
Forcepoint : Deploy the SMC on AWS | Part I

How do you deploy Forcepoint SMC (Security Management Center) on AWS? This is a good question. There is some documentation on the Forcepoint website, but it only explains how to install the SMC. In this howto, you’ll learn how to deploy an SMC behind a Forcepoint firewall in a new AWS environment.
From my point of view, the best practice is to deploy the SMC in a dedicated AWS account (or in the Network account, if one already exists), with a dedicated VPC and dedicated subnets.

This is the final design of the SMC implementation on AWS. We have:

  • 1 EC2 instance which hosts the SMC, located on the private subnet.
  • 1 EC2 instance which hosts the Forcepoint NGFW firewall, located on both subnets, the private subnet and the public subnet.
  • 1 Elastic IP (EIP) linked to the NGFW public subnet interface.
  • I didn’t draw it, but we’ll also have to change the route table.

1 / Prerequisites

To follow this howto you’ll need:

  • a VPC with public and private subnets (NAT)
  • Security Groups
  • 1 EC2 instance for the Management Server (SMC) on the private subnet
    • t3.xlarge minimum
  • 1 EC2 instance for the Log Server on the private subnet
    • m5.xlarge with an additional HDD for logs
  • 1 EC2 instance for the NGFW on the private subnet
    • m5.large
  • 1 EC2 instance as “Jump server” on the public subnet with a public IP
  • 1 network interface on the public subnet attached to the NGFW
  • 1 EIP linked to the network interface on the public subnet

1.1/ VPC with Public & Private Subnet

We’ll create our subnets following the AWS recommendations:

Diagram for scenario 2: VPC with public and private subnets

  • Create a VPC : 172.16.0.0/16
  • Create your private subnet : 172.16.0.0/24
  • Create your public subnet : 172.16.1.0/24
  • Create a NAT Gateway attached to the public subnet
  • Create an Internet Gateway
  • Create the private subnet route table :
    • add the default route 0.0.0.0/0 pointing to your NAT Gateway
    • go to Subnet Associations to link the route table to your private subnet
  • Create the public subnet route table :
    • add the default route 0.0.0.0/0 pointing to your Internet Gateway
    • go to Subnet Associations to link the route table to your public subnet

:) Well done! Your network is ready to welcome your EC2 instances.

1.2 / Security Groups

Before creating the instances, we’ll create all the security groups.


It’s a big mess, and I tried to simplify your life. You can find the default communication ports on the Forcepoint website.

1.2.1 / Forcepoint NGFW Security Groups

  • First NGFW Security Group: NGFW-SMC
  • Inbound rules:

Type       | Protocol | Port range | Source      | Description
Custom TCP | TCP      | 15000      | 172.16.0.10 | SG_Blacklisting
SSH        | TCP      | 22         | Private-Lan | SSH
Custom TCP | TCP      | 4987       | 172.16.0.10 | SG_Commands
Custom TCP | TCP      | 4950       | 172.16.0.10 | SG_Remote_Upgrade
Custom TCP | TCP      | 636        | 172.16.0.10 | LDAPS_Repli

  • Outbound rules:

Type       | Protocol | Port range | Destination | Description
Custom TCP | TCP      | 3020       | 172.16.0.11 | SG_Log
Custom TCP | TCP      | 3021       | 172.16.0.10 | SG_Initial_Contact
Custom TCP | TCP      | 8906       | 172.16.0.10 | SG_Dynamic_Control

  • Second NGFW Security Group: NGFW-Global-Rules
  • Inbound rules:

Type       | Protocol | Port range | Source    | Description
Custom UDP | UDP      | 4500       | 0.0.0.0/0 | NAT-T
Custom UDP | UDP      | 500        | 0.0.0.0/0 | ISAKMP
HTTPS      | TCP      | 443        | 0.0.0.0/0 | TLS
SNMP       | UDP      | 161        | 0.0.0.0/0 | SNMP

  • Outbound rules:

Type       | Protocol | Port range | Destination | Description
HTTP       | TCP      | 80         | 0.0.0.0/0   | HTTP
HTTPS      | TCP      | 443        | 0.0.0.0/0   | HTTPS
Custom UDP | UDP      | 4500       | 0.0.0.0/0   | NAT-T
Custom UDP | UDP      | 500        | 0.0.0.0/0   | ISAKMP
DNS        | UDP      | 53         | 0.0.0.0/0   | DNS

1.2.2 / SMC Security Groups

  • SMC Security Group: SMC-Global-Rules
  • Inbound rules:

Type       | Protocol | Port range | Source      | Description
Custom TCP | TCP      | 8080       | 0.0.0.0/0   | WebServer
SSH        | TCP      | 22         | Private-Lan | SSH
Custom TCP | TCP      | 8082       | 0.0.0.0/0   | API
Custom TCP | TCP      | 8085       | 0.0.0.0/0   | WebServer_TLS

  • Outbound rules:

Type            | Protocol | Port range  | Destination | Description
HTTP            | TCP      | 80          | 0.0.0.0/0   | HTTP
Custom TCP      | TCP      | 686         | Private-Lan | LDAPS
Custom UDP      | UDP      | 1812 - 1813 | Private-Lan | Radius
Custom UDP      | UDP      | 1645        | Private-Lan | Radius
DNS (UDP)       | UDP      | 53          | 0.0.0.0/0   | DNS
LDAP            | TCP      | 389         | Private-Lan | LDAP
HTTPS           | TCP      | 443         | 0.0.0.0/0   | HTTPS
All ICMP - IPv4 | ICMP     | All         | 0.0.0.0/0   | ICMP

  • SMC Security Group: SMC-NGFW
  • Inbound rules:

Type       | Protocol | Port range | Source    | Description
Custom TCP | TCP      | 3020       | 0.0.0.0/0 | SG_Log
Custom TCP | TCP      | 3021       | 0.0.0.0/0 | SG_Initial_Contact
Custom TCP | TCP      | 8906       | 0.0.0.0/0 | SG_Dynamic_Control

  • Outbound rules:

Type       | Protocol | Port range | Destination | Description
Custom TCP | TCP      | 15000      | 0.0.0.0/0   | SG_Blacklisting
SSH        | TCP      | 22         | 0.0.0.0/0   | SSH
Custom TCP | TCP      | 4987       | 0.0.0.0/0   | SG_Commands
Custom TCP | TCP      | 4950       | 0.0.0.0/0   | SG_Remote_Upgrade
Custom TCP | TCP      | 636        | 0.0.0.0/0   | LDAPS_Repli

  • SMC Security Group: SMC-LOG
  • Inbound rules:

Type       | Protocol | Port range | Source      | Description
Custom TCP | TCP      | 3021       | 172.16.0.11 | SG_Log
Custom TCP | TCP      | 3023       | 172.16.0.11 | SG_Status_Monitoring
Custom TCP | TCP      | 8902-8918  | 172.16.0.11 | SG_Control
Custom UDP | UDP      | 161        | 0.0.0.0/0   | SNMP

  • Outbound rules:

Type       | Protocol | Port range | Destination | Description
Custom TCP | TCP      | 3020       | 172.16.0.11 | SG_Log
Custom TCP | TCP      | 8914-8918  | 172.16.0.11 | SG_Data_Browsing
Custom UDP | UDP      | 161        | 0.0.0.0/0   | SNMP

1.2.3 / Log Security Groups

  • Log Server Security Group: Log-Global-Rules
  • Inbound rules:

Type | Protocol | Port range | Source      | Description
SSH  | TCP      | 22         | Private-Lan | SSH

  • Outbound rules:

Type            | Protocol | Port range | Destination | Description
All ICMP - IPv4 | ICMP     | All        | 0.0.0.0/0   | ICMP

  • Log Server Security Group: Log-SMC
  • Inbound rules:

Type       | Protocol | Port range | Source      | Description
Custom TCP | TCP      | 8914-8918  | 172.16.0.10 | SG_Data_Browsing
Custom UDP | UDP      | 161        | 0.0.0.0/0   | SNMP

  • Outbound rules:

Type       | Protocol | Port range | Destination | Description
Custom TCP | TCP      | 3021       | 172.16.0.10 | SG_Log
Custom TCP | TCP      | 3023       | 172.16.0.10 | SG_Status_Monitoring
Custom TCP | TCP      | 8902-8918  | 172.16.0.10 | SG_Control
Custom UDP | UDP      | 161        | 0.0.0.0/0   | SNMP

  • Log Server Security Group: Log-NGFW
  • Inbound rules:

Type       | Protocol | Port range | Source    | Description
Custom TCP | TCP      | 3020       | 0.0.0.0/0 | SG_Log

  • Outbound rules:

Type       | Protocol | Port range | Destination | Description
Custom TCP | TCP      | 15000      | 0.0.0.0/0   | SG_Blacklisting
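
As an added example (not part of the original post), here is a small Python helper that turns the rule tables above into the `--ip-permissions` JSON that `aws ec2 authorize-security-group-ingress` accepts, and lists any rule that opens a management port (SSH, the SMC web server and API ports) to 0.0.0.0/0 so you can decide whether to narrow its source before applying the group. The security group id and the mapping of “Private-Lan” to the VPC CIDR 172.16.0.0/16 are assumptions.

```python
import json

# Constructed from the section 1.2 tables: (type, protocol, port range, source, description).
SMC_GLOBAL_INBOUND = [
    ("Custom TCP", "TCP", "8080", "0.0.0.0/0", "WebServer"),
    ("SSH", "TCP", "22", "Private-Lan", "SSH"),
    ("Custom TCP", "TCP", "8082", "0.0.0.0/0", "API"),
    ("Custom TCP", "TCP", "8085", "0.0.0.0/0", "WebServer_TLS"),
]
SMC_NGFW_INBOUND = [
    ("Custom TCP", "TCP", "3020", "0.0.0.0/0", "SG_Log"),
    ("Custom TCP", "TCP", "3021", "0.0.0.0/0", "SG_Initial_Contact"),
    ("Custom TCP", "TCP", "8906", "0.0.0.0/0", "SG_Dynamic_Control"),
]
ALIASES = {"Private-Lan": "172.16.0.0/16"}  # assumption: the VPC CIDR created in 1.1

def to_cidr(src):
    """Resolve a table source to a CIDR; a bare host address becomes a /32."""
    src = ALIASES.get(src, src)
    return src if "/" in src else src + "/32"

def port_range(spec):
    """'8902-8918' or '1812 – 1813' -> (8902, 8918); '443' -> (443, 443); 'All' -> (-1, -1)."""
    if spec.strip().lower() == "all":
        return (-1, -1)          # AWS encodes "all ports" (e.g. for ICMP) as -1/-1
    parts = spec.replace("\u2013", "-").split("-")
    return (int(parts[0]), int(parts[-1]))

def ip_permissions(rules):
    """Build the --ip-permissions list for `aws ec2 authorize-security-group-ingress`."""
    perms = []
    for _type, proto, ports, src, desc in rules:
        lo, hi = port_range(ports)
        perms.append({"IpProtocol": proto.lower(), "FromPort": lo, "ToPort": hi,
                      "IpRanges": [{"CidrIp": to_cidr(src), "Description": desc}]})
    return perms

def cli_command(group_id, rules):
    # One CLI call per group; group_id (sg-...) is a placeholder you fill in after creation.
    return ("aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (group_id, json.dumps(ip_permissions(rules))))

def wide_open(rules, mgmt_ports=(22, 8080, 8082, 8085)):
    """Management ports reachable from 0.0.0.0/0: review these before applying the group."""
    hits = []
    for _type, proto, ports, src, desc in rules:
        lo, hi = port_range(ports)
        if to_cidr(src) == "0.0.0.0/0" and any(lo <= p <= hi for p in mgmt_ports):
            hits.append((proto, ports, desc))
    return hits
```

Running `wide_open(SMC_GLOBAL_INBOUND)` reports the three SMC web/API rules, which you may prefer to restrict to the jump server or your admin range.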

1.3 / EC2 Instance creation

1.3.1 / SMC Instance

For the SMC, you can configure it like this:

  • AMI : ami-0aef57767f5404a3c (Ubuntu 20.04)
  • Instance Type : t3.xlarge minimum (16GB of memory if you activate the Web Interface)
    • the Web Interface consumes 2GB per connected user
  • Subnet : Private-Subnet
  • IP Address : 172.16.0.10
  • Disk Size : 50GB
  • Security Group : SMC-Global-Rules | SMC-NGFW | SMC-LOG

1.3.2 / Logs Instance

  • AMI : ami-0aef57767f5404a3c (Ubuntu 20.04)
  • Instance Type : m5.xlarge minimum
  • Subnet : Private-Subnet
  • IP Address : 172.16.0.11
  • Disk Size : 50GB
  • Security Group : Log-Global-Rules | Log-SMC | Log-NGFW

1.3.3 / NGFW Instance

1.3.3.1 / Public Interface creation

Before creating the instance, we’ll create a Network Interface and assign an Elastic IP to this interface.

  • In Network Interfaces, click on “Create network interface”
  • Description : Public-Int-NGFW
  • Subnet : 172.16.1.0/24
  • Private IPv4 Address : Custom
  • IPv4 Address : 172.16.1.254
  • Security Group : NGFW-SMC | NGFW-Global-Rules | SMC-Global-Rules | SMC-NGFW

Now note the Interface ID (ENI ID) and go to ‘Elastic IPs’

  • Click on “Allocate Elastic IP Address”
  • Click on the created EIP
  • Click on Actions, then “Associate Elastic IP Address”
  • Resource Type : Network Interface
  • Network Interface : your ENI ID
  • Then click on “Associate”

1.3.3.2 / NGFW Instance creation

  • AMI : ami-0f1ffa2bb09d7800c (Forcepoint NGFW BYOL)
  • Instance Type : m5.large minimum
  • For the subnets, you have to assign both:
    • Subnet1 : Public-Subnet
    • Network Interface : choose the previously created ENI
    • Subnet2 : Private-Subnet
    • IP Address : 172.16.0.254
  • Disk Size : 50GB
  • Security Group : NGFW-SMC | NGFW-Global-Rules | SMC-Global-Rules | SMC-NGFW

1.3.4 / Jump Server

  • AMI : ami-0aef57767f5404a3c (Ubuntu 20.04)
  • Instance Type : t2.micro
  • Subnet : Public-Subnet
  • IP Address : DHCP + Check the box “Public IP”
  • Disk Size : 10GB
  • Security Group : default (SSH only)

We did it :) All prerequisites are done! It was the biggest part of the job :).

You can now jump to the next Howto : Deploy the SMC on AWS | Part II, you’ll learn


About Alexandre Nogard
