
Forcepoint : Deploy the SMC on AWS | Part III

In the first howto, Forcepoint : Deploy the SMC on AWS | Part I, we implemented all the prerequisites; in the second one, Forcepoint : Deploy the SMC on AWS | Part II, we installed all the components. Now we'll configure the firewall and create the rule base to get the SMC working on AWS.

3 / Configuration

3.1 / Access the SMC

Everything is installed. So now, how do we access the SMC from the internet ? With a SOCKS proxy !

Open PuTTY, enter the public IP address of your jump server, add the .ppk private key, then go to Connection > SSH > Tunnels and add a dynamic tunnel on source port 1080.

In Firefox, go to Settings, “Network Settings”, and add a SOCKS proxy pointing at localhost, port 1080 :

You can now reach the SMC :

Verify everything is UP & Running :

3.2 / NGFW Creation on the SMC

Create a new single firewall :

  • Click on the + Button, in the NGFW Engines panel
  • Click on Firewall
  • Then Single Firewall

Specify a name :

And go to Interfaces :

  • Click on the Add button
  • Add a Layer 3 Physical Interface
  • In Comment, specify “Internet”
  • Click OK
  • Then, right-click on the interface
  • “New” & “IPv4 Address”
  • Select Dynamic (AWS delivers the IP)
  • Leave the box “Automatic Default Route” checked

Then we do the same for the Private-Subnet interface, but uncheck the box “Automatic Default Route” (only the Internet interface should provide the default route).

Save the Firewall configuration

3.3 / Policy Package

We have to create a policy package, go to :

  • Configuration
  • then “NGFW”, “Policies”, “Firewall Policies”
  • Right-click on “Firewall Template”
  • “New” and “Firewall Policy”

Enter the name you want

We'll create the needed rules directly. Just recreate the same rules we defined earlier in the AWS security group :

Rule ID 5.1 :

  • Just a rule with a “continue” action, to configure the logging options for all following rules.

Rule ID 5.2 :

  • This rule is to permit external hosts to contact the SMC through the Firewall (NAT)
  • I created the object AWSFW-PUB with the IP 172.16.1.254 (Public IP) because it’s not possible to select the Firewall object (due to DHCP ?)
  • I added all ports needed

Rule ID 5.3 :

  • This rule is to let AWSFW-PUB contact the Management & the Logserver

Rule ID 5.4 :

  • This rule is to let my selected object communicate with any host, with the selected services
  • There is also a NAT rule to add.

Rule ID 5.5 :

  • This rule is to let the management server contact the NGFW
  • We create a NAT Rule to contact external NGFW

Don't forget to create the IPv4 NAT rules :

Rule ID 2.1 :

  • Allow all external hosts to contact the SMC through the public NGFW IP

Rule ID 2.2 :

  • Allow the Management server to contact any host, with the selected service. The traffic is natted to NGFW Public IP

Rule ID 2.3 :

  • Allow the Log Server & Management Server to communicate over HTTP / HTTPS & ICMP.

Now, We’ll jump back to the Home page.

On the NGFW Engines panel, click on Initial Config, under your firewall

  • Initial Security Policy, choose the policy you just created
  • Time Zone : Select yours
  • Keyboard : Select your format
  • You can enable SSH Daemon

Then, click on “View details” to copy the One Time Password :

3.4 / NGFW Firewall Setup

From the Jump Server, connect to the firewall over SSH :

And start the config script :

Follow the installation process :

  • Update the timezone
  • Change the hostname
  • Change the root password

On the next screen, just check that your two Ethernet interfaces are present and up :

Then, last screen :

  • Leave DHCP enabled because AWS distributes the IPs
  • Contact Management server : choose “Contact”
  • IP Address : 172.16.0.10
  • One-Time Password : Paste yours
  • Never contact installation server : uncheck the box

Choose finish and the script will do the rest :

3.5 / Policy Upload

Go back to the SMC Homepage, you should see your firewall. Click on the “Upload policy” button :

Select your firewall & your policy, and click OK :

We are almost done ! Everything is well configured: the Firewall communicates with the SMC & the Log Server :

:) One step left :

3.6 / Change the AWS routing

Now we have everything up & running, only one step left : change the AWS routing.

Go back to your AWS account, in the VPC service, Route Tables, and edit your private route table. Remember that you configured the default route (0.0.0.0/0) to go to your NAT Gateway. We'll change it to go through the Firewall's private NIC instead :

3.7 / Source / Dest check

By default, AWS drops traffic that is not addressed to or sent from the instance's own addresses (the source/destination check). You have to go to the console to deactivate this option so that our Firewall can act as a router.

Go to EC2, Instances, select your Instance, click on Actions, Networking & Change Source/Destination Check

Then, click on the Stop button
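The same two changes (steps 3.6 and 3.7) done with boto3 instead of the console, as an added example that is not part of the original post. The functions take the EC2 client as a parameter and verify the change after applying it; the instance, route table and ENI identifiers are placeholders you replace with your own.

```python
"""Point the private subnet's default route at the NGFW and disable its
source/destination check, then read both back to confirm the change.
Added example; IDs used here are placeholders, not from the original post."""

DEFAULT_ROUTE = "0.0.0.0/0"


def disable_source_dest_check(ec2, instance_id):
    """Step 3.7: let the NGFW instance forward packets it did not originate.
    Returns True once AWS reports the check as disabled."""
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  SourceDestCheck={"Value": False})
    attr = ec2.describe_instance_attribute(InstanceId=instance_id,
                                           Attribute="sourceDestCheck")
    return attr["SourceDestCheck"]["Value"] is False


def default_route_target(ec2, route_table_id):
    """Return the ENI or NAT gateway currently serving 0.0.0.0/0, or None."""
    tables = ec2.describe_route_tables(RouteTableIds=[route_table_id])
    for route in tables["RouteTables"][0]["Routes"]:
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("NetworkInterfaceId") or route.get("NatGatewayId")
    return None


def route_default_via_firewall(ec2, route_table_id, firewall_private_eni):
    """Step 3.6: replace the 0.0.0.0/0 route (previously the NAT gateway)
    with the firewall's private-subnet ENI. Returns True if the route table
    now points at that ENI."""
    ec2.replace_route(RouteTableId=route_table_id,
                      DestinationCidrBlock=DEFAULT_ROUTE,
                      NetworkInterfaceId=firewall_private_eni)
    return default_route_target(ec2, route_table_id) == firewall_private_eni


if __name__ == "__main__":
    import boto3  # only needed when running against a real AWS account
    ec2 = boto3.client("ec2", region_name="eu-west-1")  # placeholder region
    # Placeholder IDs: replace with your NGFW instance, route table and ENI.
    print("source/dest check disabled:",
          disable_source_dest_check(ec2, "i-PLACEHOLDER"))
    print("default route via firewall:",
          route_default_via_firewall(ec2, "rtb-PLACEHOLDER", "eni-PLACEHOLDER"))
```

Run it with credentials that can modify the instance attribute and the route table; if the firewall's private ENI is not in the same VPC as the route table, `replace_route` will fail rather than leave a half-applied change.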

Conclusion

You did it ! There was a lot to do to get our SMC running on AWS. The SMC can now contact our firewalls connected to the internet, and the SMC can also be contacted over the internet, with everything passing through the NGFW firewall.

About Alexandre Nogard
