How to Install Forcepoint NGFW in Amazon AWS TECHNICAL DOCUMENT


Table of Contents

Table of Contents ... 1
Test Network Diagram ... 2
Preparing Your VPC ... 3
  IP addressing ... 3
  Virtual Private Cloud (VPC) ... 3
  Subnets ... 4
  Internet Gateway ... 4
  Network ACL and Security Group ... 5
SMC Configuration ... 6
  Create a new single NGFW ... 6
  Save initial configuration ... 7
Launching an Instance ... 7
  Elastic IP ... 10
  Route Tables ... 10
  Disabling Source/Destination Checks ... 11
Logging Engine Using SSH ... 11
Adding Server Behind AWS NGFW ... 12
  Deploy a new AMI ... 12
  Configure NGFW rules ... 12
  Testing connections ... 13
Couple of Notes ... 14

Technical Document 1

Test Network Diagram

(Components recovered from the diagram; the figure itself is not reproduced.)
- SMC: located in the Helsinki lab, reached over the Internet.
- Internet gateway NGFW-internetGW (igw-9e2144f7), VPC router address 10.29.100.1.
- External LAN 10.29.100.0/24 (subnet-875859fc), route table rtb-08534e61.
- AWS NGFW (i-1a8fd0a6): Eth0 10.29.100.254 (eni-afa029d3) with Elastic IP 52.57.7.226; Eth1 10.29.101.254 (listed as eni-afa029d3 in the diagram, as eni-2f6be253 in the Route Tables section).
- Internal LAN 10.29.101.0/24 (subnet-9d8d8ce6), route table rtb-b38f92da.
- Linux host 10.29.101.10 (i-1a8fd0a6, eni-1ea12862).
- VPC CIDR 10.29.0.0/16 (vpc-d8ba80b1).

Preparing your VPC

IP ADDRESSING
The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.29.100.0/24, the following five IP addresses are reserved:
- 10.29.100.0: Network address.
- 10.29.100.1: Reserved by AWS for the VPC router.
- 10.29.100.2: Reserved by AWS for mapping to the Amazon-provided DNS.
- 10.29.100.3: Reserved by AWS for future use.
- 10.29.100.255: Network broadcast address. Note: AWS does not support broadcast in a VPC.

VIRTUAL PRIVATE CLOUD (VPC)
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can configure your VPC; you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings.
- VPC -> Your VPCs -> Create VPC
- Test network VPC: 10.29.0.0/16 (vpc-d8ba80b1)

SUBNETS
After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.
- VPC -> Subnets -> Create Subnet
- External LAN 10.29.100.0/24 (subnet-875859fc)
- Internal LAN 10.29.101.0/24 (subnet-9d8d8ce6)

INTERNET GATEWAY
To ensure that your instances can communicate with the Internet, you must also attach an Internet gateway to your VPC.
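As an added example (not part of the original document), the reserved-address rule from the IP addressing section and the "subset of the VPC CIDR" rule from the Subnets section, written as checks you can run against a planned address before you type it into the console. The /16 to /28 subnet size limit is an assumption about AWS that the page itself does not state.

```python
import ipaddress

# Assumptions (not stated on this page): AWS accepts subnet sizes between /16
# and /28. The five reserved addresses are exactly the ones the document lists.
MIN_PREFIX, MAX_PREFIX = 16, 28


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in a subnet, keyed by their role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{subnet_cidr}: AWS subnets must be between /16 and /28")
    base = net.network_address
    return {
        "network": base,
        "vpc_router": base + 1,   # the .1 that the Linux host later sees as its next hop
        "dns": base + 2,
        "future_use": base + 3,
        "broadcast": net.broadcast_address,
    }


def usable_address_count(subnet_cidr):
    """How many addresses in the subnet can actually be assigned to instances."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def is_assignable(ip, subnet_cidr):
    """True if ip lies inside the subnet and is not one of the reserved five."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    return addr in net and addr not in reserved_addresses(subnet_cidr).values()


def subnet_in_vpc(subnet_cidr, vpc_cidr):
    """A subnet CIDR must be a subset of the VPC CIDR (10.29.0.0/16 here)."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


if __name__ == "__main__":
    for role, addr in reserved_addresses("10.29.100.0/24").items():
        print(f"{addr}: {role}")
    for candidate in ("10.29.100.254", "10.29.100.1", "10.29.101.10"):
        print(candidate, "assignable in 10.29.100.0/24:", is_assignable(candidate, "10.29.100.0/24"))
    print("10.29.101.0/24 inside 10.29.0.0/16:", subnet_in_vpc("10.29.101.0/24", "10.29.0.0/16"))
```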

NETWORK ACL AND SECURITY GROUP
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. In the example configuration the NGFW does the firewalling and the AWS network ACL is effectively disabled (allow all).
A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances.
- Test-ACL (acl-3a514053) has an any-any-any allow rule for inbound and outbound traffic.
- Test-ACL is associated with the internal and external subnets. Note that network ACLs are stateless.
- Also create an any-any allow security group.

SMC Configuration
In this example the SMC is located in the Helsinki demo lab, behind the public Internet. The SMC is protected by a firewall which allows the communication between the NGFW and the SMC and NATs the SMC public IP to the private one.

CREATE A NEW SINGLE NGFW
- Create a new single node firewall with a dynamic IP.
- Remember to set the Location if the SMC's real address is not directly reachable.
- Define the default route behind the mgmt interface.

SAVE INITIAL CONFIGURATION
- For SSH connections, check "Enable SSH daemon".
- Save the USB drive installation configuration on your desktop.

Launching an instance
- Go to EC2 -> Instances -> Launch.
- Select the latest available Forcepoint Stonesoft NGFW instance.
- If you are using a development version of the AWS NGFW, the software needs to be mapped to your AWS account (by Forcepoint Product Management) and the NGFW AMI is found under private images.

- The minimum requirement for the NGFW is 2 GB of memory.
- Use the 1st interface for mgmt communication.
- Define IP addresses for the interfaces; here 10.29.100.254 and 10.29.101.254.
- To auto-connect the engine to the SMC during boot-up, import the initial contact file (the one exported from the SMC) under Advanced details.
- Click Next.

In the security group we can filter the traffic that reaches the firewall. Here we are configuring the NGFW in a test environment and we want the NGFW to do the filtering.
To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.

ELASTIC IP
An Elastic IP address is a public IP address, which is reachable from the Internet. If your instance does not have a public IP address, you can associate an Elastic IP address with your instance to enable communication with the Internet; for example, to connect to your instance from your local computer.
The NGFW makes initial contact to the SMC during boot-up. If the Elastic IP is not yet available when the NGFW tries to connect, the contact fails and has to be made manually. This is explained in the chapter Logging engine using SSH.
To allocate and bind a new address:
- VPC -> Elastic IPs -> Allocate New Address
- Select the created address -> Actions -> Associate address to the NGFW public interface (eni-afa029d3)
- Remember the public IP.

ROUTE TABLES
By design, each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC. You can change the association, and you can change the contents of the main route table.
The test environment has the following route tables:
- Route table NGFW-internalRT is associated with External LAN (10.29.100.0/24) and has a default route to the Internet gateway (igw-9e2144f7).
- Route table NGFW-internalRT is associated with Internal LAN (10.29.101.0/24) and has a default route to the NGFW internal interface (10.29.101.254 / eni-2f6be253).

DISABLING SOURCE/DESTINATION CHECKS
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, an NGFW instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NGFW instance.
Disable the src/dst check for all firewall interfaces: EC2 -> Network Interfaces -> Actions -> Change Src/Dst. Check -> Disabled.

Logging engine using SSH
You can log into the engine with the configured key pair: https://docs.aws.amazon.com/awsec2/latest/userguide/putty.html?icmpid=docs_ec2_console
- Check the NGFW public (Elastic) IP, for example from EC2 -> Running instances.
- Log in with username aws.
- The 'aws' user has sudo privileges once you have set a password for it. You can set the password on the command line with sudo passwd.
- After that you can log in as root with sudo -i.
- If your NGFW didn't connect to the SMC during boot-up, run the sg-reconfigure wizard.
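The Route Tables and source/destination check steps above are the two things that silently break forwarding when forgotten. As an added example (not the document's or Forcepoint's code), here is a check over a constructed inventory shaped like the JSON from `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces`; the resource IDs are the ones from this document's test network, and the SourceDestCheck values are assumed so the check has a finding to report.

```python
# Constructed inventory shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-network-interfaces` output. IDs come from this document's
# test network; SourceDestCheck values are assumed (internal ENI left enabled).
NGFW_ENIS = {"eni-afa029d3": "external", "eni-2f6be253": "internal"}
EXTERNAL_SUBNET, INTERNAL_SUBNET, IGW = "subnet-875859fc", "subnet-9d8d8ce6", "igw-9e2144f7"

ROUTE_TABLES = [
    {"RouteTableId": "rtb-08534e61", "Associations": [{"SubnetId": EXTERNAL_SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.29.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW}]},
    {"RouteTableId": "rtb-b38f92da", "Associations": [{"SubnetId": INTERNAL_SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.29.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-2f6be253"}]},
]
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-afa029d3", "SubnetId": EXTERNAL_SUBNET,
     "PrivateIpAddress": "10.29.100.254", "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-2f6be253", "SubnetId": INTERNAL_SUBNET,
     "PrivateIpAddress": "10.29.101.254", "SourceDestCheck": True},  # not yet disabled
]

def default_route(route_table):
    """The 0.0.0.0/0 entry of a route table, or None if it has none."""
    return next((r for r in route_table["Routes"]
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def check_ngfw_plumbing(route_tables, interfaces, ngfw_enis=NGFW_ENIS,
                        external=EXTERNAL_SUBNET, internal=INTERNAL_SUBNET, igw=IGW):
    """Return findings as strings; an empty list means traffic can flow via the NGFW."""
    findings = []
    # 1. Every NGFW interface needs the EC2 source/destination check disabled,
    #    otherwise packets the NGFW forwards for other hosts are dropped.
    for eni in interfaces:
        if eni["NetworkInterfaceId"] in ngfw_enis and eni["SourceDestCheck"]:
            findings.append(f"{eni['NetworkInterfaceId']}: source/destination check still enabled")
    # 2. Internal subnet defaults to the NGFW internal ENI, external subnet to the IGW.
    by_subnet = {a["SubnetId"]: rt for rt in route_tables
                 for a in rt["Associations"] if "SubnetId" in a}
    internal_eni = next(e for e, role in ngfw_enis.items() if role == "internal")
    expected = {internal: ("NetworkInterfaceId", internal_eni), external: ("GatewayId", igw)}
    for subnet, (key, target) in expected.items():
        route = default_route(by_subnet[subnet]) if subnet in by_subnet else None
        if route is None:
            findings.append(f"{subnet}: no associated route table with a default route")
        elif route.get(key) != target:
            hop = route.get("GatewayId") or route.get("NetworkInterfaceId")
            findings.append(f"{subnet}: default route points at {hop}, expected {target}")
    return findings

if __name__ == "__main__":
    for line in check_ngfw_plumbing(ROUTE_TABLES, NETWORK_INTERFACES) or ["OK: NGFW plumbing is consistent"]:
        print(line)
```

Feeding real `describe-*` output into the two functions is the same call; only the inventory constants change.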

Adding server behind AWS NGFW
We want to test that traffic is going through the firewall and that we are getting logs. For that we add a Linux server behind the NGFW. In this example I used Amazon Linux.

DEPLOY A NEW AMI
- EC2 -> Launch instance -> select the AMI for your needs.
- Select the internal subnet (here 10.29.101.0/24) and define an IP from that network (10.29.101.10).
- Launch the instance.

CONFIGURE NGFW RULES
In the example I created the following rules:
- Allow SSH from my PC to the NGFW.
- Allow SSH from my PC to the Linux host.
  o A connection to the NGFW public IP, port 2222, is NATed to the Linux host, port 22.
- ICMP/SSH from the internal server to the NGFW and vice versa.
- Allow ping from the Linux host to Google (8.8.8.8).
  o The connection from the Linux host is source-NATed to the NGFW public IP.

Before pushing the policy, remember to install the license for the NGFW.

TESTING CONNECTIONS
After the policy is successfully pushed to the AWS NGFW you should see the NGFW as green in the SMC home view. In a simple test we test SSH access to the Linux host protected by the NGFW and ping Google's server.
- Open your SSH client and connect to TCP port 2222 on the NGFW public IP. Remember to use the key exported from AWS. The default user for Amazon Linux is ec2-user.
- When logged in, ping 8.8.8.8.

Couple of notes
- The NATing from the Elastic IP to the NGFW IP is done on the Internet gateway before the packet reaches the NGFW, and because of that we don't see the public IP in the logs.
- AWS reserves the .1 IP for its router. If we look at the routing table on the Linux host it states that the next hop is 10.29.101.1, but actually we configured the NGFW as the next hop and its IP is 10.29.101.254. So AWS uses .1 as the default GW and makes an internal NAT to the configured next hop (.254). This is very important to keep in mind, especially when troubleshooting.