Forcepoint : Deploy the SMC on AWS | Part I

How to deploy Forcepoint SMC (Security Management Center) on AWS ? This is a good question. You’ve some document on forcepoint website, but it only explain how to install the SMC. In this howto, you’ll learn how to deploy a SMC behind a Forcepoint Firewall on a new AWS environnement.
From my point of view, the best practice is to deploy the SMC on a dedicated AWS account (or on the Network account if already exist), with a dedicated VPC & dedicated subnets.

This is the final design of the SMC implementation on AWS. We have :

• 1 EC2 Instance which host the SMC located on the private subnet.
• 1 EC2 Instance which host the Forcepoint NGFW Firewall located on both subnets, the private subnet and the public subnet.
• 1 Elastic IP (EIP) linked to the NGFW public subnet interface.
• I didn’t design it but we’ll have to change the route table.

1 / Prerequisites

To follow this howto you’ll need :

• a VPC with public and private subnets (NAT)
• Security Groups
• 1 EC2 Instance for the Management server (SMC) on private subnet.
  • t3.xlarge mini
• 1 EC2 Instance for the Log Server, on private subnet
  • m5.xlarge with additional HDD for logs
• 1 EC2 Instance for the NGFW, on private subnet
  • m5.large
• 1 EC2 Instance as “Jump server” on public subnet with a public IP
• 1 Network adapter on public subnet linked to the NGFW
• 1 EIP linked to the network adapter on public subnet

1.1/ VPC with Public & Private Subnet

We’ll create our subnets following the AWS recommendations :

• Create a VPC : 172.16.0.0/16

• Create your private subnet : 172.16.0.0/24
• Create your public subnet : 172.16.1.0/24

• Create a NAT Gateway attached to the public Subnet :

• Create an Internet Gateway :

• Create the private subnet routing table :
  • add the default route 0.0.0.0/0 pointing to your NAT Gateway
  • Go to Subnet Associations to link the route table to your private subnet

• Create the public subnet routing table :
  • add the default route 0.0.0.0/0 pointing to your Internet Gateway
  • Go to Subnet Associations to link the route table to your public subnet

:) Well done ! Your Network is ready to welcome your EC2 Instances

1.2 / Security Groups

Before creating the instances, we’ll create all the security groups.

It’s a big mess and I tried to simplify your life. You can find the default communication ports on Forcepoint Website

1.2.1 / Forcepoint NGFW Security Groups

• First NGFW Security group : NGFW-SMC
• Inbound Rules :

• Outbound Rules :

• Second NGFW Security Group : NGFW-Global-Rules
• Inbound Rules :

• Outbound Rules :

1.2.2 / SMC Security Groups

• SMC Security group : SMC-Global-Rules
• Inbound Rules :

• Outbount Rules :

• SMC security group : SMC-NGFW
• Inbound Rules :

• Outbound Rules :

• SMC Security Group : SMC-LOG
• Inbound Rules :

• Outbound Rules :

1.2.3 / Log Security Groups

• Log Server Security group : Log-Global-Rules
• Inbound Rules :

• Outbound Rules :

• Log Server Security group : Log-SMC
• Inbound Rules :

• Outbound Rules :

• Log Server Security Group : Log-NGFW
• Inbound rules :

• Outbound Rules :

1.3 / EC2 Instances creations

1.3.1 / SMC Instance

For the SMC, you can configure it like that :

• AMI : ami-0aef57767f5404a3c (Ubuntu 20.04)
• Instance Type : t3.xlarge minimum (16GB memory if you activate the Web Interface)
  • Web Interface consume 2GB / connected user
• Subnet : Private-Subnet
• IP Address : 172.16.0.10
• Disk Size : 50GB
• Security Group : SMC-Global-Rules | SMC-NGFW | SMC-LOG

1.3.2 / Logs Instance

• AMI : ami-0aef57767f5404a3c (Ubuntu 20.04)
• Instance Type : m5.xlarge minimum
• Subnet : Private-Subnet
• IP Address : 172.16.0.11
• Disk Size : 50GB
• Security Group : Log-Global-Rules | Log-SMC | Log-NGFW

1.3.3 / NGFW Instance

1.3.3.1 / Public Interface creation

Before creating the instance, we’ll create a Network Interface, and assign an Elastic IP to this interface.

• In Network Interfaces, click on “Create network interfaces“
• Description : Public-Int-NGFW
• Subnet : 172.16.1.0/24
• Private IPv4 Address : Custom
• IPv4 Address : 172.16.1.254
• Security Group : NGFW–SMC | NGFW-Global-Rules | SMC-Global-Rules | SMC-NGFW

Now, please note the Interface ID and go to ‘Elastic IPs’

• Click on “Allocate Elastic IP Address“
• Click On created EIP,
• Click on Action, then “Associate Elastic IP Address“
• Resource Type : Network Interface
• Network Interface : Your ENI ID
• Then click on “Associate”

1.3.3.2 / NGFW Instance creation

• AMI : ami-0f1ffa2bb09d7800c (Forcepoint NGFW BYOL)
• Instance Type : m5.large minimum
• For subnet, you’ve to assign both :
  • Subnet1 : Public-Subnet
  • Network Interface : Choose the previously created ENI
  • Subnet2 : Private-Subnet
  • IP Address : 172.16.0.254
• Disk Size : 50GB
• Security Group : NGFW–SMC | NGFW-Global-Rules | SMC-Global-Rules | SMC-NGFW

1.3.4 / Jump Server

• AMI : ami-0aef57767f5404a3c (Ubuntu 20.04)
• Instance Type : t2.micro
• Subnet : Public-Subnet
• IP Address : DHCP + Check the box “Public IP”
• Disk Size : 10GB
• Security Group : default (SSH only)

We did it :) All prerequisites are done !! It was the biggest part of the job :).

You can now jump to the next Howto : Deploy the SMC on AWS | Part II, you’ll learn