In the first howto, Forcepoint : Deploy the SMC on AWS | Part I, we implemented all the prerequisites; in the second one, Forcepoint : Deploy the SMC on AWS | Part II, we installed all the components. Now we'll configure the firewall and create the rule base to get the SMC working on AWS.

3 / Configuration
3.1 / Access the SMC
Everything is installed. So now, how do we access the SMC from the internet? With a SOCKS proxy!
Open PuTTY, enter the public IP address of your jump server, add the .ppk private key, then go to Tunnels and add a dynamic tunnel on source port 1080.
In Firefox, go to the settings, “Network Settings”, and add a SOCKS proxy pointing at localhost on port 1080:

You can now reach the SMC :

Verify everything is UP & Running :
3.2 / NGFW Creation on the SMC
Create a new single firewall :
- Click on the + Button, in the NGFW Engines panel
- Click on Firewall
- Then Single Firewall

Specify a name :
And go to Interfaces :
- Click on the Add button
- Add a Layer 3 Physical Interface
- In Comment, specify “Internet”
- Click OK
- Then, right-click on the interface
- “New” & “IPv4 Address”

- Select Dynamic (AWS delivers the IP)
- Leave the box “Automatic Default Route” checked
Then we do the same for the Private-Subnet interface, but uncheck the box “Automatic Default Route”

Save the Firewall configuration
3.3 / Policy Package
We have to create a policy package. Go to:
- Configuration
- then “NGFW”, “Policies”, “Firewall Policies”
- Right-click on “Firewall Template”
- “New” and “Firewall Policy”
Enter the name you want.
We'll create the needed rules directly. Just recreate the same rules you created with the security group:

Rule ID 5.1 :
- Just a rule with a “Continue” action, to configure the logging options for all the following rules.
Rule ID 5.2 :
- This rule permits external hosts to contact the SMC through the firewall (NAT).
- I created the object AWSFW-PUB with the IP 172.16.1.254 (public IP) because it's not possible to select the Firewall object (due to DHCP?).
- I added all the needed ports.
Rule ID 5.3 :
- This rule lets AWSFW-PUB contact the Management Server & the Log Server.
Rule ID 5.4 :
- This rule lets my selected object communicate with any host, with the selected services.
- There is also a NAT rule to add.
Rule ID 5.5 :
- This rule lets the Management Server contact the NGFW.
- We create a NAT rule to reach the external NGFW.
Don't forget to create the IPv4 NAT rules:

Rule ID 2.1 :
- Allow all external hosts to contact the SMC through the public NGFW IP.
Rule ID 2.2 :
- Allow the Management Server to contact any host, with the selected service. The traffic is NATed to the NGFW public IP.
Rule ID 2.3 :
- Allow the Log Server & Management Server to communicate over HTTP / HTTPS & ICMP.
Now we'll jump back to the Home page.
On the NGFW Engines panel, click on Initial Configuration under your firewall:
- Initial Security Policy, choose the policy you just created
- Time Zone : Select yours
- Keyboard : Select your format
- You can enable SSH Daemon
Then, click on “View details” to copy the One Time Password :

3.4 / NGFW Firewall Setup
From the jump server, connect to the firewall:
ssh -i digital.pem aws@172.16.1.254
And start the config script :
sudo sg-reconfigure
Follow the installation process :
- Update the timezone
- Change the hostname
- Change the root password
On the next screen, just check that you have your 2 Ethernet interfaces and that they are up:
Then, on the last screen:
- Leave DHCP because AWS distributes the IPs
- Contact Management server : choose “Contact”
- IP Address : 172.16.0.10
- One-Time Password : Paste yours
- Never contact installation server : uncheck the box

Choose finish and the script will do the rest :

3.5 / Policy Upload
Go back to the SMC Homepage, you should see your firewall. Click on the “Upload policy” button :

Select your firewall & your policy, and click OK :

We are almost done! Everything is configured; the firewall communicates with the SMC & the Log Server:
:) One step left :
3.6 / Change the AWS routing
Now that we have everything up & running, only one step is left: change the AWS routing.
Go back to your AWS account, in the VPC service, Route Tables, and edit your private route table. Remember that you configured the default route to go to your NAT Gateway. We'll change it to go through the firewall's private NIC (network interface):

3.7 / Source / Dest check
By default, AWS drops traffic that an instance forwards on behalf of other machines (the source/destination check). You have to disable this option in the console to allow our firewall to become a router.
Go to EC2, Instances, select your instance, click on Actions, Networking & Change Source/Destination Check:

Then, click on the Stop button
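A small offline pre-flight check for steps 3.6 and 3.7, added here as an example (it is not from the original post, nor from Forcepoint or AWS): it inspects dicts shaped like the EC2 describe-route-tables and describe-instance-attribute responses and reports what is still wrong. The ENI, instance and NAT gateway ids and the VPC CIDR in the samples are constructed placeholders.

```python
"""Pre-flight check for steps 3.6 / 3.7: the private route table's default route
must point at the firewall's private ENI (not the NAT Gateway), the route must be
active, and source/destination checking must be disabled on the firewall instance.
Inputs mimic the shape of the EC2 API responses; sample values are constructed."""

DEFAULT_ROUTE = "0.0.0.0/0"


def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table dict, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route
    return None


def check_firewall_routing(route_table, instance_attr, firewall_eni):
    """Return a list of findings; an empty list means the private subnet is routed
    through the firewall and the firewall instance is allowed to forward traffic."""
    findings = []
    route = default_route(route_table)
    if route is None:
        findings.append("no default route in private route table")
    else:
        if route.get("NetworkInterfaceId") != firewall_eni:
            target = (route.get("NetworkInterfaceId") or route.get("NatGatewayId")
                      or route.get("GatewayId", "unknown"))
            findings.append(f"default route targets {target}, expected firewall ENI {firewall_eni}")
        if route.get("State") != "active":
            # A 'blackhole' state means the target ENI no longer exists.
            findings.append(f"default route state is {route.get('State')!r}, expected 'active'")
    # describe-instance-attribute --attribute sourceDestCheck shape: {"SourceDestCheck": {"Value": bool}}
    if instance_attr.get("SourceDestCheck", {}).get("Value", True):
        findings.append("source/destination check still enabled on the firewall instance")
    return findings


# Constructed samples: the state before steps 3.6 / 3.7 and the state after.
LOCAL = {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"}
BEFORE_RT = {"RouteTableId": "rtb-private", "Routes": [LOCAL,
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]}
AFTER_RT = {"RouteTableId": "rtb-private", "Routes": [LOCAL,
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fwprivate", "State": "active"}]}
BEFORE_ATTR = {"InstanceId": "i-0firewall", "SourceDestCheck": {"Value": True}}
AFTER_ATTR = {"InstanceId": "i-0firewall", "SourceDestCheck": {"Value": False}}

if __name__ == "__main__":
    for label, rt, attr in (("before", BEFORE_RT, BEFORE_ATTR), ("after", AFTER_RT, AFTER_ATTR)):
        print(label, check_firewall_routing(rt, attr, "eni-fwprivate") or ["OK"])
```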

Conclusion
You did it! There was a lot to do to get our SMC running on AWS. The SMC can now contact our firewalls connected to the internet, and the SMC can also be reached over the internet, in a completely secure way, because everything goes through the NGFW firewall.