diff --git a/aws/templates/management/README.md b/aws/templates/management/README.md
index 8b1950f0..a18ee106 100644
--- a/aws/templates/management/README.md
+++ b/aws/templates/management/README.md
@@ -1,5 +1,5 @@
-
## Security Management Server
+
@@ -24,10 +24,11 @@
In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway)
| Template Version | Description |
-|------------------|---------------------------------------------------------------------------------------------------------------|
+| ---------------- | ------------------------------------------------------------------------------------------------------------- |
+| 20260208 | Add IPv6 support via IPMode variable: "IPv4" and "DualStack" |
| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
-| 20230923 | Add support for C5d instance type |
+| 20230923 | Add support for C5d instance type |
| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
| 20221123 | Templates version 20221120 and above support R81.20 |
| 20220606 | New instance type support |
diff --git a/aws/templates/management/management-master.yaml b/aws/templates/management/management-master.yaml
old mode 100755
new mode 100644
index dfbf7e66..9be4c7ed
--- a/aws/templates/management/management-master.yaml
+++ b/aws/templates/management/management-master.yaml
@@ -1,6 +1,6 @@
AWSTemplateFormatVersion: 2010-09-09
Description: |
- Deploys a Check Point Management Server into a new VPC (20260101)
+ Deploys a Check Point Management Server into a new VPC (20260205)
See sk130372 administration guide for detailed deployment and configuration steps.
Metadata:
AWS::CloudFormation::Interface:
@@ -24,6 +24,7 @@ Metadata:
- VPCCIDR
- PublicSubnet1CIDR
- ManagementName
+ - IPMode
- AllocatePublicAddress
- VolumeSize
- VolumeType
@@ -57,8 +58,10 @@ Metadata:
default: Management Instance type
KeyName:
default: Key name
+ IPMode:
+ default: IP Configuration Mode
AllocatePublicAddress:
- default: Allocate an Elastic IP
+ default: Allocate an Elastic IPv4 address (Irrelevant for IPv6 only mode)
VolumeSize:
default: Root volume size (GB)
VolumeType:
@@ -319,6 +322,13 @@ Parameters:
Type: AWS::EC2::KeyPair::KeyName
MinLength: 1
ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ IPMode:
+ Description: Specifies the IP mode for the Management and AWS resources.
+ Type: String
+ AllowedValues:
+ - IPv4
+ - DualStack
+ Default: IPv4
AllocatePublicAddress:
Description: Allocate an elastic IP for the Management.
Type: String
@@ -451,15 +461,15 @@ Parameters:
- true
- false
AdminCIDR:
- Description: Allow web, SSH, and graphical clients only from this network to communicate
+ Description: Allow web, SSH, and graphical clients only from this network to communicate (IPv4 or IPv6 CIDR)
with the Management Server.
Type: String
- AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ AllowedPattern: '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9])|([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4}|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$'
GatewaysAddresses:
- Description: Allow gateways only from this network to communicate with the Management
+ Description: Allow gateways only from this network to communicate with the Management (IPv4 or IPv6 CIDR)
Server.
Type: String
- AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ AllowedPattern: '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9])|([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4}|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$'
GatewayManagement:
Description: Select 'Over the internet' if any of the gateways you wish to manage
are not directly accessed via their private IP address.
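Review bot: The new AllowedPattern on AdminCIDR and GatewaysAddresses accepts strings that are not valid IPv6 CIDRs, such as `1::2::3/64` (two `::` runs) or `:::::/0`, because every hextet group is `[0-9a-fA-F]{0,4}` and nothing restricts compression to a single `::`; such input passes parameter validation and would presumably only be rejected when the nested stack creates the security-group rule, turning a validation-time error into a rollback. The pattern also still admits `0.0.0.0/0` and now `::/0` for AdminCIDR, which opens the admin ports to every source; that is unchanged behaviour for IPv4 but is harder to see behind the longer expression. Add a `ConstraintDescription: must be a valid IPv4 (a.b.c.d/n) or IPv6 (x:x::x/n) CIDR; avoid 0.0.0.0/0 or ::/0 for AdminCIDR` so a rejected value yields an actionable message.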
@@ -484,12 +494,16 @@ Parameters:
Default: 0.pool.ntp.org
AllowedPattern: '[\.a-zA-Z0-9\-]*'
Conditions:
- EIP: !Equals [!Ref AllocatePublicAddress, true]
+ IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
+ IsIPv4Enabled: !Not [!Equals [!Ref IPMode, "IPv6"]]
+ AllocatePublicIPv4:
+ !And [!Equals [!Ref AllocatePublicAddress, true], !Condition IsIPv4Enabled]
Resources:
VPCStack:
Type: AWS::CloudFormation::Stack
Properties:
- TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
+ TemplateURL:
+ !If [IsIPv6Enabled, https://cgi-cfts.s3.amazonaws.com/utils/vpc-ipv6.yaml, https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml]
Parameters:
AvailabilityZones: !Ref AvailabilityZone
NumberOfAZs: 1
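Review bot: The new `vpc-ipv6.yaml` nested template is fetched from `https://cgi-cfts.s3.amazonaws.com/utils/` by an unversioned key, so the VPC, subnets and IPv6 routing of every DualStack deployment are whatever object that bucket serves at deploy time, and a change there alters future deployments with no trace in this repository. If the bucket is versioned, pin the TemplateURL to a specific object version or a versioned key, or at least record the expected nested-template version in the README row for this release. Separately, `IsIPv4Enabled` compares IPMode with `IPv6`, a value this template's AllowedValues (`IPv4`, `DualStack`) never admit, so it is always true and `AllocatePublicIPv4` is the old `EIP` condition under a new name; a comment such as `# IPv6-only is not yet an allowed IPMode value; IsIPv4Enabled is always true until it is` saves the next reader from hunting for the third value.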
@@ -497,10 +511,11 @@ Resources:
PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
CreatePrivateSubnets: false
CreateAttachmentSubnets: false
+ IPMode: !Ref IPMode
ManagementStack:
Type: AWS::CloudFormation::Stack
Properties:
- TemplateURL: https://cgi-cfts.s3.us-east-1.amazonaws.com/management/management.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/management/management.yaml
Parameters:
VPC: !GetAtt VPCStack.Outputs.VPCID
ManagementSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID
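Review bot: `IPMode: !Ref IPMode` is passed to the nested VPC stack unconditionally, while the TemplateURL selects the pre-existing `vpc.yaml` whenever IPMode is `IPv4`; CloudFormation rejects a nested stack that receives a parameter its template does not declare, so unless `vpc.yaml` has also gained an `IPMode` parameter (not visible in this diff) every default IPv4 deployment of this master template fails at VPCStack creation. If `vpc.yaml` was not updated, pass the value only on the IPv6 path: `IPMode: !If [IsIPv6Enabled, !Ref IPMode, !Ref "AWS::NoValue"]`. The same unconditional pass-through appears in gateway-master.yaml in this commit.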
@@ -531,16 +546,17 @@ Resources:
ManagementBootstrapScript: !Ref ManagementBootstrapScript
NTPPrimary: !Ref NTPPrimary
NTPSecondary: !Ref NTPSecondary
+ IPMode: !Ref IPMode
Outputs:
PublicAddress:
- Condition: EIP
- Description: The public address of the management server.
+ Condition: AllocatePublicIPv4
+ Description: The public address of the Management Server.
Value: !GetAtt ManagementStack.Outputs.PublicAddress
SSH:
- Condition: EIP
- Description: SSH command to the management server.
+ Condition: AllocatePublicIPv4
+ Description: SSH command.
Value: !GetAtt ManagementStack.Outputs.SSH
URL:
- Condition: EIP
- Description: URL to the management server portal.
- Value: !GetAtt ManagementStack.Outputs.URL
+ Condition: AllocatePublicIPv4
+ Description: URL to the portal.
+ Value: !GetAtt ManagementStack.Outputs.URL
\ No newline at end of file
diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml
old mode 100755
new mode 100644
index ef405aeb..e5c84962
--- a/aws/templates/management/management.yaml
+++ b/aws/templates/management/management.yaml
@@ -1,5 +1,7 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Management Server into an existing VPC (20260101)
+Description: |
+ Deploys a Check Point Management Server into an existing VPC (20260205)
+ See sk130372 administration guide for detailed deployment and configuration steps.
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -21,6 +23,7 @@ Metadata:
default: Advanced Settings
Parameters:
- ManagementName
+ - IPMode
- AllocatePublicAddress
- VolumeSize
- VolumeType
@@ -52,8 +55,10 @@ Metadata:
default: Management Instance type
KeyName:
default: Key name
+ IPMode:
+ default: IP Configuration Mode
AllocatePublicAddress:
- default: Allocate an Elastic IP
+ default: Allocate an Elastic IPv4 address (Irrelevant for IPv6 only mode)
VolumeSize:
default: Root volume size (GB)
VolumeType:
@@ -307,6 +312,13 @@ Parameters:
Type: AWS::EC2::KeyPair::KeyName
MinLength: 1
ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ IPMode:
+ Description: Specifies the IP mode for the Management and AWS resources.
+ Type: String
+ AllowedValues:
+ - IPv4
+ - DualStack
+ Default: IPv4
AllocatePublicAddress:
Description: Allocate an elastic IP for the Management.
Type: String
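Review bot: The IPMode description omits the precondition for `DualStack` in this existing-VPC template: the ENI later requests `Ipv6AddressCount: 1` on the user-supplied ManagementSubnet, which presumably fails at ENI creation unless that subnet already has an IPv6 CIDR block associated, and the operator only discovers this after the stack rolls back. Suggest `Description: Specifies the IP mode for the Management and AWS resources. DualStack requires the VPC and the Management subnet to already have an IPv6 CIDR block associated.` so the requirement is visible at parameter entry time.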
@@ -407,7 +419,7 @@ Parameters:
AllowedPattern: '[\$\./a-zA-Z0-9]*'
NoEcho: true
ManagementHostname:
- Description: The name must not contain reserved words. For details, refer to sk40179 (optional).
+ Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
Type: String
Default: mgmt-aws
AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
@@ -439,15 +451,15 @@ Parameters:
- true
- false
AdminCIDR:
- Description: Allow web, SSH, and graphical clients only from this network to communicate
+ Description: Allow web, SSH, and graphical clients only from this network to communicate (IPv4 or IPv6 CIDR)
with the Management Server.
Type: String
- AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ AllowedPattern: '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9])|([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4}|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$'
GatewaysAddresses:
- Description: Allow gateways only from this network to communicate with the Management
+ Description: Allow gateways only from this network to communicate with the Management (IPv4 or IPv6 CIDR)
Server.
Type: String
- AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ AllowedPattern: '^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9])|([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4}|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))$'
GatewayManagement:
Description: Select 'Over the internet' if any of the gateways you wish to manage
are not directly accessed via their private IP address.
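Review bot: Nothing ties the address family of AdminCIDR or GatewaysAddresses to IPMode: with the default `IPv4` mode the instance receives no IPv6 address, yet an IPv6 AdminCIDR passes validation and is converted into an IPv6-only ingress rule further down, leaving no rule that admits the administrator on 22/443 and, for GatewaysAddresses, none that admits gateways on the SIC ports — the stack completes and the management server is unreachable. The reverse case (DualStack with IPv4 CIDRs) merely leaves the new IPv6 address unreachable, which is safe. If a Rules assertion is not practical for a substring check, state it in both descriptions, e.g. `An IPv6 CIDR requires IPMode=DualStack; with IPMode=IPv4 only an IPv4 CIDR will match traffic.`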
@@ -472,9 +484,14 @@ Parameters:
Default: 0.pool.ntp.org
AllowedPattern: '[\.a-zA-Z0-9\-]*'
Conditions:
- EIP: !Equals [!Ref AllocatePublicAddress, true]
+ IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
+ IsIPv4Enabled: !Not [!Equals [!Ref IPMode, "IPv6"]]
+ AllocatePublicIPv4:
+ !And [!Equals [!Ref AllocatePublicAddress, true], !Condition IsIPv4Enabled]
+ IsGatewaysAddressesIPv6: !Not [!Equals [!Select [0, !Split [':', !Ref GatewaysAddresses]], !Ref GatewaysAddresses]]
+ AdminCIDRIsIPv6: !Not [!Equals [!Select [0, !Split [':', !Ref AdminCIDR]], !Ref AdminCIDR]]
ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet]
- ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet]
+ ManageOverInternetAndEIP: !And [!Condition AllocatePublicIPv4, !Condition ManageOverInternet]
CreateRole: !Or
- !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)]
- !Equals [!Ref ManagementPermissions, Create with read permissions]
@@ -493,11 +510,11 @@ Resources:
Version: !Join ['-', [!Ref ManagementVersion, MGMT]]
ManagementReadyHandle:
Type: AWS::CloudFormation::WaitConditionHandle
- Condition: EIP
+ Condition: AllocatePublicIPv4
Properties: {}
ManagementReadyCondition:
Type: AWS::CloudFormation::WaitCondition
- Condition: EIP
+ Condition: AllocatePublicIPv4
DependsOn: ManagementInstance
Properties:
Handle: !Ref ManagementReadyHandle
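Review bot: `IsIPv4Enabled` is dead in this template: it tests for `IPv6`, which IPMode's AllowedValues (`IPv4`, `DualStack`) never admit, so `AllocatePublicIPv4` is exactly the old `EIP` condition. That is harmless today, but the rewiring means that once IPv6-only becomes selectable, `ManagementReadyHandle` and `ManagementReadyCondition` are skipped and the stack reports CREATE_COMPLETE with no signal that `cloud_config.py` finished applying the admin password hash, SIC key and bootstrap script. Record that now where the condition is defined, e.g. `# IPv6-only (no EIP) also disables the wait condition; CloudFormation then cannot verify that bootstrap completed`. The `!Select [0, !Split [':', …]]` checks are a sound IPv6 detector given the AllowedPattern, since no IPv4 form can contain a colon.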
@@ -508,55 +525,68 @@ Resources:
GroupDescription: Management security group
VpcId: !Ref VPC
SecurityGroupIngress:
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 257
ToPort: 257
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 8211
ToPort: 8211
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 18191
ToPort: 18191
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 18192
ToPort: 18192
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 18208
ToPort: 18208
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 18210
ToPort: 18210
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 18211
ToPort: 18211
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 18221
ToPort: 18221
- - CidrIp: !Ref GatewaysAddresses
+ - CidrIp: !If [IsGatewaysAddressesIPv6, !Ref "AWS::NoValue", !Ref GatewaysAddresses]
+ CidrIpV6: !If [IsGatewaysAddressesIPv6, !Ref GatewaysAddresses, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 18264
ToPort: 18264
- - CidrIp: !Ref AdminCIDR
+ - CidrIp: !If [AdminCIDRIsIPv6, !Ref "AWS::NoValue", !Ref AdminCIDR]
+ CidrIpV6: !If [AdminCIDRIsIPv6, !Ref AdminCIDR, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 22
ToPort: 22
- - CidrIp: !Ref AdminCIDR
+ - CidrIp: !If [AdminCIDRIsIPv6, !Ref "AWS::NoValue", !Ref AdminCIDR]
+ CidrIpV6: !If [AdminCIDRIsIPv6, !Ref AdminCIDR, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 443
ToPort: 443
- - CidrIp: !Ref AdminCIDR
+ - CidrIp: !If [AdminCIDRIsIPv6, !Ref "AWS::NoValue", !Ref AdminCIDR]
+ CidrIpV6: !If [AdminCIDRIsIPv6, !Ref AdminCIDR, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 18190
ToPort: 18190
- - CidrIp: !Ref AdminCIDR
+ - CidrIp: !If [AdminCIDRIsIPv6, !Ref "AWS::NoValue", !Ref AdminCIDR]
+ CidrIpV6: !If [AdminCIDRIsIPv6, !Ref AdminCIDR, !Ref "AWS::NoValue"]
IpProtocol: tcp
FromPort: 19009
ToPort: 19009
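Review bot: The IPv6 source property is spelled `CidrIpV6` on all thirteen ingress entries here, whereas gateway.yaml in the same commit uses `CidrIpv6`, which is also the spelling of the AWS::EC2::SecurityGroup Ingress property; CloudFormation property names are case-sensitive, so an IPv6 AdminCIDR or GatewaysAddresses would be expected to fail with an unsupported-property error rather than create the rule. Replace it on every entry, e.g. `CidrIpv6: !If [AdminCIDRIsIPv6, !Ref AdminCIDR, !Ref "AWS::NoValue"]`. With the source column now a pair of conditionals, a `Description:` per rule (for example `Description: SIC from managed gateways` on the 18191/18192 entries) would keep the intent of each port readable.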
@@ -594,6 +624,7 @@ Resources:
- !Ref ManagementSecurityGroup
DeleteOnTermination: true
SubnetId: !Ref ManagementSubnet
+ Ipv6AddressCount: !If [IsIPv6Enabled, 1, !Ref "AWS::NoValue"]
ManagementLaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
@@ -621,38 +652,38 @@ Resources:
- 'runcmd:'
- ' - |'
- ' set -e'
- - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}'''
- - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue']
+ - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}'''
+ - !If [AllocatePublicIPv4, !Sub ' wait_handle=''${ManagementReadyHandle}'' ; eip=${AllocatePublicAddress}', ' eip=false']
- !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]]
- !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false']
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']]
- !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}]
- - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260205\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"'
VersionDescription: Initial template version
PublicAddress:
Type: AWS::EC2::EIP
- Condition: EIP
+ Condition: AllocatePublicIPv4
Properties:
Domain: vpc
AddressAssoc:
Type: AWS::EC2::EIPAssociation
- Condition: EIP
+ Condition: AllocatePublicIPv4
DependsOn: ManagementInstance
Properties:
InstanceId: !Ref ManagementInstance
AllocationId: !GetAtt PublicAddress.AllocationId
Outputs:
PublicAddress:
- Condition: EIP
+ Condition: AllocatePublicIPv4
Description: The public address of the Management Server.
Value: !Ref PublicAddress
SSH:
- Condition: EIP
+ Condition: AllocatePublicIPv4
Description: SSH command.
Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
URL:
- Condition: EIP
+ Condition: AllocatePublicIPv4
Description: URL to the portal.
- Value: !Join ['', ['https://', !Ref PublicAddress]]
+ Value: !Join ['', ['https://', !Ref PublicAddress]]
\ No newline at end of file
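Review bot: `adminSubnet=\"${admin_subnet}\"` can now carry an IPv6 CIDR into `/etc/cloud_config.py`, but nothing in this commit shows that the on-box script (outside the diff) accepts one; if it only parses dotted-quad CIDRs, whatever host-side restriction it derives from adminSubnet would presumably fail or be skipped, leaving the security group as the only control on the admin ports. Confirm this with the cloud_config.py owners and record the outcome in the README row, or pass an IPv4 value only until it is supported. The new literal `' eip=false'` branch also means the value reported as `allocatePublicAddress` no longer mirrors the AllocatePublicAddress parameter when `AllocatePublicIPv4` is false — identical behaviour while IPv4 is always enabled, but a silent override in a future IPv6-only mode, so a comment on that line such as `# eip reflects AllocatePublicAddress only when an IPv4 EIP is actually allocated` is warranted.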
diff --git a/aws/templates/single-gw/README.md b/aws/templates/single-gw/README.md
index 81e7b828..6887923b 100644
--- a/aws/templates/single-gw/README.md
+++ b/aws/templates/single-gw/README.md
@@ -1,4 +1,5 @@
## Security Gateway
+
@@ -25,10 +26,12 @@
## Revision History
+
In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway)
| Template Version | Description |
-|------------------|---------------------------------------------------------------------------------------------------------------|
+| ---------------- | ------------------------------------------------------------------------------------------------------------- |
+| 20260208 | Add IPv6 support via IPMode variable: "IPv4", "DualStack", "IPv6" (coming soon) |
| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
| 20231113 | Stability fixes. |
diff --git a/aws/templates/single-gw/gateway-master.yaml b/aws/templates/single-gw/gateway-master.yaml
index 8e1b61f8..203c012a 100644
--- a/aws/templates/single-gw/gateway-master.yaml
+++ b/aws/templates/single-gw/gateway-master.yaml
@@ -1,5 +1,7 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Security Gateway into a new VPC (20260101)
+Description: |
+ Deploys a Check Point Security Gateway into a new VPC (20260205)
+ See sk175207 for Gateway administration guide deployment and configuration steps.
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -18,6 +20,7 @@ Metadata:
- VPCCIDR
- PublicSubnetCIDR
- PrivateSubnetCIDR
+ - IPMode
- AllocatePublicAddress
- VolumeSize
- VolumeType
@@ -54,8 +57,10 @@ Metadata:
default: Gateway Instance type
KeyName:
default: Key name
+ IPMode:
+ default: IP Configuration Mode
AllocatePublicAddress:
- default: Allocate an Elastic IP
+ default: Allocate an Elastic IPv4 address (Irrelevant for IPv6 only mode)
VolumeSize:
default: Root volume size (GB)
VolumeType:
@@ -356,6 +361,14 @@ Parameters:
Type: AWS::EC2::KeyPair::KeyName
MinLength: 1
ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ IPMode:
+ Description: Specifies the IP mode for the Security Gateway and AWS resources.
+ Type: String
+ AllowedValues:
+ - IPv4
+ # - IPv6
+ - DualStack
+ Default: IPv4
AllocatePublicAddress:
Type: String
Default: true
@@ -411,6 +424,9 @@ Parameters:
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX
+ - R82.10-BYOL
+ - R82.10-PAYG-NGTP
+ - R82.10-PAYG-NGTX
Shell:
Description: Change the admin shell to enable advanced command line configuration.
Type: String
@@ -450,7 +466,7 @@ Parameters:
Type: String
Default: ''
GatewayHostname:
- Description: The name must not contain reserved words. For details, refer to sk40179 (optional).
+ Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
Type: String
Default: ''
AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
@@ -493,22 +509,24 @@ Parameters:
- private
- public
ManagementServer:
- Description: The name that represents the Security Management Server in the automatic.
- provisioning configuration.
+ Description: The name that represents the Security Management Server in the automatic provisioning configuration.
Type: String
ConfigurationTemplate:
- Description: A name of a Security Gateway configuration template in the automatic.
- provisioning configuration.
+ Description: A name of a Security Gateway configuration template in the automatic provisioning configuration.
Type: String
MaxLength: 30
Conditions:
- AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+ IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
+ IsIPv4Enabled: !Not [!Equals [!Ref IPMode, "IPv6"]]
+ AllocatePublicIPv4:
+ !And [!Equals [!Ref AllocatePublicAddress, true], !Condition IsIPv4Enabled]
Resources:
VPCStack:
Type: AWS::CloudFormation::Stack
Properties:
- TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
+ TemplateURL:
+ !If [IsIPv6Enabled, https://cgi-cfts.s3.amazonaws.com/utils/vpc-ipv6.yaml, https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml]
Parameters:
AvailabilityZones: !Ref AvailabilityZone
NumberOfAZs: 1
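Review bot: `IsIPv4Enabled: !Not [!Equals [!Ref IPMode, "IPv6"]]` can never be false here because `IPv6` is commented out of IPMode's AllowedValues earlier in this file, so `AllocatePublicIPv4` is exactly the `AllocateAddress` condition it replaces and the two new `Condition: IsIPv4Enabled` outputs further down are effectively unconditional. If IPv6-only is imminent, say so where the condition is defined, e.g. `# IPv6-only is not yet an allowed IPMode value; IsIPv4Enabled is always true until it is`. Note also that `vpc-ipv6.yaml`, chosen on the DualStack path, is fetched by an unversioned URL like the existing `vpc.yaml`, so the VPC layout of a DualStack deployment is whatever the bucket serves at deploy time; a pinned object version would make the dependency auditable.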
@@ -517,6 +535,7 @@ Resources:
CreatePrivateSubnets: true
PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR
CreateAttachmentSubnets: false
+ IPMode: !Ref IPMode
InternalRoutingTable:
Type: AWS::EC2::RouteTable
Properties:
@@ -568,24 +587,27 @@ Resources:
ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
ManagementServer: !Ref ManagementServer
ConfigurationTemplate: !Ref ConfigurationTemplate
+ IPMode: !Ref IPMode
Outputs:
CheckPointInstancePublicAddress:
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
Description: The public address of the Check Point instance.
Value: !GetAtt GatewayStack.Outputs.PublicAddress
CheckPointInstancePrivateExternalAddress:
+ Condition: IsIPv4Enabled
Description: The private external address of the Check Point instance.
Value: !GetAtt GatewayStack.Outputs.PrivateExternalAddress
CheckPointInstancePrivateInternalAddress:
+ Condition: IsIPv4Enabled
Description: The private internal address of the Check Point instance.
Value: !GetAtt GatewayStack.Outputs.PrivateInternalAddress
CheckPointInstanceSSH:
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
Description: SSH command to the Check Point instance.
Value: !GetAtt GatewayStack.Outputs.SSH
CheckPointInstanceURL:
- Condition: AllocateAddress
- Description: URL to the portal
+ Condition: AllocatePublicIPv4
+ Description: URL to the portal.
Value: !GetAtt GatewayStack.Outputs.URL
ManagementName:
Description: The name that represents the Security Management Server.
diff --git a/aws/templates/single-gw/gateway.yaml b/aws/templates/single-gw/gateway.yaml
index 8679e8d3..2f004a8c 100644
--- a/aws/templates/single-gw/gateway.yaml
+++ b/aws/templates/single-gw/gateway.yaml
@@ -1,5 +1,7 @@
AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Security Gateway into an existing VPC (20260101)
+Description: |
+ Deploys a Check Point Security Gateway into an existing VPC (20260205)
+ See sk175207 for Gateway administration guide deployment and configuration steps.
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
@@ -20,6 +22,7 @@ Metadata:
default: Advanced Settings
Parameters:
- GatewayName
+ - IPMode
- AllocatePublicAddress
- VolumeSize
- VolumeType
@@ -57,8 +60,10 @@ Metadata:
default: Gateway Instance type
KeyName:
default: Key name
+ IPMode:
+ default: IP Configuration Mode
AllocatePublicAddress:
- default: Allocate an Elastic IP
+ default: Allocate an Elastic IPv4 address (Irrelevant for IPv6 only mode)
VolumeSize:
default: Root volume size (GB)
VolumeType:
@@ -353,6 +358,14 @@ Parameters:
Type: AWS::EC2::KeyPair::KeyName
MinLength: 1
ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ IPMode:
+ Description: Specifies the IP mode for the Security Gateway and AWS resources.
+ Type: String
+ AllowedValues:
+ - IPv4
+ # - IPv6
+ - DualStack
+ Default: IPv4
AllocatePublicAddress:
Type: String
Default: true
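Review bot: Leaving `# - IPv6` commented in AllowedValues while the labels ("Irrelevant for IPv6 only mode"), the conditions and the README all refer to an IPv6-only mode leaves the parameter half-documented: an operator cannot tell whether its absence is a bug or a roadmap item. For this existing-VPC template `DualStack` also requires both PublicSubnet and PrivateSubnet to already carry an IPv6 CIDR block, since both ENIs request `Ipv6AddressCount: 1` later in the file and would presumably fail otherwise. Suggest `Description: Specifies the IP mode for the Security Gateway and AWS resources. DualStack requires the VPC and both subnets to already have IPv6 CIDR blocks associated; IPv6-only is not yet supported.`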
@@ -450,7 +463,7 @@ Parameters:
Type: String
Default: ''
GatewayHostname:
- Description: The name must not contain reserved words. For details, refer to sk40179 (optional).
+ Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
Type: String
Default: ''
AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
@@ -503,20 +516,27 @@ Parameters:
MaxLength: 30
Conditions:
ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
- AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
ProvidedManagementParameters: !And [!Not [!Equals [!Ref ManagementServer, '']], !Not [!Equals [!Ref ConfigurationTemplate, '']]]
EnableCloudWatch: !Equals [!Ref CloudWatch, true]
EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+ IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
+ IsIPv4Enabled: !Not [!Equals [!Ref IPMode, "IPv6"]]
+ EnableIPv4RouteTable:
+ !And [!Condition IsIPv4Enabled, !Condition ProvidedRouteTable]
+ EnableIPv6RouteTable:
+ !And [!Condition IsIPv6Enabled, !Condition ProvidedRouteTable]
+ AllocatePublicIPv4:
+ !And [!Equals [!Ref AllocatePublicAddress, true], !Condition IsIPv4Enabled]
Resources:
ReadyHandle:
Type: AWS::CloudFormation::WaitConditionHandle
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
Properties: {}
ReadyCondition:
Type: AWS::CloudFormation::WaitCondition
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
DependsOn: GatewayInstance
Properties:
Handle: !Ref ReadyHandle
@@ -568,6 +588,7 @@ Resources:
GroupSet:
- !Ref PermissiveSecurityGroup
SubnetId: !Ref PublicSubnet
+ Ipv6AddressCount: !If [IsIPv6Enabled, 1, !Ref "AWS::NoValue"]
InternalNetworkInterface:
Type: AWS::EC2::NetworkInterface
Properties:
@@ -583,6 +604,7 @@ Resources:
GroupSet:
- !Ref PermissiveSecurityGroup
SubnetId: !Ref PrivateSubnet
+ Ipv6AddressCount: !If [IsIPv6Enabled, 1, !Ref "AWS::NoValue"]
PermissiveSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
@@ -596,15 +618,30 @@ Resources:
GroupDescription: Permissive security group.
VpcId: !Ref VPC
SecurityGroupIngress:
- - IpProtocol: -1
- CidrIp: 0.0.0.0/0
+ - !If
+ - IsIPv4Enabled
+ - IpProtocol: -1
+ CidrIp: 0.0.0.0/0
+ - !Ref "AWS::NoValue"
+ - !If
+ - IsIPv6Enabled
+ - IpProtocol: -1
+ CidrIpv6: ::/0
+ - !Ref "AWS::NoValue"
InternalDefaultRoute:
Type: AWS::EC2::Route
- Condition: ProvidedRouteTable
+ Condition: EnableIPv4RouteTable
Properties:
DestinationCidrBlock: 0.0.0.0/0
NetworkInterfaceId: !Ref InternalNetworkInterface
RouteTableId: !Ref InternalRouteTable
+ InternalDefaultRouteIPv6:
+ Type: AWS::EC2::Route
+ Condition: EnableIPv6RouteTable
+ Properties:
+ DestinationIpv6CidrBlock: "::/0"
+ NetworkInterfaceId: !Ref InternalNetworkInterface
+ RouteTableId: !Ref InternalRouteTable
GatewayInstance:
Type: AWS::EC2::Instance
DependsOn: GatewayLaunchTemplate
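Review bot: In DualStack mode the `::/0` all-protocol ingress now also covers InternalNetworkInterface, which this commit gives an IPv6 address; unlike the private IPv4 address on that interface, which is unreachable from the internet without a public IP mapping, an AWS IPv6 address is globally unique and is reachable whenever the subnet's route table has a path through an internet gateway, so the internal side loses the implicit unreachability it had under IPv4 and the gateway's own policy becomes the sole control there. That may be the intended design for a firewall appliance, but it deserves a comment on the rule, e.g. `# ::/0 applies to both ENIs; the internal ENI is internet-reachable over IPv6 if the private subnet routes to an IGW — the gateway policy is the only filter`, and a check that `vpc-ipv6.yaml` (not in this diff) gives the private subnet an egress-only route rather than an IGW route. The `!If … !Ref "AWS::NoValue"` form correctly drops the unused list entry.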
@@ -658,23 +695,23 @@ Resources:
- 'runcmd:'
- ' - |'
- ' set -e'
- - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}'''
- - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue']
+ - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; token=''${GatewayToken}'''
+ - !If [AllocatePublicIPv4, !Sub ' wait_handle=''${ReadyHandle}'' ; eip=${AllocatePublicAddress}', ' eip=false']
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
- !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
- !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
- !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
- !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260205\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
VersionDescription: Initial template version
PublicAddress:
Type: AWS::EC2::EIP
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
Properties:
Domain: vpc
AddressAssoc:
Type: AWS::EC2::EIPAssociation
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
DependsOn: GatewayInstance
Properties:
NetworkInterfaceId: !Ref ExternalNetworkInterface
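Review bot: The `templateVersion=\"20260205\"` written into user data, like the Description at the top of this file, does not match the `20260208` row added to the single-gw README in this commit, so the version a deployed gateway reports will not correspond to any README entry. Pick one value and use it in the Description, the user data and the README row. The new `' eip=false'` literal also means `allocatePublicAddress` as seen by cloud_config.py no longer mirrors the AllocatePublicAddress parameter when `AllocatePublicIPv4` is false; that is unchanged while IPv6-only is not selectable, but a comment such as `# eip reflects AllocatePublicAddress only when an IPv4 EIP is actually allocated` records the intent.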
@@ -684,21 +721,23 @@ Outputs:
PublicAddress:
Description: The public address of the Check Point instance.
Value: !Ref PublicAddress
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
PrivateExternalAddress:
+ Condition: IsIPv4Enabled
Description: The private external address of the Check Point instance.
Value: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress
PrivateInternalAddress:
+ Condition: IsIPv4Enabled
Description: The private internal address of the Check Point instance.
Value: !GetAtt InternalNetworkInterface.PrimaryPrivateIpAddress
SSH:
Description: SSH command to the Check Point instance.
Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
URL:
Description: URL to the portal.
Value: !Join ['', ['https://', !Ref PublicAddress]]
- Condition: AllocateAddress
+ Condition: AllocatePublicIPv4
ManagementName:
Description: The name that represents the Security Management Server.
Value: !Ref ManagementServer