How to deploy Forcepoint SMC (Security Management Center) on AWS? This is a good question. There is some documentation on the Forcepoint website, but it only explains how to install the SMC. In this howto, you'll learn how to deploy an SMC behind a Forcepoint Firewall in a new AWS environment. From my point of view, the best practice is to deploy the SMC on a dedicated AWS account (or on the Network account if one already exists), with a dedicated VPC and dedicated subnets.
This is the final design of the SMC implementation on AWS. We have:

- 1 EC2 Instance which hosts the SMC, located on the private subnet.
- 1 EC2 Instance which hosts the Forcepoint NGFW Firewall, located on both subnets, the private subnet and the public subnet.
- 1 Elastic IP (EIP) linked to the NGFW public subnet interface.

I didn't draw it on the design, but we'll also have to change the route tables.

1 / Prerequisites

To follow this howto you'll need:
- a VPC with public and private subnets (NAT)
- Security Groups
- 1 EC2 Instance for the Management server (SMC), on the private subnet
- 1 EC2 Instance for the Log Server, on the private subnet: m5.xlarge with an additional HDD for logs
- 1 EC2 Instance for the NGFW, on the private subnet
- 1 EC2 Instance as "Jump server", on the public subnet with a public IP
- 1 Network adapter on the public subnet, linked to the NGFW
- 1 EIP linked to the network adapter on the public subnet

1.1 / VPC with Public & Private Subnet

We'll create our subnets following the AWS recommendations:
- Create a VPC: 172.16.0.0/16
- Create your private subnet: 172.16.0.0/24
- Create your public subnet: 172.16.1.0/24
- Create a NAT Gateway attached to the public subnet
- Create an Internet Gateway
- Create the private subnet routing table: add the default route 0.0.0.0/0 pointing to your NAT Gateway, then go to Subnet Associations to link the route table to your private subnet
- Create the public subnet routing table: add the default route 0.0.0.0/0 pointing to your Internet Gateway, then go to Subnet Associations to link the route table to your public subnet

:) Well done! Your network is ready to welcome your EC2 Instances.
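Before clicking through the console, it is worth checking the addressing plan on paper. The script below is an added example, not part of the original howto: it encodes the VPC, the two subnets and the static addresses used later in this post (172.16.0.10, 172.16.0.11, 172.16.0.254, 172.16.1.254) and verifies that the subnets sit inside the VPC and do not overlap, that each planned address lands in the intended subnet, that none of them collides with the five addresses AWS reserves in every subnet (the first four and the last one), and that the private subnet defaults to the NAT Gateway while the public one defaults to the Internet Gateway. The subnet names "Private-Subnet" and "Public-Subnet" are the ones used later in this howto; the route-target labels are my own.

```python
"""Sanity-check the VPC/subnet plan from section 1.1 before creating anything.

Added example (not from the original post). It uses only the standard
library ipaddress module.
"""
import ipaddress

VPC = ipaddress.ip_network("172.16.0.0/16")

# Subnet name -> (CIDR, default-route target) as in the howto.
# The target labels are my own shorthand for the console objects.
SUBNETS = {
    "Private-Subnet": (ipaddress.ip_network("172.16.0.0/24"), "nat-gateway"),
    "Public-Subnet": (ipaddress.ip_network("172.16.1.0/24"), "internet-gateway"),
}

# Static addresses used later in the howto, with the subnet each must live in.
PLANNED_HOSTS = {
    "SMC": ("172.16.0.10", "Private-Subnet"),
    "Log Server": ("172.16.0.11", "Private-Subnet"),
    "NGFW private interface": ("172.16.0.254", "Private-Subnet"),
    "NGFW public interface (ENI)": ("172.16.1.254", "Public-Subnet"),
}


def aws_reserved(subnet):
    """Addresses AWS reserves in every subnet: network address, VPC router (+1),
    DNS resolver (+2), future use (+3) and the broadcast address."""
    first = int(subnet.network_address)
    last = int(subnet.broadcast_address)
    return {ipaddress.ip_address(first + i) for i in range(4)} | {ipaddress.ip_address(last)}


def check_plan(vpc=VPC, subnets=SUBNETS, hosts=PLANNED_HOSTS):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    nets = list(subnets.items())
    # Every subnet must be carved out of the VPC CIDR.
    for name, (net, _) in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
    # Subnets must not overlap each other.
    for i, (n1, (net1, _)) in enumerate(nets):
        for n2, (net2, _) in nets[i + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{n1} {net1} overlaps {n2} {net2}")
    # Each planned host address must be inside its subnet and not AWS-reserved.
    for host, (addr, subnet_name) in hosts.items():
        ip = ipaddress.ip_address(addr)
        net, _ = subnets[subnet_name]
        if ip not in net:
            problems.append(f"{host} {ip} is outside {subnet_name} {net}")
        elif ip in aws_reserved(net):
            problems.append(f"{host} {ip} is an AWS-reserved address in {net}")
    # A private subnet default-routes to the NAT Gateway, a public one to the IGW.
    for name, (_, target) in nets:
        expected = "nat-gateway" if name.lower().startswith("private") else "internet-gateway"
        if target != expected:
            problems.append(f"{name} default route points to {target}, expected {expected}")
    return problems


if __name__ == "__main__":
    for line in check_plan() or ["plan OK"]:
        print(line)
```

Run it as-is and it reports "plan OK" for the addresses in this howto; change an address to, say, 172.16.0.1 and it tells you that you have picked the VPC router address, which the console would reject only after you have filled in the whole form.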
1.2 / Security Groups

Before creating the instances, we'll create all the security groups.

It's a big mess and I tried to simplify your life. You can find the default communication ports on the Forcepoint website.
1.2.1 / Forcepoint NGFW Security Groups

First NGFW Security Group: NGFW-SMC

Inbound rules:

| Type | Protocol | Port range | Source | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 15000 | 172.16.0.10 | SG_Blacklisting |
| SSH | TCP | 22 | Private-Lan | SSH |
| Custom TCP | TCP | 4987 | 172.16.0.10 | SG_Commands |
| Custom TCP | TCP | 4950 | 172.16.0.10 | SG_Remote_Upgrade |
| Custom TCP | TCP | 636 | 172.16.0.10 | LDAPS_Repli |

Outbound rules:

| Type | Protocol | Port range | Destination | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 3020 | 172.16.0.11 | SG_Log |
| Custom TCP | TCP | 3021 | 172.16.0.10 | SG_Initial_Contact |
| Custom TCP | TCP | 8906 | 172.16.0.10 | SG_Dynamic_Control |

Second NGFW Security Group: NGFW-Global-Rules

Inbound rules:

| Type | Protocol | Port range | Source | Description (optional) |
|---|---|---|---|---|
| Custom UDP | UDP | 4500 | 0.0.0.0/0 | NAT-T |
| Custom UDP | UDP | 500 | 0.0.0.0/0 | ISAKMP |
| HTTPS | TCP | 443 | 0.0.0.0/0 | TLS |
| SNMP | UDP | 161 | 0.0.0.0/0 | SNMP |

Outbound rules:

| Type | Protocol | Port range | Destination | Description (optional) |
|---|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 | HTTP |
| HTTPS | TCP | 443 | 0.0.0.0/0 | HTTPS |
| Custom UDP | UDP | 4500 | 0.0.0.0/0 | NAT-T |
| Custom UDP | UDP | 500 | 0.0.0.0/0 | ISAKMP |
| DNS | UDP | 53 | 0.0.0.0/0 | DNS |

1.2.2 / SMC Security Groups

SMC Security Group: SMC-Global-Rules

Inbound rules:

| Type | Protocol | Port range | Source | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 8080 | 0.0.0.0/0 | WebServer |
| SSH | TCP | 22 | Private-Lan | SSH |
| Custom TCP | TCP | 8082 | 0.0.0.0/0 | API |
| Custom TCP | TCP | 8085 | 0.0.0.0/0 | WebServer_TLS |

Outbound rules:

| Type | Protocol | Port range | Destination | Description (optional) |
|---|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 | HTTP |
| Custom TCP | TCP | 686 | Private-Lan | LDAPs |
| Custom UDP | UDP | 1812 - 1813 | Private-Lan | Radius |
| Custom UDP | UDP | 1645 | Private-Lan | Radius |
| DNS (UDP) | UDP | 53 | 0.0.0.0/0 | DNS |
| LDAP | TCP | 389 | Private-Lan | LDAP |
| HTTPS | TCP | 443 | 0.0.0.0/0 | HTTPs |
| All ICMP - IPv4 | ICMP | All | 0.0.0.0/0 | ICMP |

SMC Security Group: SMC-NGFW

Inbound rules:

| Type | Protocol | Port range | Source | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 3020 | 0.0.0.0/0 | SG_Log |
| Custom TCP | TCP | 3021 | 0.0.0.0/0 | SG_Initial_Contact |
| Custom TCP | TCP | 8906 | 0.0.0.0/0 | SG_Dynamic_Control |

Outbound rules:

| Type | Protocol | Port range | Destination | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 15000 | 0.0.0.0/0 | SG_Blacklisting |
| SSH | TCP | 22 | 0.0.0.0/0 | SSH |
| Custom TCP | TCP | 4987 | 0.0.0.0/0 | SG_Commands |
| Custom TCP | TCP | 4950 | 0.0.0.0/0 | SG_Remote_Upgrade |
| Custom TCP | TCP | 636 | 0.0.0.0/0 | LDAPS_Repli |
SMC Security Group: SMC-LOG

Inbound rules:

| Type | Protocol | Port range | Source | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 3021 | 172.16.0.11 | SG_Log |
| Custom TCP | TCP | 3023 | 172.16.0.11 | SG_Status_Monitoring |
| Custom TCP | TCP | 8902-8918 | 172.16.0.11 | SG_Control |
| Custom UDP | UDP | 161 | 0.0.0.0/0 | SNMP |

Outbound rules:

| Type | Protocol | Port range | Destination | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 3020 | 172.16.0.11 | SG_Log |
| Custom TCP | TCP | 8914-8918 | 172.16.0.11 | SG_Data_Browsing |
| Custom UDP | UDP | 161 | 0.0.0.0/0 | SNMP |
1.2.3 / Log Security Groups

Log Server Security Group: Log-Global-Rules

Inbound rules:

| Type | Protocol | Port range | Source | Description (optional) |
|---|---|---|---|---|
| SSH | TCP | 22 | Private-Lan | SSH |

Outbound rules:

| Type | Protocol | Port range | Destination | Description (optional) |
|---|---|---|---|---|
| All ICMP - IPv4 | ICMP | All | 0.0.0.0/0 | ICMP |

Log Server Security Group: Log-SMC

Inbound rules:

| Type | Protocol | Port range | Source | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 8914-8918 | 172.16.0.10 | SG_Data_Browsing |
| Custom UDP | UDP | 161 | 0.0.0.0/0 | SNMP |

Outbound rules:

| Type | Protocol | Port range | Destination | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 3021 | 172.16.0.10 | SG_Log |
| Custom TCP | TCP | 3023 | 172.16.0.10 | SG_Status_Monitoring |
| Custom TCP | TCP | 8902-8918 | 172.16.0.10 | SG_Control |
| Custom UDP | UDP | 161 | 0.0.0.0/0 | SNMP |

Log Server Security Group: Log-NGFW

Inbound rules:

| Type | Protocol | Port range | Source | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 3020 | 0.0.0.0/0 | SG_Log |

Outbound rules:

| Type | Protocol | Port range | Destination | Description (optional) |
|---|---|---|---|---|
| Custom TCP | TCP | 15000 | 0.0.0.0/0 | SG_Blacklisting |
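Once the groups exist it is easy to lose track of which management ports ended up open to 0.0.0.0/0. The script below is an added example, not part of the original howto: it transcribes the inbound rules from the tables above (inbound is where exposure matters) and flags every rule whose source is 0.0.0.0/0, except the three ports the NGFW public interface exposes to the Internet by design (ISAKMP, NAT-T and TLS on NGFW-Global-Rules). For each finding it also lists the narrower sources this howto already uses for the same port in another group's inbound rules, which is the natural candidate when you tighten a rule. It assumes "Private-Lan" means the VPC CIDR 172.16.0.0/16; the "INTERNET_FACING" allowlist is my own reading of the NGFW-Global-Rules table.

```python
"""Review the inbound security-group rules from section 1.2 for least privilege.

Added example (not from the original post). Standard library only.
"""
import ipaddress
from collections import defaultdict

PRIVATE_LAN = "172.16.0.0/16"   # assumption: what "Private-Lan" stands for in the tables

# Transcribed from the inbound tables above: group, protocol, port or range, source, description.
INBOUND = """
NGFW-SMC          tcp 15000      172.16.0.10  SG_Blacklisting
NGFW-SMC          tcp 22         Private-Lan  SSH
NGFW-SMC          tcp 4987       172.16.0.10  SG_Commands
NGFW-SMC          tcp 4950       172.16.0.10  SG_Remote_Upgrade
NGFW-SMC          tcp 636        172.16.0.10  LDAPS_Repli
NGFW-Global-Rules udp 4500       0.0.0.0/0    NAT-T
NGFW-Global-Rules udp 500        0.0.0.0/0    ISAKMP
NGFW-Global-Rules tcp 443        0.0.0.0/0    TLS
NGFW-Global-Rules udp 161        0.0.0.0/0    SNMP
SMC-Global-Rules  tcp 8080       0.0.0.0/0    WebServer
SMC-Global-Rules  tcp 22         Private-Lan  SSH
SMC-Global-Rules  tcp 8082       0.0.0.0/0    API
SMC-Global-Rules  tcp 8085       0.0.0.0/0    WebServer_TLS
SMC-NGFW          tcp 3020       0.0.0.0/0    SG_Log
SMC-NGFW          tcp 3021       0.0.0.0/0    SG_Initial_Contact
SMC-NGFW          tcp 8906       0.0.0.0/0    SG_Dynamic_Control
SMC-LOG           tcp 3021       172.16.0.11  SG_Log
SMC-LOG           tcp 3023       172.16.0.11  SG_Status_Monitoring
SMC-LOG           tcp 8902-8918  172.16.0.11  SG_Control
SMC-LOG           udp 161        0.0.0.0/0    SNMP
Log-Global-Rules  tcp 22         Private-Lan  SSH
Log-SMC           tcp 8914-8918  172.16.0.10  SG_Data_Browsing
Log-SMC           udp 161        0.0.0.0/0    SNMP
Log-NGFW          tcp 3020       0.0.0.0/0    SG_Log
"""

# Ports the NGFW public interface legitimately exposes to the Internet (my allowlist).
INTERNET_FACING = {("NGFW-Global-Rules", "udp", 500),
                   ("NGFW-Global-Rules", "udp", 4500),
                   ("NGFW-Global-Rules", "tcp", 443)}


def parse_rules(text=INBOUND):
    """Turn the whitespace-separated table into rule dicts with parsed ports and sources."""
    rules = []
    for line in text.strip().splitlines():
        group, proto, ports, source, desc = line.split()
        lo, _, hi = ports.partition("-")
        src = PRIVATE_LAN if source == "Private-Lan" else source
        rules.append({"group": group, "proto": proto, "lo": int(lo), "hi": int(hi or lo),
                      "source": ipaddress.ip_network(src, strict=False), "desc": desc})
    return rules


def review(rules):
    """Return findings as (group, proto, ports, description, narrower sources used elsewhere)."""
    # Non-world sources the tables already use for a given protocol/port range.
    scoped = defaultdict(set)
    for r in rules:
        if r["source"].prefixlen > 0:
            scoped[(r["proto"], r["lo"], r["hi"])].add(str(r["source"]))
    findings = []
    for r in rules:
        if r["source"].prefixlen > 0:
            continue            # already restricted to a host or the VPC
        if r["lo"] == r["hi"] and (r["group"], r["proto"], r["lo"]) in INTERNET_FACING:
            continue            # open to the Internet by design
        ports = str(r["lo"]) if r["lo"] == r["hi"] else f"{r['lo']}-{r['hi']}"
        findings.append((r["group"], r["proto"], ports, r["desc"],
                         sorted(scoped.get((r["proto"], r["lo"], r["hi"]), set()))))
    return findings


if __name__ == "__main__":
    for group, proto, ports, desc, narrower in review(parse_rules()):
        hint = f" (elsewhere scoped to {', '.join(narrower)})" if narrower else ""
        print(f"{group}: {proto}/{ports} {desc} is open to 0.0.0.0/0{hint}")
```

Run against the tables above it reports ten rules, among them the SMC web/API ports 8080, 8082 and 8085 and the NGFW-to-SMC contact ports 3020, 3021 and 8906; for 3021 it points out that SMC-LOG already scopes the same port to 172.16.0.11. Within a private subnet those rules are only reachable from peered or routed networks, but keeping management sources to the hosts that actually need them is cheap and makes the tables above easier to audit later.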
1.3 / EC2 Instance creation

1.3.1 / SMC Instance

For the SMC, you can configure it like this:

- AMI: ami-0aef57767f5404a3c (Ubuntu 20.04)
- Instance Type: t3.xlarge minimum (16GB memory if you activate the Web Interface; the Web Interface consumes 2GB per connected user)
- Subnet: Private-Subnet
- IP Address: 172.16.0.10
- Disk Size: 50GB
- Security Group: SMC-Global-Rules | SMC-NGFW | SMC-LOG

1.3.2 / Logs Instance

- AMI: ami-0aef57767f5404a3c (Ubuntu 20.04)
- Instance Type: m5.xlarge minimum
- Subnet: Private-Subnet
- IP Address: 172.16.0.11
- Disk Size: 50GB
- Security Group: Log-Global-Rules | Log-SMC | Log-NGFW

1.3.3 / NGFW Instance

1.3.3.1 / Public Interface creation

Before creating the instance, we'll create a Network Interface and assign an Elastic IP to this interface.
In Network Interfaces, click on "Create network interface":

- Description: Public-Int-NGFW
- Subnet: 172.16.1.0/24
- Private IPv4 Address: Custom
- IPv4 Address: 172.16.1.254
- Security Group: NGFW-SMC | NGFW-Global-Rules | SMC-Global-Rules | SMC-NGFW

Now, please note the Interface ID and go to "Elastic IPs".

Click on "Allocate Elastic IP Address". Click on the created EIP, click on Actions, then "Associate Elastic IP Address":

- Resource Type: Network Interface
- Network Interface: your ENI ID

Then click on "Associate".

1.3.3.2 / NGFW Instance creation

- AMI: ami-0f1ffa2bb09d7800c (Forcepoint NGFW BYOL)
- Instance Type: m5.large minimum
- Subnets: you have to assign both:
  - Subnet1: Public-Subnet, Network Interface: choose the previously created ENI
  - Subnet2: Private-Subnet, IP Address: 172.16.0.254
- Disk Size: 50GB
- Security Group: NGFW-SMC | NGFW-Global-Rules | SMC-Global-Rules | SMC-NGFW

1.3.4 / Jump Server

- AMI: ami-0aef57767f5404a3c (Ubuntu 20.04)
- Instance Type: t2.micro
- Subnet: Public-Subnet
- IP Address: DHCP, and check the box "Public IP"
- Disk Size: 10GB
- Security Group: default (SSH only)
We did it :) All prerequisites are done! It was the biggest part of the job :).
You can now jump to the next Howto : Deploy the SMC on AWS | Part II , you’ll learn