How to Install Forcepoint NGFW in Amazon AWS
TECHNICAL DOCUMENT
Table of Contents

Table of Contents ... 1
Test Network Diagram ... 2
Preparing your VPC ... 3
  IP addressing ... 3
  Virtual Private Cloud (VPC) ... 3
  Subnets ... 4
  Internet Gateway ... 4
  Network ACL and Security Group ... 5
SMC Configuration ... 6
  Create a new single NGFW ... 6
  Save initial configuration ... 7
Launching an Instance ... 7
  Elastic IP ... 10
  Route Tables ... 10
  Disabling Source/Destination Checks ... 11
Logging Engine Using SSH ... 11
Adding Server Behind AWS NGFW ... 12
  Deploy a new AMI ... 12
  Configure NGFW rules ... 12
  Testing connections ... 13
Couple of Notes ... 14

Technical Document 1
Test Network Diagram

Elements shown in the diagram (the SMC is located in the Helsinki lab, the NGFW in AWS):

- VPC CIDR 10.29.0.0/16 (vpc-d8ba80b1)
- External LAN 10.29.100.0/24 (subnet-875859fc, rtb-08534e61)
- Internal LAN 10.29.101.0/24 (subnet-9d8d8ce6, rtb-b38f92da)
- NGFW-internetGW 10.29.100.1 (igw-9e2144f7), towards the Internet and the SMC
- AWS NGFW (i-1a8fd0a6): Eth0 10.29.100.254 (eni-afa029d3) with Elastic IP 52.57.7.226; Eth1 10.29.101.254 (eni-afa029d3)
- Linux host 10.29.101.10 (i-1a8fd0a6, eni-1ea12862)
Preparing your VPC

IP ADDRESSING

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.29.100.0/24, the following five IP addresses are reserved:

- 10.29.100.0: Network address.
- 10.29.100.1: Reserved by AWS for the VPC router.
- 10.29.100.2: Reserved by AWS for mapping to the Amazon-provided DNS.
- 10.29.100.3: Reserved by AWS for future use.
- 10.29.100.255: Network broadcast address. Note: AWS does not support broadcast in a VPC.

VIRTUAL PRIVATE CLOUD (VPC)

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can configure your VPC: you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings.

VPC > Your VPCs > Create VPC

Test network VPC: 10.29.0.0/16 (vpc-d8ba80b1)
SUBNETS

After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.

VPC > Subnets > Create Subnet

- External LAN: 10.29.100.0/24 (subnet-875859fc)
- Internal LAN: 10.29.101.0/24 (subnet-9d8d8ce6)

INTERNET GATEWAY

To ensure that your instances can communicate with the Internet, you must also attach an Internet gateway to your VPC.
NETWORK ACL AND SECURITY GROUP

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. In the example configuration the NGFW does the firewalling and the AWS network ACL is effectively disabled (allow all).

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances.

- Test-ACL (acl-3a514053) has an any-any-any allow rule for inbound and outbound traffic.
- Test-ACL is associated with the internal and external subnets.
- Note that network ACLs are stateless.
- Create also an any-any allow security group.
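The console steps of the "Preparing your VPC" chapter (VPC, the two subnets, Internet gateway, allow-all security group) scripted with the AWS CLI, as an added example that is not part of the original document. It assumes a configured AWS CLI (credentials and region); the security group name ngfw-allow-all is a constructed name, and no custom network ACL is created because the default ACL AWS attaches to a new VPC already allows all traffic, which is the allow-all setting used on this page.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the "Preparing your VPC" steps.
# Assumes a configured AWS CLI. The default network ACL of a new VPC
# already allows all traffic in and out, so only the VPC, the subnets,
# the Internet gateway and the allow-all security group are created.
set -eu

# prepare_vpc VPC_CIDR EXTERNAL_CIDR INTERNAL_CIDR
# Prints "VPC EXT_SUBNET INT_SUBNET IGW SG" so the IDs can be reused later.
prepare_vpc() {
    vpc=$(aws ec2 create-vpc --cidr-block "$1" \
          --query Vpc.VpcId --output text)
    ext=$(aws ec2 create-subnet --vpc-id "$vpc" --cidr-block "$2" \
          --query Subnet.SubnetId --output text)
    int=$(aws ec2 create-subnet --vpc-id "$vpc" --cidr-block "$3" \
          --query Subnet.SubnetId --output text)
    # Without an attached Internet gateway the NGFW can never reach the SMC.
    igw=$(aws ec2 create-internet-gateway \
          --query InternetGateway.InternetGatewayId --output text)
    aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"
    # Any-any allow security group (constructed name): the filtering is left
    # to the NGFW policy, as on this page. Egress is allow-all by default.
    sg=$(aws ec2 create-security-group --group-name ngfw-allow-all \
         --description "Allow all; NGFW does the filtering" --vpc-id "$vpc" \
         --query GroupId --output text)
    aws ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol all --cidr 0.0.0.0/0 >/dev/null
    echo "$vpc $ext $int $igw $sg"
}

# Apply only when explicitly asked, with the addressing used on this page.
if [ "${1:-}" = "--apply" ]; then
    prepare_vpc 10.29.0.0/16 10.29.100.0/24 10.29.101.0/24
fi
```

Run it as `sh prepare_vpc.sh --apply` and keep the printed IDs; the later route table and Elastic IP steps need them.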
SMC Configuration

In this example the SMC is located in the Helsinki demo lab, behind the public Internet. The SMC is protected by a firewall which allows the communication between the NGFW and the SMC and NATs the SMC public IP to the private one.

CREATE A NEW SINGLE NGFW

- Create a new single node firewall with a dynamic IP.
- Remember to set the location if the SMC's real address is not directly reachable.
- Define the default route behind the management interface.
SAVE INITIAL CONFIGURATION

- For SSH connection, check Enable SSH daemon.
- Save the USB drive installation config on your desktop.

Launching an instance

Go to EC2 > Instances > Launch.

Select the latest available Forcepoint Stonesoft NGFW instance. If you are using a development version of the AWS NGFW, then the software needs to be mapped to your AWS account (by Forcepoint Product Management) and the NGFW AMI is found under private images.
- The minimum requirement for the NGFW is 2 GB of memory.
- Use the 1st interface for management communication.
- Define the IP addresses for the interfaces. Here 10.29.100.254 and 10.29.101.254.
- To autoconnect the engine to the SMC during boot-up, import the initial contact file (the one exported from the SMC) in Advanced details.
- Click Next.
In the security group we can filter the traffic that reaches the firewall. Here we are configuring the NGFW in a test environment and we want the NGFW to do the filtering.

To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.
ELASTIC IP

An Elastic IP address is a public IP address, which is reachable from the Internet. If your instance does not have a public IP address, you can associate an Elastic IP address with your instance to enable communication with the Internet; for example, to connect to your instance from your local computer.

The NGFW makes initial contact to the SMC during boot-up. If the Elastic IP is not yet available when the NGFW tries to connect, then the contact fails and the contact needs to be done manually. This is explained in the chapter Logging engine using SSH.

To allocate and bind a new address: VPC > Elastic IPs > Allocate New Address. Select the created address, then Actions > Associate address to the NGFW public interface (eni-afa029d3). Remember the public IP.

ROUTE TABLES

By design, each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC. You can change the association, and you can change the contents of the main route table.

The test environment has the following route tables:

- Route table NGFW-internalRT is associated with External LAN (10.29.100.0/24) and has a default route to the Internet gateway (igw-9e2144f7).
- Route table NGFW-internalRT is associated with Internal LAN (10.29.101.0/24) and has a default route to the NGFW internal interface (10.29.101.254 / eni-2f6be253).
DISABLING SOURCE/DESTINATION CHECKS

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, an NGFW instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NGFW instance.

Disable the src/dst check for all firewall interfaces: EC2 > Network Interfaces > Actions > Change Src/Dst. Check > Disabled.

Logging engine using SSH

You can log into the engine with the configured key pair. See https://docs.aws.amazon.com/awsec2/latest/userguide/putty.html?icmpid=docs_ec2_console

Check the NGFW public (Elastic) IP, for example from EC2 > Running instances.

Log in with username aws. The 'aws' user has sudo privileges once you have set a password for it. You can set the password on the command line with sudo passwd. After that you can log in as root with sudo -i.

If your NGFW didn't connect to the SMC during boot-up, run the sg-reconfigure wizard.
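The Elastic IP, route table and source/destination-check steps of the two preceding chapters as one AWS CLI script, added here and not part of the original document. It assumes a configured AWS CLI and that the NGFW instance has already been launched with its external and internal interfaces; the IDs in the --apply line are the ones from this document's test network.

```shell
#!/bin/sh
# Added example: AWS CLI equivalent of the Elastic IP, route table and
# source/destination-check steps. Run after the NGFW instance has been
# launched with its two interfaces. Assumes a configured AWS CLI.
set -eu

# wire_ngfw VPC EXT_SUBNET INT_SUBNET IGW EXT_ENI INT_ENI
# Prints the NGFW public (Elastic) IP, which the SMC initial contact needs.
wire_ngfw() {
    # External LAN: default route to the Internet gateway.
    ext_rt=$(aws ec2 create-route-table --vpc-id "$1" \
             --query RouteTable.RouteTableId --output text)
    aws ec2 create-route --route-table-id "$ext_rt" \
        --destination-cidr-block 0.0.0.0/0 --gateway-id "$4" >/dev/null
    aws ec2 associate-route-table --route-table-id "$ext_rt" \
        --subnet-id "$2" >/dev/null
    # Internal LAN: default route to the NGFW internal interface. The route
    # target is the interface itself, not its IP address.
    int_rt=$(aws ec2 create-route-table --vpc-id "$1" \
             --query RouteTable.RouteTableId --output text)
    aws ec2 create-route --route-table-id "$int_rt" \
        --destination-cidr-block 0.0.0.0/0 --network-interface-id "$6" >/dev/null
    aws ec2 associate-route-table --route-table-id "$int_rt" \
        --subnet-id "$3" >/dev/null
    # A firewall forwards traffic that is neither from nor to itself, so the
    # src/dst check must be off on every NGFW interface or AWS drops it.
    for eni in "$5" "$6"; do
        aws ec2 modify-network-interface-attribute \
            --network-interface-id "$eni" --no-source-dest-check
    done
    # Elastic IP on the external interface; until it exists the engine's
    # initial contact to the SMC fails and has to be redone over SSH.
    alloc=$(aws ec2 allocate-address --domain vpc \
            --query AllocationId --output text)
    aws ec2 associate-address --allocation-id "$alloc" \
        --network-interface-id "$5" >/dev/null
    aws ec2 describe-addresses --allocation-ids "$alloc" \
        --query 'Addresses[0].PublicIp' --output text
}

# Apply only when explicitly asked; the IDs below are the ones on this page.
if [ "${1:-}" = "--apply" ]; then
    wire_ngfw vpc-d8ba80b1 subnet-875859fc subnet-9d8d8ce6 igw-9e2144f7 \
              eni-afa029d3 eni-2f6be253
fi
```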
Adding server behind AWS NGFW

We want to test that traffic is going through the firewall and that we are getting logs. For that we add a Linux server behind the NGFW. In this example I used Amazon Linux.

DEPLOY A NEW AMI

- EC2 > Launch instance: select the AMI for your needs.
- Select the internal subnet (here 10.29.101.0/24) and define an IP from that network (10.29.101.10).
- Launch the instance.

CONFIGURE NGFW RULES

In the example I created the following rules:

- Allow SSH from my PC to the NGFW.
- Allow SSH from my PC to the Linux host.
  o Connection to the NGFW public IP port 2222 is NATed to Linux port 22.
- ICMP/SSH from the internal server to the NGFW and vice versa.
- Allow ping from Linux to Google (8.8.8.8).
  o Connection from Linux is source-NATed to the NGFW public IP.
Before pushing the policy, remember to install the license for the NGFW.

TESTING CONNECTIONS

After the policy is successfully pushed to the AWS NGFW, you should see the NGFW as green in the SMC home view.

In a simple test we test SSH access to the Linux host protected by the NGFW and ping the Google server.

- Open your SSH client and open TCP port 2222 to the NGFW public IP. Remember to use the key exported from AWS.
- The default user for Amazon Linux is ec2-user.
- When logged in, ping 8.8.8.8.
Couple of notes

- The NATting from the Elastic IP to the NGFW IP is done on the Internet GW before the packet reaches the NGFW, and due to that we don't see the public IP in the logs.
- AWS reserves the .1 IP for its router. If we look at the routing table on the Linux host, it states that the next hop is 10.29.101.1, but actually we configured the NGFW as the next hop and its IP is 10.29.101.254. So AWS uses .1 as the default GW and makes an internal NAT to the configured next hop (.254). This is very important to keep in mind, especially when troubleshooting.