan for the GWLB GW's, like you have in your other account.

2) add the new sts role to your CME configuration. Example:

ontrollers:

tgw:

class: AWS

communities:

- "Transit_VPC"

cred-file: IAM

regions:

- us-east-1

sub-creds:

SpokeVPC1:

sts-role: "arn:aws:iam::581109049297:role/Check_Point_Transit_VPC"

3) add the same role the your SMS role. example:

{

"Action": [

"sts:AssumeRole"

"Resource": [

"arn:aws:iam::581109049297:role/Check-Point-IAM-Role-IAMRole-1L8H5XDKP5VQS"

"Effect": "Allow"