Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hello everyone,
I hope you are all well.
I am developing a lab on an AWS account where there is an SMS and AWS AutoScaling Group Security Gateways. Both in a CIDR VPC with 172.168.0.0/16 network.
Let's call it “SMS + AutoScaling A”.
Create another AWS AutoScaling Group Security Gateways on the same AWS account with another VPC CIDR 10.0.0.0.0/16
Let's call it “AutoScaling B”.
I'm a bit at a loss as to, how I can add this new “AutoScaling B” to the current CME template for “SMS + AutoScaling A”. ?
=========================================================================================================
=========================================================================================================
According to the CME syntax, it shows the following options to add a new driver on top of the current template:
- autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,us-east-1,eu-central-1 -fi <FILE-PATH>
- autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY> autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY>
- autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1 -iam -sn <SUB-ACCOUNT-NAME> -sak <SUB-ACCOUNT-ACCESS-KEY> -ssk <SUB-ACCOUNT-SECRET-KEY>
Do I need to create an IAM user in the same AWS account and use these credentials in the controller configuration?
First I want to know how to solve this: Add AutoScaling B to SMS from AutoScaling A
I see something on this sk but I'm still a bit lost.
https://support.checkpoint.com/results/sk/sk130372
=========================================================================================================
=========================================================================================================
As a second question on this topic:
-I am developing this lab now on a single AWS account.
-The purpose of this lab is to carry it out in a project with a customer, where customer has “SMS + AutoScaling A” in an existing AWS Account and is going to deploy “AutoScaling B” in another VPC of another new AWS Account different from the AWS Account of “SMS + AutoScaling A”.
In this scenario, how do I integrate “AutoScaling B” to the CME template controller of “SMS + AutoScaling A”?
Is this possible?
Below is a high level topology to explain our environment:
Hello @Nir_Shamir ,
Thank you very much for your help.
Following the sk https://support.checkpoint.com/results/sk/sk122074
I have a couple of doubts in the step “Configuration of AWS STS to Delegate Access across two AWS accounts”:
-In step 2 it mentions “Provide the 12 digits number that represents the ID of the trusted account, in the Trusted Account ID field”.
*Is this account the AWS target account where the SMS is located?
I mean, I have to create the STS role in the account where the new autoscaling is located and the Trusted Account ID is where the SMS is located?
-In step 3 it mentions “Select what type of permissions to grant the management server, in the IAM role field.”
*On the sk https://support.checkpoint.com/results/sk/sk130372, I see that in section “(3) Creating an AWS IAM User and IAM Role” in the step “Creating AWS IAM policies”, there is a JSON to certify permissions for “CloudGuard Network Auto Scaling and CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway”.
JSON contains the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeRegions",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetHealth"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
These are the permissions I need to define in the STS role?
======================================================================================================
======================================================================================================
For the template https://cgi-cfts.s3.amazonaws.com/gwlb/cme-iam-role-gwlb.yaml
https://support.checkpoint.com/results/sk/sk122074
-We will run the CFT on the AWS account “B” where the new autoscaling is located, correct?
-We will select the option “Create with read-write permissions” because our SMS will manage a CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway.
-I understand that in the “STS Roles” field we will paste the ARN Role value that we generated when we created the STS role, correct?
-In the “Trusted Account ID” field, this will be the AWS account “A” where the correct SMS is located?
======================================================================================================
======================================================================================================
Once we deploy the CFT Template with IAM Role, STS role and Trusted Account values defined, I see that in Check Point CME it is necessary to add a new driver to add the new autoscaling “B” to the SMS where autoscaling “A” is located.
The command mentions the following examples:
*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,us-east-1,eu-central-1 -fi <FILE-PATH>
*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1,eu-central-1 -ak <ACCESS-KEY> -sk <SECRET-KEY> -sk <SECRET-KEY>
*autoprov_cfg add controller AWS -cn <NAME> -r eu-west-1 -iam -sn <SUB-ACCOUNT-NAME> -sak <SUB-ACCOUNT-ACCESS-KEY> -ssk <SUB-ACCOUNT-SECRET-KEY>
With this CFT Template, which option would we select?
Where we could obtain these values for complete CME configuration?
Below is a high level topology to explain our environment:
Greetings.
