From d47da3338ccb251b48f8722d8fb7a8da44195414 Mon Sep 17 00:00:00 2001 From: yizhako Date: Tue, 7 May 2024 12:12:33 +0300 Subject: [PATCH 1/6] add GWLB QS support --- aws/templates/gwlb-asg/README.md | 16 + aws/templates/gwlb-asg/qs-gwlb-master.yaml | 957 +++++++++++++++++++++ aws/templates/gwlb-asg/qs-gwlb.yaml | 923 ++++++++++++++++++++ 3 files changed, 1896 insertions(+) create mode 100644 aws/templates/gwlb-asg/qs-gwlb-master.yaml create mode 100644 aws/templates/gwlb-asg/qs-gwlb.yaml diff --git a/aws/templates/gwlb-asg/README.md b/aws/templates/gwlb-asg/README.md index 9ba04ddf..31fd7827 100644 --- a/aws/templates/gwlb-asg/README.md +++ b/aws/templates/gwlb-asg/README.md @@ -37,6 +37,22 @@ Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway into an existing VPC. + + + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC, and Customer Web Service in Servers VPC

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. + +
Creates a new Security VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.
+ Creates a new Servers VPC, configure subnets and endpoints and deploys into it Customer Web Service. + + + + + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC, and Customer Web Service in Servers VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. + +
Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing Security VPC.
+ Configure Servers endpoints and deploys into it Customer Web Service into an existing Servers VPC. + +
diff --git a/aws/templates/gwlb-asg/qs-gwlb-master.yaml b/aws/templates/gwlb-asg/qs-gwlb-master.yaml new file mode 100644 index 00000000..e689fb6c --- /dev/null +++ b/aws/templates/gwlb-asg/qs-gwlb-master.yaml 
@@ -0,0 +1,957 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (05072024) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Security VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - SecurityVPCCIDR + - SecurityPublicSubnet1CIDR + - SecurityPublicSubnet2CIDR + - SecurityPublicSubnet3CIDR + - SecurityPublicSubnet4CIDR + - Label: + default: Servers VPC Network Configuration + Parameters: + - ServersVPCCIDR + - ServersPublicSubnet1CIDR + - ServersPublicSubnet2CIDR + - ServersPublicSubnet3CIDR + - ServersPublicSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - SubnetTagsInboundCIDR + - SubnetTagsOutboundCIDR + + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - GatewaysBlades + - AdminCIDR + - 
GatewayManagement + - GatewaysAddresses + - Label: + default: Web Servers Auto Scaling Group Configuration + Parameters: + - ServerAMI + - ALBProtocol + - ServicePort + - ServerInstanceType + - ResourcesTagName + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + SecurityVPCCIDR: + default: Security VPC CIDR + SecurityPublicSubnet1CIDR: + default: Security Auto Scaling Group Public Subnet 1 + SecurityPublicSubnet2CIDR: + default: Security Auto Scaling Group Public Subnet 2 + SecurityPublicSubnet3CIDR: + default: Security Auto Scaling Group Public Subnet 3 + SecurityPublicSubnet4CIDR: + default: Security Auto Scaling Group Public Subnet 4 + ServersVPCCIDR: + default: Servers VPC CIDR + ServersPublicSubnet1CIDR: + default: Servers Auto Scaling Group Public Subnet 1 + ServersPublicSubnet2CIDR: + default: Servers Auto Scaling Group Public Subnet 2 + ServersPublicSubnet3CIDR: + default: Servers Auto Scaling Group Public Subnet 3 + ServersPublicSubnet4CIDR: + default: Servers Auto Scaling Group Public Subnet 4 + SubnetTagsOutboundCIDR: + default: Outbound Subnet tagging for Inspection + SubnetTagsInboundCIDR: + default: Inbound Subnet tagging for Inspection + GWLBeSubnet1CIDR: + default: GWLBe subnet 1 CIDR + GWLBeSubnet2CIDR: + default: GWLBe subnet 2 CIDR + GWLBeSubnet3CIDR: + default: GWLBe subnet 3 CIDR + GWLBeSubnet4CIDR: + default: GWLBe subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + 
default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewaysBlades: + default: Default Blades + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + ALBProtocol: + default: ALB Protocol + ServicePort: + default: Custom service port + ServerInstanceType: + default: Servers instance type + ServerAMI: + default: AMI ID + ResourcesTagName: + default: Resources tag name +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. 
+ Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + SecurityVPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SecurityPublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SecurityPublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SecurityPublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SecurityPublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ ServersVPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 192.168.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersPublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 192.168.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersPublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 192.168.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersPublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 192.168.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersPublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 192.168.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet1CIDR: + Description: CIDR block for the GWLBe subnet 1 located in Availability Zone 1. 
+ Type: String + Default: 192.168.70.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet2CIDR: + Description: CIDR block for the GWLBe subnet 2 located in Availability Zone 2. + Type: String + Default: 192.168.80.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet3CIDR: + Description: CIDR block for the GWLBe subnet 3 located in Availability Zone 3. + Type: String + Default: 192.168.90.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet4CIDR: + Description: CIDR block for the GWLBe subnet 4 located in Availability Zone 4. + Type: String + Default: 192.168.100.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. 
+ Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: gwlb1 + MaxLength: 32 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: tg1 + MaxLength: 32 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - 
r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + - R82-BYOL + - R82-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ALBProtocol: + Description: The protocol to use on the Application Load Balancer. + Type: String + Default: HTTP + AllowedValues: + - HTTP + - HTTPS + ServicePort: + Description: 'The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS.' + Type: String + AllowedPattern: '^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$' + ConstraintDescription: Custom service port must be a number between 0 and 65535. + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + ServerInstanceType: + Description: The EC2 instance type for the web servers. + Type: String + Default: t3.micro + AllowedValues: + - t3.nano + - t3.micro + - t3.small + - t3.medium + - t3.large + - t3.xlarge + - t3.2xlarge + ConstraintDescription: Must be a valid EC2 instance type. + ServerAMI: + Description: The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63). + Type: String + AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))$' + ConstraintDescription: Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx. 
+ SubnetTagsInboundCIDR: + Description: Inbound Subnet tagging for Inspection (Comma-delimited list of CIDR blocks for inspection), For more information, visit the documentation at CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group Deployment Guide Admin guide. + Type: CommaDelimitedList + Default: "0.0.0.0/0" + SubnetTagsOutboundCIDR: + Description: Outbound Subnet tagging for Inspection (Comma-delimited list of CIDR blocks for inspection), For more information, visit the documentation at CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group Deployment Guide Admin guide. + Type: CommaDelimitedList + Default: "0.0.0.0/0" +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + EncryptedProtocol: !Equals [ ALBProtocol, HTTPS ] + ProvidedPort: !Not [!Equals [!Ref ServicePort, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + SecurityVPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',' , !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref SecurityVPCCIDR + PublicSubnet1CIDR: !Ref SecurityPublicSubnet1CIDR + PublicSubnet2CIDR: !Ref SecurityPublicSubnet2CIDR + PublicSubnet3CIDR: !Ref SecurityPublicSubnet3CIDR + PublicSubnet4CIDR: !Ref SecurityPublicSubnet4CIDR + CreatePrivateSubnets: false + ServersVPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-vpc.yaml + Parameters: + AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref ServersVPCCIDR + ServersSubnet1CIDR: !Ref ServersPublicSubnet1CIDR + ServersSubnet2CIDR: !Ref ServersPublicSubnet2CIDR + ServersSubnet3CIDR: !Ref ServersPublicSubnet3CIDR + ServersSubnet4CIDR: !Ref 
ServersPublicSubnet4CIDR + GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR + GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR + GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR + GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR + SubnetTagsOutboundCIDR: !Join [ ',' , !Ref SubnetTagsOutboundCIDR ] + SubnetTagsInboundCIDR: !Join [ ',' , !Ref SubnetTagsInboundCIDR ] + MainStack: + Type: AWS::CloudFormation::Stack + DependsOn: [SecurityVPCStack, ServersVPCStack] + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb.yaml + Parameters: + SecurityVPC: !GetAtt SecurityVPCStack.Outputs.VPCID + NumberOfAZs: !Ref NumberOfAZs + GatewaysSubnets: !Join + - ',' + - - !GetAtt SecurityVPCStack.Outputs.PublicSubnet1ID + - !GetAtt SecurityVPCStack.Outputs.PublicSubnet2ID + - !If [ 3AZs, !GetAtt SecurityVPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !GetAtt SecurityVPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue' ] + ServersVPC: !GetAtt ServersVPCStack.Outputs.VPCID + ServersSubnets: !Join [',', [!GetAtt ServersVPCStack.Outputs.ServersSubnet1ID, !GetAtt ServersVPCStack.Outputs.ServersSubnet2ID, !If [ 3AZs, !GetAtt ServersVPCStack.Outputs.ServersSubnet3ID, !Ref 'AWS::NoValue' ], !If [ 4AZs, !GetAtt ServersVPCStack.Outputs.ServersSubnet4ID, !Ref 'AWS::NoValue' ]]] + GWLBeSubnets: !Join [',', [!GetAtt ServersVPCStack.Outputs.GWLBeSubnet1ID, !GetAtt ServersVPCStack.Outputs.GWLBeSubnet2ID, !If [ 3AZs, !GetAtt ServersVPCStack.Outputs.GWLBeSubnet3ID, !Ref 'AWS::NoValue' ], !If [ 4AZs, !GetAtt ServersVPCStack.Outputs.GWLBeSubnet4ID, !Ref 'AWS::NoValue' ]]] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref 
Shell + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + AcceptConnectionRequired: !Ref AcceptConnectionRequired + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + GatewaysBlades: !Ref GatewaysBlades + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ALBProtocol: !Ref ALBProtocol + ServicePort: !Ref ServicePort + ResourcesTagName: !Ref ResourcesTagName + ServerInstanceType: !Ref ServerInstanceType + ServerAMI: !Ref ServerAMI + ServerIGW: !GetAtt ServersVPCStack.Outputs.IGWID + ServersCIDRs: !Join + - ',' + - - !Ref ServersPublicSubnet1CIDR + - !Ref ServersPublicSubnet2CIDR + - !If [ 3AZs, !Ref ServersPublicSubnet3CIDR, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !Ref ServersPublicSubnet4CIDR, !Ref 'AWS::NoValue' ] + +Outputs: + SecurityVPCID: + Description: Security VPC ID. + Value: !GetAtt SecurityVPCStack.Outputs.VPCID + ServersVPCID: + Description: Servers VPC ID. + Value: !GetAtt ServersVPCStack.Outputs.VPCID + ManagementPublicAddress: + Description: The public address of the management server. 
+ Value: !GetAtt MainStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt MainStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt MainStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !GetAtt MainStack.Outputs.GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !GetAtt MainStack.Outputs.GWLBServiceName + VpcEndpointService: + Description: Endpoint Service Name. + Value: !GetAtt MainStack.Outputs.VpcEndpointService + ServerPorts: + Description: The internal Load Balancer should listen to this port. + Value: !GetAtt MainStack.Outputs.ServerPorts + Condition: DeployManagement + ServerLBURL: + Description: The URL of the Servers Application Load Balancer. + Value: !GetAtt MainStack.Outputs.ServerLBURL + Condition: DeployManagement + ServerSecurityGroupID: + Description: The Application Servers Security Group ID. 
+ Value: !GetAtt MainStack.Outputs.ServerSecurityGroupID + Condition: DeployManagement + Server1EndpointRoute: + Description: Server 1 GWLB EndPoint route entry + Value: !Sub ['${ROUTE1} | ${AZ1}', {ROUTE1: !GetAtt MainStack.Outputs.Server1EndpointRoute, AZ1: !Select [0, !Ref AvailabilityZones]}] + Server2EndpointRoute: + Description: Server 2 GWLB EndPoint route entry + Value: !Sub ['${ROUTE2} | ${AZ2}', {ROUTE2: !GetAtt MainStack.Outputs.Server2EndpointRoute, AZ2: !Select [1, !Ref AvailabilityZones]}] + Server3EndpointRoute: + Description: Server 3 GWLB EndPoint route entry + Value: !Sub ['${ROUTE3} | ${AZ3}', {ROUTE3: !GetAtt MainStack.Outputs.Server3EndpointRoute, AZ3: !Select [2, !Ref AvailabilityZones]}] + Condition: 3AZs + Server4EndpointRoute: + Description: Server 4 GWLB EndPoint route entry + Value: !Sub ['${ROUTE4} | ${AZ4}', {ROUTE4: !GetAtt MainStack.Outputs.Server4EndpointRoute, AZ4: !Select [3, !Ref AvailabilityZones]}] + Condition: 4AZs + +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml new file mode 100644 index 00000000..eec61246 --- /dev/null +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml 
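Review bot: in the master template's Outputs, `ServerPorts`, `ServerLBURL` and `ServerSecurityGroupID` carry `Condition: DeployManagement`, but `MainStack` is created unconditionally and nothing in the web-server side of the nested stack depends on a management server being deployed, so a user who sets `ManagementDeploy` to false loses the ALB URL and the server security group ID for no reason; drop the condition from those three outputs and keep it only on `ManagementPublicAddress`. Also, `ServersCIDRs` is assembled from the `ServersPublicSubnet1CIDR` .. `ServersPublicSubnet4CIDR` parameters while the nested template describes that parameter as the CIDR blocks of the Servers private subnets; please make the naming agree so it is clear which subnets the GWLBe route entries are built for.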
@@ -0,0 +1,923 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (05072024)" +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Network Configuration + Parameters: + - NumberOfAZs + - Label: + default: Security Network Configuration + Parameters: + - SecurityVPC + - GatewaysSubnets + - Label: + default: Servers Network Configuration + Parameters: + - ServersVPC + - ServersSubnets + - ServersCIDRs + - GWLBeSubnets + - ServerIGW + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Web Servers Auto Scaling Group Configuration + Parameters: + - ServerInstanceType + - ServerAMI + - ALBProtocol + - ServicePort + - ResourcesTagName + 
ParameterLabels: + NumberOfAZs: + default: Number of AZs + SecurityVPC: + default: SecurityVPC + GatewaysSubnets: + default: Gateways subnets + ServersVPC: + default: ServersVPC + ServersSubnets: + default: Servers subnets + ServersCIDRs: + default: ServersCIDRs + GWLBeSubnets: + default: GWLBe subnets + ServerIGW: + default: Server VPC IGW + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + 
ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + ServerInstanceType: + default: Servers instance type + ServerAMI: + default: AMI ID + ALBProtocol: + default: ALB Protocol + ServicePort: + default: Custom service port + ResourcesTagName: + default: Resources tag name +Parameters: + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + SecurityVPC: + Description: Select an existing Security VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + GatewaysSubnets: + Description: Select at least 2 public subnets in the Security VPC. + Type: List + MinLength: 2 + ServersVPC: + Description: Select an existing VPC for Serevrs deployment. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + ServersSubnets: + Description: Select at least 2 private subnets in the VPC for Servers deployment. + Type: List + MinLength: 2 + GWLBeSubnets: + Description: Select at least 2 public subnets in the VPC for GWLBe deployment. + Type: List + MinLength: 2 + ServerIGW: + Description: Internet gateway It that attached to Servers VPC + Type: String + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. 
+ Type: String + Default: gwlb1 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg1 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication acti.vation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - 
r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ALBProtocol: + Description: The protocol to use on the Application Load Balancer. + Type: String + Default: HTTP + AllowedValues: + - HTTP + - HTTPS + ServicePort: + Description: 'The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS.' + Type: String + AllowedPattern: '^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$' + ConstraintDescription: Custom service port must be a number between 0 and 65535. + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + ServerInstanceType: + Description: The EC2 instance type for the web servers. + Type: String + Default: t3.micro + AllowedValues: + - t3.nano + - t3.micro + - t3.small + - t3.medium + - t3.large + - t3.xlarge + - t3.2xlarge + ConstraintDescription: Must be a valid EC2 instance type. + ServerAMI: + Description: The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63). + Type: String + AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))$' + ConstraintDescription: Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx. 
+ ServersCIDRs: + Description: CIDR's block of each Servers private subnet(divided by coma, without spaces) + Type: CommaDelimitedList + Default: "192.168.0.10/24, 192.168.0.20/24" +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + 2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] + ProvidedPort: !Not [!Equals [!Ref ServicePort, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EncryptedProtocol: !Equals [ ALBProtocol, HTTPS ] +Resources: + GatewayLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Type: gateway + Name: !Ref GWLBName + LoadBalancerAttributes: + - Key: load_balancing.cross_zone.enabled + Value: !Ref CrossZoneLoadBalancing + Subnets: !Ref GatewaysSubnets + Tags: + - Key: x-chkp-management + Value: !Ref ManagementServer + - Key: x-chkp-template + Value: !Ref ConfigurationTemplate + VpcEndpointService: + Type: AWS::EC2::VPCEndpointService + Properties: + AcceptanceRequired: !Ref AcceptConnectionRequired + GatewayLoadBalancerArns: + - !Ref GatewayLoadBalancer + TargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: !Ref TargetGroupName + Port: 6081 + Protocol: GENEVE + HealthCheckPort: 8117 + HealthCheckProtocol: TCP + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: 20 + VpcId: !Ref SecurityVPC + TargetType: instance + Tags: + - Key: Name + Value: !Join + - "" + - - !Ref AWS::StackName + - "-tg1" + Listener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref TargetGroup + LoadBalancerArn: !Ref GatewayLoadBalancer + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml + Parameters: + VPC: !Ref 
SecurityVPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + Shell: !Ref Shell + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + AdminEmail: !Ref AdminEmail + GatewaysTargetGroups: !Ref TargetGroup + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + AllowUploadDownload: !Ref AllowUploadDownload + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + GatewayBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Adding quickstart identifier to cloud-version"' + - 'cv_template="gwlb_qs"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${cv_template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${cv_template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo -e "\nFinished Bootstrap script\n"' + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + DependsOn: GWLBeEndpointStack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml + Parameters: + VPC: !Ref SecurityVPC + ManagementSubnet: !Select [0, !Ref GatewaysSubnets] + ManagementName: !Ref ManagementServer + 
ManagementInstanceType: !Ref ManagementInstanceType + KeyName: !Ref KeyName + Shell: !Ref Shell + VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, ''] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + ManagementPermissions: Create with read-write permissions + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + TerminationProtection: !Ref TerminationProtection + ManagementBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - !Sub 'policy=${GatewaysPolicy} ; region=${AWS::Region} ; conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer} ; blades=${GatewaysBlades}' + - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']] + - 'controller="gwlb-controller"' + - 'echo "Adding quickstart identifier to cloud-version"' + - 'cv_template="management_gwlb_qs"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${cv_template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${cv_template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Creating CME configuration"' + - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po "${policy}" -otp "${sic}" -r "${region}" -ver "${version}" -iam -ss' + - 'autoprov_cfg -f set controller AWS -cn "${controller}" -ct "${conf_template}"' + - 
'${blades} && autoprov_cfg -f set template -tn "${conf_template}" -ips -appi -av -ab' + - 'echo "Set Scan GWLB Load Balancer parameter"' + - 'autoprovision_file="${FWDIR}/conf/autoprovision.json"' + - 'autoprovision_file_tmp="${FWDIR}/conf/autoprovision.json.tmp"' + - 'if test -f ${autoprovision_file}; then jq ".controllers.\"${controller}\".sync |= . + {\"lb\": false}" "${autoprovision_file}" > "${autoprovision_file_tmp}"; mv "${autoprovision_file_tmp}" "${autoprovision_file}"; fi' + - 'echo -e "\nFinished Bootstrap script\n"' + GWLBeEndpointStack: + Type: AWS::CloudFormation::Stack + DependsOn: VpcEndpointService + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-endpoints.yaml + Parameters: + NumberOfAZs: !Ref NumberOfAZs + GWLBeVPC: !Ref ServersVPC + GWLBeSubnets: !Join [',', !Ref GWLBeSubnets] + GWLBServiceName: !Sub ["com.amazonaws.vpce.${AWS::Region}.${Service}", {Service: !Ref VpcEndpointService}] + ServersSubnets: !Join [',', !Ref ServersSubnets] + ServersCIDRs: !Join [',', !Ref ServersCIDRs] + ServerIGW: !Ref ServerIGW + ServersStacks: + Type: AWS::CloudFormation::Stack + DependsOn: GWLBeEndpointStack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-autoscale.yaml + Parameters: + VPC: !Ref ServersVPC + Subnets: !Join [',', !Ref ServersSubnets] + ResourcesTagName: !Ref ResourcesTagName + ALBProtocol: !Ref ALBProtocol + ServicePort: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]] + AdminEmail: !Ref AdminEmail + ServerInstanceType: !Ref ServerInstanceType + ServerAMI: !Ref ServerAMI + KeyName: !Ref KeyName + AllocateServerPublicAddress: true + ServersMinSize: !Ref GatewaysMinSize + ServersMaxSize: !Ref GatewaysMaxSize +Outputs: + SecurityVPCID: + Description: Security VPC ID. + Value: !Ref SecurityVPC + ManagementPublicAddress: + Description: The public address of the management server. 
+ Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: gwlb-controller + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !Sub ["com.amazonaws.vpce.${AWS::Region}.${Service}", {Service: !Ref VpcEndpointService}] + VpcEndpointService: + Description: Endpoint Service Name. + Value: !Ref VpcEndpointService + ServerPorts: + Description: The internal Load Balancer should listen to this port. + Value: !If [EncryptedProtocol, 443, 80] + Condition: DeployManagement + ServerLBURL: + Description: The URL of the Servers Application Load Balancer. + Value: !GetAtt ServersStacks.Outputs.ServerLBURL + Condition: DeployManagement + ServerSecurityGroupID: + Description: The Application Servers Security Group ID. 
+ Value: !GetAtt ServersStacks.Outputs.ServerSecurityGroupID + Condition: DeployManagement + Server1EndpointRoute: + Description: Server 1 GWLB EndPoint route entry + Value: !GetAtt GWLBeEndpointStack.Outputs.Server1EndpointRoute + Server2EndpointRoute: + Description: Server 2 GWLB EndPoint route entry + Value: !GetAtt GWLBeEndpointStack.Outputs.Server2EndpointRoute + Server3EndpointRoute: + Description: Server 3 GWLB EndPoint route entry + Value: !GetAtt GWLBeEndpointStack.Outputs.Server3EndpointRoute + Condition: 3AZs + Server4EndpointRoute: + Description: Server 4 GWLB EndPoint route entry + Value: !GetAtt GWLBeEndpointStack.Outputs.Server4EndpointRoute + Condition: 4AZs +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] From 1e5aafee08137fc134a7145176c6a55e7447a123 Mon Sep 17 00:00:00 2001 From: yizhako Date: Tue, 7 May 2024 12:25:59 +0300 Subject: [PATCH 2/6] removed version --- aws/templates/gwlb-asg/qs-gwlb-master.yaml | 5 ----- aws/templates/gwlb-asg/qs-gwlb.yaml | 3 --- 2 files changed, 8 deletions(-) diff --git a/aws/templates/gwlb-asg/qs-gwlb-master.yaml b/aws/templates/gwlb-asg/qs-gwlb-master.yaml index e689fb6c..0d7f5b74 100644 --- a/aws/templates/gwlb-asg/qs-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb-master.yaml @@ -535,9 +535,6 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX - - R82-BYOL - - R82-PAYG-NGTP - - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String 
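Review bot: `EncryptedProtocol: !Equals [ ALBProtocol, HTTPS ]` in Conditions is missing `!Ref`, so it compares the literal string "ALBProtocol" with "HTTPS" and is always false; with `ALBProtocol` set to HTTPS and no custom `ServicePort`, `ServersStacks` therefore receives port 80 and the `ServerPorts` output reports 80 as well. It should read `EncryptedProtocol: !Equals [!Ref ALBProtocol, HTTPS]`. While there: the `ServerPorts` output ignores a user-supplied `ServicePort` (reuse the `!If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]]` expression already passed to `ServersStacks`), and it, `ServerLBURL` and `ServerSecurityGroupID` are gated on `DeployManagement` although `ServersStacks` itself has no condition. The `ServersCIDRs` default `"192.168.0.10/24, 192.168.0.20/24"` contradicts its own description (there is a space after the comma) and both entries are host addresses inside the same /24; two distinct network addresses with no spaces are needed. `GatewaysSubnets`, `ServersSubnets` and `GWLBeSubnets` show `Type: List`, which is not a valid parameter type; please confirm the file actually reads `List<AWS::EC2::Subnet::Id>`. `ServersMinSize` and `ServersMaxSize` are fed from `GatewaysMinSize` and `GatewaysMaxSize`, which ties the web-server fleet size to the gateway fleet size; if that is intentional it deserves a comment, otherwise separate parameters. `GatewaySICKey` is `NoEcho`, but the management bootstrap line `'sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"'` embeds the key only base64-encoded in `ManagementBootstrapScript`, so it is readable wherever that script ends up (the nested stack's parameters, the instance's user data); consider calling this out in the README or having the bootstrap fetch the key from a secret store at boot. Finally, several parameter descriptions have typos ("Serevrs deployment", "Internet gateway It that attached to Servers VPC", "acti.vation key", "CIDR's block ... divided by coma"), and the `NumberOfAZs` description refers to an Availability Zones list parameter that this template does not define.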
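Review bot: the commit message "removed version" does not say which version is removed or why; please state that the R82 entries are being dropped from the `GatewayVersion` lists of both templates (and from `ManagementVersion` in the master) and give the reason, since a reader of the history cannot tell whether R82 is unsupported by the GWLB templates or simply not yet published for them. The change is safe for the defaults, as `R81.20-BYOL` remains in every list it is removed from.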
@@ -711,8 +708,6 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG - - R82-BYOL - - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml index eec61246..bb828036 100644 --- a/aws/templates/gwlb-asg/qs-gwlb.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml @@ -440,9 +440,6 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX - - R82-BYOL - - R82-PAYG-NGTP - - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String From da2a29fa277d312063ca23e7d4ef73ada6400eb5 Mon Sep 17 00:00:00 2001 From: yizhako Date: Tue, 7 May 2024 12:38:11 +0300 Subject: [PATCH 3/6] fixed readme --- aws/templates/gwlb-asg/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/templates/gwlb-asg/README.md b/aws/templates/gwlb-asg/README.md index 31fd7827..5eb84a43 100644 --- a/aws/templates/gwlb-asg/README.md +++ b/aws/templates/gwlb-asg/README.md @@ -41,7 +41,7 @@ Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC, and Customer Web Service in Servers VPC
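Review bot: Dropping `R82-BYOL`, `R82-PAYG-NGTP` and `R82-PAYG-NGTX` from `AllowedValues` of the gateway version parameter in qs-gwlb-master.yaml (the hunk at -535) is only safe if nothing else in that file still refers to those values; please confirm the parameter's `Default` is not an R82 entry and that no version-keyed Mappings or Conditions mention R82, since a stale default makes the template fail validation on every deploy. The commit message "removed version" should also say why R82 is being pulled, so the reason is in the history when it is re-added.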
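Review bot: Same check for the nested template: with the three R82 entries removed from the gateway version list in qs-gwlb.yaml (the hunk at -440), confirm the parameter's `Default` and any version-keyed mappings in this file no longer reference R82. The master template's `ManagementVersion` list lost `R82-BYOL` and `R82-PAYG` in the same commit; if this nested template also exposes a management version parameter, it needs the same trim, otherwise a value accepted here would be rejected by the parent.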

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. -
Creates a new Security VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.
+ Creates a new Security VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.
Creates a new Servers VPC, configure subnets and endpoints and deploys into it Customer Web Service. @@ -49,7 +49,7 @@ Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC, and Customer Web Service in Servers VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. -
Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing Security VPC.
+ Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing Security VPC.
Configure Servers endpoints and deploys into it Customer Web Service into an existing Servers VPC. From c3cf10d60e061dc43111a96b183e1b1d358815da Mon Sep 17 00:00:00 2001 From: yizhako Date: Sun, 12 May 2024 15:08:14 +0300 Subject: [PATCH 4/6] change readme.md --- aws/templates/gwlb-asg/README.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/aws/templates/gwlb-asg/README.md b/aws/templates/gwlb-asg/README.md index 5eb84a43..42f361ff 100644 --- a/aws/templates/gwlb-asg/README.md +++ b/aws/templates/gwlb-asg/README.md @@ -11,46 +11,45 @@ - Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.
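Review bot: In the first README hunk of this patch (at -41), the removed and added "Creates a new Security VPC ..." lines are identical as rendered, so the real change must be whitespace or an HTML tag that extraction dropped; the commit message "fixed readme" should say what was fixed. The unchanged context line after it, "Creates a new Servers VPC, configure subnets and endpoints and deploys into it Customer Web Service", mixes number and should read "configures subnets and endpoints and deploys".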
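Review bot: In the second README hunk (at -49), the context line "Configure Servers endpoints and deploys into it Customer Web Service into an existing Servers VPC." uses "into" twice and switches to the imperative; while this row is being touched, suggest "Configures Servers endpoints and deploys Customer Web Service into an existing Servers VPC."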

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server. - Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing VPC. - Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide. + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide. Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway. - Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide. + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide. Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway into an existing VPC. - Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC, and Customer Web Service in Servers VPC

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. + Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. - Creates a new Security VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.
- Creates a new Servers VPC, configure subnets and endpoints and deploys into it Customer Web Service. + Creates a new Security VPC with Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, Servers' VPC with Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer in Servers' VPC, Servers and optionally a Security Management Server.
- Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC, and Customer Web Service in Servers VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. + Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. - Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing Security VPC.
- Configure Servers endpoints and deploys into it Customer Web Service into an existing Servers VPC. + Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Customer Application Servers into an existing in Servers' VPC.
+ From e07c631fe57fbd711c1938b32fe28fb31a49a30a Mon Sep 17 00:00:00 2001 From: chkp-romanka <59528298+chkp-romanka@users.noreply.github.com> Date: Sun, 12 May 2024 15:49:34 +0300 Subject: [PATCH 5/6] Update README.md --- aws/templates/gwlb-asg/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/templates/gwlb-asg/README.md b/aws/templates/gwlb-asg/README.md index 42f361ff..d22e2012 100644 --- a/aws/templates/gwlb-asg/README.md +++ b/aws/templates/gwlb-asg/README.md @@ -48,7 +48,7 @@ Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC.
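Review bot: The new row text "... Application Load Balancer and Customer Application Servers into an existing in Servers' VPC." has a stray "in" before "Servers' VPC", and the first added "Deploys and configures a Quick Start AWS Auto Scaling Group ..." line lacks the trailing period its twin later in the hunk has. The replacement for the "Creates a new Security VPC ..." row packs seven components into one sentence, with "in Servers' VPC" attaching to only some of them; suggest one sentence per VPC (what goes into the Security VPC; what goes into the Servers' VPC: one Gateway Load Balancer Endpoint per Availability Zone, an Application Load Balancer and the Servers), as the two-line form it replaces did. The hunk also removes and re-adds nine rows that are unchanged as rendered, so most of the 9/10 line churn is whitespace; worth confirming that was intended.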

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. - Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Customer Application Servers into an existing in Servers' VPC.
+ Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Servers into an existing in Servers' VPC.
From c95ef66c8a7af65b2a7755a9ad47b42d705d5c7f Mon Sep 17 00:00:00 2001 From: chkp-romanka <59528298+chkp-romanka@users.noreply.github.com> Date: Sun, 12 May 2024 15:50:22 +0300 Subject: [PATCH 6/6] Update README.md --- aws/templates/gwlb-asg/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/templates/gwlb-asg/README.md b/aws/templates/gwlb-asg/README.md index d22e2012..26eda643 100644 --- a/aws/templates/gwlb-asg/README.md +++ b/aws/templates/gwlb-asg/README.md @@ -48,7 +48,7 @@ Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC.
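Review bot: This one-word change ("Customer Application Servers" to "Servers") edits the line PATCH 4/6 just introduced, so it should be squashed into that patch rather than kept as a separate commit titled "Update README.md"; the stray "in" in "into an existing in Servers' VPC" is still present on the added line.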

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. - Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Servers into an existing in Servers' VPC.
+ Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Servers into an existing Servers' VPC.
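Review bot: Like the previous patch, this only drops the stray "in" from the line PATCH 4/6 added and should be squashed into it instead of standing as a second "Update README.md" commit. With the typo gone, the sentence still runs the two VPCs together ("optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Servers into an existing Servers' VPC"); splitting it into one sentence per VPC would match the structure of the sibling "Creates a new Security VPC ..." row.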