This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
israelsc
Collaborator
Collaborator
‎2025-02-18 06:34 PM

How can I add an AWS AutoScaling Firewall from a new AWS account to an SMS in a existing AWS Account

Hello everyone,
I hope you are all well.

I am developing a lab on an AWS account where there is an SMS and AWS AutoScaling Group Security Gateways. Both in a CIDR VPC with 172.168.0.0/16 network.
Let's call it “SMS + AutoScaling A”.

Create another AWS AutoScaling Group Security Gateways on the same AWS account with another VPC CIDR 10.0.0.0.0/16
Let's call it “AutoScaling B”.

I'm a bit at a loss as to,  how I can add this new “AutoScaling B” to the current CME template for “SMS + AutoScaling A”. ?

=========================================================================================================
=========================================================================================================

According to the CME syntax, it shows the following options to add a new driver on top of the current template:

  • autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,us-east-1,eu-central-1 -fi <FILE-PATH>

 

  • autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY> autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY>

 

  • autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1 -iam -sn <SUB-ACCOUNT-NAME> -sak <SUB-ACCOUNT-ACCESS-KEY> -ssk <SUB-ACCOUNT-SECRET-KEY>

Do I need to create an IAM user in the same AWS account and use these credentials in the controller configuration?
First I want to know how to solve this: Add AutoScaling B to SMS from AutoScaling A

I see something on this sk but I'm still a bit lost.
https://support.checkpoint.com/results/sk/sk130372

=========================================================================================================
=========================================================================================================

As a second question on this topic:
-I am developing this lab now on a single AWS account.
-The purpose of this lab is to carry it out in a project with a customer, where customer has “SMS + AutoScaling A” in an existing AWS Account and is going to deploy “AutoScaling B” in another VPC of another new AWS Account different from the AWS Account of “SMS + AutoScaling A”.

In this scenario, how do I integrate “AutoScaling B” to the CME template controller of “SMS + AutoScaling A”?
Is this possible?

Below is a high level topology to explain our environment:

Duda AWS AutoScaling ''B'' integration with SMS ''A''.png

 

0 Kudos
3 Replies
Nir_Shamir
Employee Employee
Employee
‎2025-02-18 09:40 PM

Hi,

for the first question.

You already created a Controller that has access to the account so you only need to add a new template:

autoprov_cfg add template -tn <template_name> ......and the rest of the template variables.

for the 2nd question.

You need to create roles that has trust between the accounts so they can scan these accounts and create the GW's.

https://support.checkpoint.com/results/sk/sk122074

 

0 Kudos
israelsc
Collaborator
Collaborator
‎2025-02-20 08:57 AM
In response to Nir_Shamir

Hello @Nir_Shamir ,
Thank you very much for your help.

Following the sk https://support.checkpoint.com/results/sk/sk122074

I have a couple of doubts in the step “Configuration of AWS STS to Delegate Access across two AWS accounts”:

-In step 2 it mentions “Provide the 12 digits number that represents the ID of the trusted account, in the Trusted Account ID field”.
*Is this account the AWS target account where the SMS is located?
I mean, I have to create the STS role in the account where the new autoscaling is located and the Trusted Account ID is where the SMS is located?

-In step 3 it mentions “Select what type of permissions to grant the management server, in the IAM role field.”
*On the sk https://support.checkpoint.com/results/sk/sk130372, I see that in section “(3) Creating an AWS IAM User and IAM Role” in the step “Creating AWS IAM policies”, there is a JSON to certify permissions for “CloudGuard Network Auto Scaling and CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway”.
JSON contains the following permissions:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetHealth"
],
"Resource": "*",
"Effect": "Allow"
}
]
}

These are the permissions I need to define in the STS role?

======================================================================================================
======================================================================================================


For the template https://cgi-cfts.s3.amazonaws.com/gwlb/cme-iam-role-gwlb.yaml

https://support.checkpoint.com/results/sk/sk122074

-We will run the CFT on the AWS account “B” where the new autoscaling is located, correct?

-We will select the option “Create with read-write permissions” because our SMS will manage a CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway.

-I understand that in the “STS Roles” field we will paste the ARN Role value that we generated when we created the STS role, correct?

-In the “Trusted Account ID” field, this will be the AWS account “A” where the correct SMS is located?

======================================================================================================
======================================================================================================


Once we deploy the CFT Template with IAM Role, STS role and Trusted Account values defined, I see that in Check Point CME it is necessary to add a new driver to add the new autoscaling “B” to the SMS where autoscaling “A” is located.
The command mentions the following examples:

*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,us-east-1,eu-central-1 -fi <FILE-PATH>
*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY> -sk <SECRET-KEY>
*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1 -iam -sn <SUB-ACCOUNT-NAME> -sak <SUB-ACCOUNT-ACCESS-KEY> -ssk <SUB-ACCOUNT-SECRET-KEY>

With this CFT Template, which option would we select?
Where we could obtain these values for complete CME configuration?

Below is a high level topology to explain our environment:

Duda AWS AutoScaling ''B'' integration with SMS ''A''.png

Greetings.

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2025-02-23 11:46 PM
In response to israelsc

Ok,

1) create on your GW's account a new role that will trust the Management account. you can use this cloudformation:

https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cft...

Give this role permissions to scan for the GWLB GW's, like you have in your other account.

 

2) add the new sts role to your CME configuration. Example:

ontrollers:

  tgw:

    class: AWS

    communities:

    - "Transit_VPC"

    cred-file: IAM

    regions:

    - us-east-1

    sub-creds:

      SpokeVPC1:

        sts-role: "arn:aws:iam::581109049297:role/Check_Point_Transit_VPC"

 

3) add the same role the your SMS role. example:

{

            "Action": [

                "sts:AssumeRole"

            ],

            "Resource": [

                "arn:aws:iam::581109049297:role/Check-Point-IAM-Role-IAMRole-1L8H5XDKP5VQS"

            ],

            "Effect": "Allow"

        },

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Trending Discussions
Multi Cloud Cluster GCP+Azure
Upcoming Events

    CheckMates Events