forked from rcove/aws-tgw-r8040
-
Notifications
You must be signed in to change notification settings - Fork 0
/
checkpoint-tgw-asg-master.yaml
471 lines (471 loc) · 16.3 KB
/
checkpoint-tgw-asg-master.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20211212)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Network Configuration
Parameters:
- VpcCidr
- AvailabilityZones
- NumberOfAZs
- PublicSubnetCidrA
- PublicSubnetCidrB
- PublicSubnetCidrC
- PublicSubnetCidrD
- Label:
default: General Settings
Parameters:
- KeyPairName
- EnableInstanceConnect
- AllowUploadDownload
- VolumeEncryption
- Shell
- Label:
default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
Parameters:
- Name
- GatewaysInstanceType
- GatewaysMinSize
- GatewaysMaxSize
- GatewaysLicense
- GatewaysPasswordHash
- GatewaysSIC
- ASN
- AdminEmail
- EnableCloudWatch
- Label:
default: Check Point CloudGuard IaaS Security Management Server Configuration
Parameters:
- ManagementDeploy
- ManagementInstanceType
- ManagementLicense
- ManagementPermissions
- PredefinedRole
- ManagementPasswordHash
- GatewaysBlades
- AdminAddressCIDR
- GatewayManagement
- GatewaysAddresses
- Label:
default: Automatic Provisioning with Security Management Server Settings
Parameters:
- ControlGatewayOverPrivateOrPublicAddress
- ManagementServer
- ConfigurationTemplate
ParameterLabels:
VpcCidr:
default: VPC CIDR
NumberOfAZs:
default: Number of AZs
AvailabilityZones:
default: Availability Zones
PublicSubnetCidrA:
default: Public Subnet 1
PublicSubnetCidrB:
default: Public Subnet 2
PublicSubnetCidrC:
default: Public Subnet 3
PublicSubnetCidrD:
default: Public Subnet 4
ManagementDeploy:
default: Deploy Management Server
ManagementInstanceType:
default: Instance type
ManagementLicense:
default: Version & license
ManagementPermissions:
default: IAM role
PredefinedRole:
default: Existing IAM role name
KeyPairName:
default: Key name
EnableInstanceConnect:
default: Enable AWS Instance Connect
ManagementPasswordHash:
default: Password hash
AdminAddressCIDR:
default: Administrator addresses
GatewaysAddresses:
default: Gateways addresses
GatewayManagement:
default: Manage Gateways
GatewaysInstanceType:
default: Instance type
GatewaysMinSize:
default: Minimum group size
GatewaysMaxSize:
default: Maximum group size
AdminEmail:
default: Email address
GatewaysBlades:
default: Default Blades
GatewaysLicense:
default: Version & license
GatewaysPasswordHash:
default: Password hash
GatewaysSIC:
default: SIC key
EnableCloudWatch:
default: CloudWatch metrics
ASN:
default: BGP ASN
ControlGatewayOverPrivateOrPublicAddress:
default: Gateways addresses
ManagementServer:
default: Management Server
ConfigurationTemplate:
default: Configuration template
Name:
default: Name
Shell:
default: Admin shell
AllowUploadDownload:
default: Allow upload & download
VolumeEncryption:
default: Enable environment volume encryption
Parameters:
VpcCidr:
Description: CIDR block for the VPC
Type: String
AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
Default: 10.0.0.0/16
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
AvailabilityZones:
Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two
Type: List<AWS::EC2::AvailabilityZone::Name>
MinLength: 1
NumberOfAZs:
Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter
Type: String
Default: 2
AllowedValues:
- 2
- 3
- 4
PublicSubnetCidrA:
Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet
Type: String
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
Default: 10.0.0.0/24
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
PublicSubnetCidrB:
Description: CIDR block for public subnet 2 located in the 2nd Availability Zone
Type: String
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
Default: 10.0.2.0/24
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
PublicSubnetCidrC:
Description: CIDR block for public subnet 3 located in the 3rd Availability Zone
Type: String
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
Default: 10.0.4.0/24
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
PublicSubnetCidrD:
Description: CIDR block for public subnet 4 located in the 4th Availability Zone
Type: String
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
Default: 10.0.6.0/24
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
ManagementDeploy:
Description: Select 'No' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section
Type: String
Default: 'Yes'
AllowedValues:
- 'Yes'
- 'No'
ManagementInstanceType:
Type: String
Default: m5.xlarge
AllowedValues:
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.12xlarge
- m5.24xlarge
ConstraintDescription: Must be a valid EC2 instance type
ManagementLicense:
Type: String
Default: R80.30-PAYG-MGMT
AllowedValues:
- R80.20-BYOL
- R80.20-PAYG-MGMT
- R80.30-BYOL
- R80.30-PAYG-MGMT
- R80.40-BYOL
- R80.40-PAYG-MGMT
ManagementPermissions:
Type: String
Default: Create with read permissions
AllowedValues:
- None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions
PredefinedRole:
Type: String
Default: ""
Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'
KeyPairName:
Description: The EC2 Key Pair to allow SSH access to the instances created by this stack
Type: AWS::EC2::KeyPair::KeyName
MinLength: 1
ConstraintDescription: Must be the name of an existing EC2 KeyPair
EnableInstanceConnect:
Description: Ec2 Instance Connect is not supported with versions prior to R80.40
Type: String
Default: 'false'
AllowedValues:
- 'true'
- 'false'
ManagementPasswordHash:
Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional)
Type: String
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
AdminAddressCIDR:
Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server
Type: String
Default: 0.0.0.0/0
AllowedPattern: ^(([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))?$
GatewaysAddresses:
Description: Allow gateways only from this network to communicate with the Security Management Server
Type: String
Default: 10.0.0.0/16
AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$
GatewayManagement:
Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address
Type: String
Default: Locally managed
AllowedValues:
- Locally managed
- Over the internet
GatewaysInstanceType:
Type: String
Default: c5.xlarge
AllowedValues:
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.18xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
ConstraintDescription: Must be a valid EC2 instance type
GatewaysMinSize:
Description: The minimal number of Security Gateways
Default: 2
Type: Number
MinValue: 1
GatewaysMaxSize:
Description: The maximal number of Security Gateways
Default: 5
Type: Number
MinValue: 1
AdminEmail:
Description: Notifications about scaling events will be sent to this email address (optional)
Type: String
Default: ''
AllowedPattern: (|([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))
ConstraintDescription: Must be a valid email address
GatewaysBlades:
Description: Turn on/off the Identity Awareness, CloudGuard Controller, Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later)
Type: String
AllowedValues:
- 'On'
- 'Off'
Default: 'On'
GatewaysLicense:
Type: String
Default: R80.30-PAYG-NGTP
AllowedValues:
- R80.20-BYOL
- R80.20-PAYG-NGTP
- R80.20-PAYG-NGTX
- R80.30-BYOL
- R80.30-PAYG-NGTP
- R80.30-PAYG-NGTX
- R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
GatewaysPasswordHash:
Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional)
Type: String
Default: ''
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
GatewaysSIC:
Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters
NoEcho: true
MinLength: 8
Type: String
AllowedPattern: '[a-zA-Z0-9]*'
ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long
EnableCloudWatch:
Description: Report Check Point specific CloudWatch metrics
Type: String
AllowedValues:
- true
- false
Default: false
ASN:
Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways
Type: String
AllowedPattern: '[0-9]*'
Default: 65000
ControlGatewayOverPrivateOrPublicAddress:
Description: Determines if the gateways are provisioned using their private or public address
Default: private
Type: String
AllowedValues:
- private
- public
ManagementServer:
Description: The name that represents the Security Management Server in the automatic provisioning configuration
Type: String
Default: management-server
MinLength: '1'
ConfigurationTemplate:
Description: A name of a gateway configuration template in the automatic provisioning configuration
Type: String
Default: TGW-ASG-configuration
MinLength: '1'
Name:
Description: (optional)
Type: String
Default: Check-Point-Gateway
Shell:
Description: Change the admin shell to enable advanced command line configuration
Type: String
Default: /etc/cli.sh
AllowedValues:
- /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh
AllowUploadDownload:
Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point
Type: String
Default: 'Yes'
AllowedValues:
- 'Yes'
- 'No'
VolumeEncryption:
Description: Encrypt Environment instances volume with default AWS KMS key
Type: String
Default: 'true'
AllowedValues:
- 'true'
- 'false'
Conditions:
3AZs: !Or
- !Equals
- !Ref NumberOfAZs
- 3
- !Equals
- !Ref NumberOfAZs
- 4
4AZs: !Equals
- !Ref NumberOfAZs
- 4
DeployManagement: !Equals
- !Ref ManagementDeploy
- 'Yes'
Resources:
VPCStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
Parameters:
VPCCIDR: !Ref VpcCidr
AvailabilityZones: !Join
- ','
- !Ref AvailabilityZones
NumberOfAZs: !Ref NumberOfAZs
PublicSubnet1CIDR: !Ref PublicSubnetCidrA
PublicSubnet2CIDR: !Ref PublicSubnetCidrB
PublicSubnet3CIDR: !Ref PublicSubnetCidrC
PublicSubnet4CIDR: !Ref PublicSubnetCidrD
CreatePrivateSubnets: false
MainStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/autoscale/checkpoint-tgw-asg.yaml
Parameters:
VPC: !GetAtt
- VPCStack
- Outputs.VPCID
AdminEmail: !Ref AdminEmail
KeyPairName: !Ref KeyPairName
EnableInstanceConnect: !Ref EnableInstanceConnect
ManagementDeploy: !Ref ManagementDeploy
ManagementPermissions: !Ref ManagementPermissions
PredefinedRole: !Ref PredefinedRole
Subnets: !Join
- ','
- - !GetAtt
- VPCStack
- Outputs.PublicSubnet1ID
- !GetAtt
- VPCStack
- Outputs.PublicSubnet2ID
- !If
- 3AZs
- !GetAtt
- VPCStack
- Outputs.PublicSubnet3ID
- !Ref AWS::NoValue
- !If
- 4AZs
- !GetAtt
- VPCStack
- Outputs.PublicSubnet4ID
- !Ref AWS::NoValue
GatewaysInstanceType: !Ref GatewaysInstanceType
GatewaysMinSize: !Ref GatewaysMinSize
GatewaysMaxSize: !Ref GatewaysMaxSize
GatewaysBlades: !Ref GatewaysBlades
GatewaysLicense: !Ref GatewaysLicense
GatewaysPasswordHash: !Ref GatewaysPasswordHash
GatewaysSIC: !Ref GatewaysSIC
EnableCloudWatch: !Ref EnableCloudWatch
AllowUploadDownload: !Ref AllowUploadDownload
VolumeEncryption: !Ref VolumeEncryption
ManagementInstanceType: !Ref ManagementInstanceType
ManagementLicense: !Ref ManagementLicense
ManagementPasswordHash: !Ref ManagementPasswordHash
AdminAddressCIDR: !Ref AdminAddressCIDR
GatewaysAddresses: !Ref GatewaysAddresses
GatewayManagement: !Ref GatewayManagement
ManagementServer: !Ref ManagementServer
ConfigurationTemplate: !Ref ConfigurationTemplate
Shell: !Ref Shell
Name: !Ref Name
ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
ASN: !Ref ASN
Outputs:
ManagementName:
Description: The name that represents the Security Management Server
Value: !Ref ManagementServer
ConfigurationTemplateName:
Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name
Value: !Ref ConfigurationTemplate
ControllerName:
Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name
Value: !GetAtt
- MainStack
- Outputs.ControllerName
ManagementPublicAddress:
Description: The public address of the management servers
Value: !GetAtt
- MainStack
- Outputs.ManagementPublicAddress
Condition: DeployManagement