From 87f8982f1e2bd743caec90bc1ee68f5cfb969367 Mon Sep 17 00:00:00 2001 From: dmitrytc Date: Fri, 23 Jan 2026 00:29:17 +0000 Subject: [PATCH 1/2] feat(VSECPC-12867): Add TCP timeout --- aws/templates/gwlb-asg/gwlb.yaml | 3 +++ aws/templates/gwlb-asg/qs-gwlb.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/aws/templates/gwlb-asg/gwlb.yaml b/aws/templates/gwlb-asg/gwlb.yaml index e75f5fc3..4b411149 100644 --- a/aws/templates/gwlb-asg/gwlb.yaml +++ b/aws/templates/gwlb-asg/gwlb.yaml @@ -779,6 +779,9 @@ Resources: Listener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: + ListenerAttributes: + - Key: tcp.idle_timeout.seconds + Value: 3600 DefaultActions: - Type: forward TargetGroupArn: !Ref TargetGroup diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml index a97bfef0..bfcf3c20 100644 --- a/aws/templates/gwlb-asg/qs-gwlb.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml @@ -947,6 +947,9 @@ Resources: Listener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: + ListenerAttributes: + - Key: tcp.idle_timeout.seconds + Value: 3600 DefaultActions: - Type: forward TargetGroupArn: !Ref TargetGroup From 824170f50dcfdbbe8204900c7a88d94d2c3f3179 Mon Sep 17 00:00:00 2001 From: michaeltz Date: Sun, 25 Jan 2026 16:04:02 +0000 Subject: [PATCH 2/2] AWS Templates | Reorganized parameters sections --- aws/templates/asg/autoscale-master.yaml | 64 ++--- aws/templates/asg/autoscale.yaml | 66 ++--- aws/templates/cluster/cluster-master.yaml | 42 ++- aws/templates/cluster/cluster.yaml | 49 ++-- .../cross-az-cluster-master.yaml | 42 ++- .../cross-az-cluster/cross-az-cluster.yaml | 47 ++-- aws/templates/general/amis.yaml | 2 +- aws/templates/general/cme-iam-role.yaml | 6 +- .../geo-cluster/geo-cluster-master.yaml | 50 ++-- aws/templates/geo-cluster/geo-cluster.yaml | 53 ++-- aws/templates/gwlb-asg/gwlb-master.yaml | 250 ++++++++++++------ aws/templates/gwlb-asg/gwlb.yaml | 246 ++++++++++++----- aws/templates/gwlb-asg/qs-gwlb-master.yaml | 144 +++++----- aws/templates/gwlb-asg/qs-gwlb.yaml | 142 +++++----- aws/templates/gwlb-asg/tgw-gwlb-master.yaml | 122 +++++---- aws/templates/gwlb-asg/tgw-gwlb.yaml | 128 +++++---- .../management/management-master.yaml | 48 ++-- aws/templates/management/management.yaml | 49 ++-- aws/templates/mds/mds-master.yaml | 214 ++++----------- aws/templates/mds/mds.yaml | 69 +++-- aws/templates/single-gw/gateway-master.yaml | 40 ++- aws/templates/single-gw/gateway.yaml | 42 ++- .../standalone/standalone-master.yaml | 40 ++- aws/templates/standalone/standalone.yaml | 38 ++- aws/templates/tgw-asg/tgw-asg-master.yaml | 122 +++++---- aws/templates/tgw-asg/tgw-asg.yaml | 118 +++++---- .../tgw-cross-az-cluster-master.yaml | 44 ++- .../tgw-cross-az-cluster.yaml | 43 ++- aws/templates/tgw-ha/tgw-ha-master.yaml | 48 ++-- aws/templates/tgw-ha/tgw-ha.yaml | 49 ++-- 30 files changed, 1257 insertions(+), 1160 deletions(-) diff --git a/aws/templates/asg/autoscale-master.yaml b/aws/templates/asg/autoscale-master.yaml index 602403cf..6cbbf1ce 100755 --- a/aws/templates/asg/autoscale-master.yaml +++ b/aws/templates/asg/autoscale-master.yaml @@ -1,15 +1,25 @@ AWSTemplateFormatVersion: 2010-09-09 Description: | - Create an Auto Scaling group of Check Point gateways into a new VPC (20250821) + Create an Auto Scaling group of Check Point gateways into a new VPC (20260101) See CloudGuard Network for AWS Auto Scale Group deployment guide for detailed deployment and configuration steps. Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - AvailabilityZones - NumberOfAZs + - Label: + default: Advanced Settings + Parameters: - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR @@ -19,45 +29,26 @@ Metadata: - PrivateSubnet2CIDR - PrivateSubnet3CIDR - PrivateSubnet4CIDR - - Label: - default: EC2 Instances Configuration - Parameters: - AutoScaleGroupName - GatewayName - - GatewayInstanceType - - KeyName - VolumeSize - VolumeType - EnableVolumeEncryption - EnableInstanceConnect - MetaDataToken - - Label: - default: Auto Scaling Configuration - Parameters: + - AdminEmail + - Shell - GatewaysMinSize - GatewaysMaxSize - - AdminEmail - GatewaysTargetGroups - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - AllowUploadDownload - CloudWatch - GatewayBootstrapScript - - Label: - default: Automatic Provisioning with Security Management Server Settings - Parameters: - ControlGatewayOverPrivateOrPublicAddress - ManagementServer - ConfigurationTemplate - - Label: - default: Proxy Configuration (optional) - Parameters: - ELBType - ELBPort - ELBClients @@ -87,7 +78,7 @@ Metadata: GatewayName: default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type KeyName: default: Key name VolumeSize: @@ -101,21 +92,21 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewaysMinSize: - default: Minimum Gateway group size + default: Minimum Gateways group size GatewaysMaxSize: - default: Maximum Gateway group size + default: Maximum Gateways group size AdminEmail: default: Email address GatewaysTargetGroups: - default: Gateways target groups + default: Gateways Target Groups GatewayVersion: - default: Gateways version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Gateways Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: default: Gateways SIC key AllowUploadDownload: @@ -125,17 +116,17 @@ Metadata: GatewayBootstrapScript: default: Gateways bootstrap script ControlGatewayOverPrivateOrPublicAddress: - default: Gateways addresses + default: Management Server Settings - Gateways addresses ManagementServer: - default: Management Server + default: Management Server Settings - Management Name ConfigurationTemplate: - default: Configuration template + default: Management Server Settings - Configuration template ELBType: - default: Proxy type + default: Proxy Settings - Proxy type ELBPort: - default: Proxy port + default: Proxy Settings - Proxy port ELBClients: - default: Allowed proxy clients + default: Proxy Settings - Allowed proxy clients AutoScaleGroupName: default: Auto Scale Group name Parameters: @@ -433,7 +424,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instances. @@ -495,7 +485,7 @@ Parameters: Default: '' GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP diff --git a/aws/templates/asg/autoscale.yaml b/aws/templates/asg/autoscale.yaml index 4b10c009..e7f3c2ee 100644 --- a/aws/templates/asg/autoscale.yaml +++ b/aws/templates/asg/autoscale.yaml @@ -1,52 +1,43 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Create an Auto Scaling group of Check Point gateways into an existing VPC (20241027) +Description: Create an Auto Scaling group of Check Point gateways into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - GatewaysSubnets - Label: - default: EC2 Instances Configuration + default: Advanced Settings Parameters: - GatewayName - - GatewayInstanceType - - KeyName - VolumeSize - VolumeType - EnableVolumeEncryption - EnableInstanceConnect - MetaDataToken - - Label: - default: Auto Scaling Configuration - Parameters: - AutoScaleGroupName + - Shell - GatewaysMinSize - GatewaysMaxSize - - AdminEmail - GatewaysTargetGroups - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - AllowUploadDownload + - AdminEmail - CloudWatch + - AllowUploadDownload - GatewayBootstrapScript - - Label: - default: Automatic Provisioning with Security Management Server Settings - Parameters: - ControlGatewayOverPrivateOrPublicAddress - ManagementServer - ConfigurationTemplate - - Label: - default: Proxy Configuration (optional) - Parameters: - ELBType - ELBPort - ELBClients @@ -58,7 +49,7 @@ Metadata: GatewayName: default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type KeyName: default: Key name VolumeSize: @@ -72,21 +63,21 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewaysMinSize: - default: Minimum Gateway group size + default: Minimum Gateways group size GatewaysMaxSize: - default: Maximum Gateway group size + default: Maximum Gateways group size AdminEmail: default: Email address GatewaysTargetGroups: - default: Gateways target groups + default: Gateways Target groups GatewayVersion: - default: Gateways version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Gateways Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: default: Gateways SIC key AllowUploadDownload: @@ -96,17 +87,17 @@ Metadata: GatewayBootstrapScript: default: Gateways bootstrap script ControlGatewayOverPrivateOrPublicAddress: - default: Gateways addresses + default: Management Server Settings - Gateways addresses ManagementServer: - default: Management Server + default: Management Server Settings - Server ConfigurationTemplate: - default: Configuration template + default: Management Server Settings - Configuration template ELBType: - default: Proxy type + default: Proxy Settings - Proxy type ELBPort: - default: Proxy port + default: Proxy Settings - Proxy port ELBClients: - default: Allowed proxy clients + default: Proxy Settings - Allowed proxy clients AutoScaleGroupName: default: Auto Scale Group name Parameters: @@ -346,7 +337,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instances. @@ -408,7 +398,7 @@ Parameters: Default: '' GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP @@ -509,6 +499,7 @@ Parameters: Type: String Default: "" MaxLength: 100 + Conditions: ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] @@ -671,7 +662,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version GatewayScaleUpPolicy: Type: AWS::AutoScaling::ScalingPolicy @@ -738,3 +729,4 @@ Outputs: SecurityGroup: Description: The Security Group of the Auto Scaling group. Value: !GetAtt PermissiveSecurityGroup.GroupId + diff --git a/aws/templates/cluster/cluster-master.yaml b/aws/templates/cluster/cluster-master.yaml index 0ce63016..405ff177 100755 --- a/aws/templates/cluster/cluster-master.yaml +++ b/aws/templates/cluster/cluster-master.yaml @@ -1,21 +1,23 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point Cluster in a new VPC (20241027) +Description: Deploy a Check Point Cluster in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings Parameters: - AvailabilityZone + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: Advanced Settings + Parameters: - VPCCIDR - PublicSubnetCIDR - PrivateSubnetCIDR - - Label: - default: EC2 Instance Configuration - Parameters: - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -24,22 +26,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -57,9 +48,9 @@ Metadata: PrivateSubnetCIDR: default: Private subnet CIDR GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -79,15 +70,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -95,7 +86,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -357,7 +348,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -412,7 +402,7 @@ Parameters: - false GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP diff --git a/aws/templates/cluster/cluster.yaml b/aws/templates/cluster/cluster.yaml index da80d7f5..7c49a541 100755 --- a/aws/templates/cluster/cluster.yaml +++ b/aws/templates/cluster/cluster.yaml @@ -1,21 +1,26 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Cluster into an existing VPC (20241027) +Description: Deploys a Check Point Cluster into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - PublicSubnet - PrivateSubnet - - InternalRouteTable - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: + - InternalRouteTable - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -24,22 +29,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -57,9 +51,9 @@ Metadata: InternalRouteTable: default: Internal route table GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -79,15 +73,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -95,7 +89,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -120,7 +114,7 @@ Parameters: Type: AWS::EC2::Subnet::Id MinLength: 1 InternalRouteTable: - Description: The route table id in which to set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the route table. (optional) + Description: The route table ID in which to set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the route table. (optional) Type: String Default: '' GatewayName: @@ -351,7 +345,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -407,7 +400,7 @@ Parameters: - false GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP @@ -726,7 +719,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version MemberBGatewayLaunchTemplate: Type: AWS::EC2::LaunchTemplate @@ -769,7 +762,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230923\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version ClusterPublicAddress: Type: AWS::EC2::EIP diff --git a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml index fe52e4d1..02b63b6f 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml @@ -1,23 +1,25 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point Cluster in a new VPC (20241027) +Description: Deploy a Check Point Cluster in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings Parameters: - AvailabilityZones + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: Advanced Settings + Parameters: - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - - Label: - default: EC2 Instance Configuration - Parameters: - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeEncryption @@ -25,22 +27,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -62,9 +53,9 @@ Metadata: PrivateSubnet2CIDR: default: Private subnet 2 CIDR GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -82,15 +73,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -98,7 +89,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -372,7 +363,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -420,7 +410,7 @@ Parameters: - false GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP diff --git a/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/aws/templates/cross-az-cluster/cross-az-cluster.yaml index 9627f4f3..6eed8a92 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster.yaml @@ -1,23 +1,28 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Cluster into an existing VPC (20241027) +Description: Deploys a Check Point Cluster into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - PublicSubnetA - PublicSubnetB - PrivateSubnetA - PrivateSubnetB - - InternalRouteTable - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: + - InternalRouteTable - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -26,22 +31,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -63,9 +57,9 @@ Metadata: InternalRouteTable: default: Internal route table GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Security Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -85,15 +79,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -101,7 +95,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -369,7 +363,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -425,7 +418,7 @@ Parameters: - false GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP @@ -785,7 +778,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version MemberBGatewayLaunchTemplate: Type: AWS::EC2::LaunchTemplate @@ -832,7 +825,7 @@ Resources: - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version Outputs: ClusterPublicAddress: diff --git a/aws/templates/general/amis.yaml b/aws/templates/general/amis.yaml index bd3bd833..46e58ac8 100644 --- a/aws/templates/general/amis.yaml +++ b/aws/templates/general/amis.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Returns a Check Point Amazon Machine ID (20211212) +Description: Returns a Check Point Amazon Machine ID (20260101) Parameters: Version: Description: Security Gateway or Management Server version diff --git a/aws/templates/general/cme-iam-role.yaml b/aws/templates/general/cme-iam-role.yaml index 45680af7..afcadeb8 100644 --- a/aws/templates/general/cme-iam-role.yaml +++ b/aws/templates/general/cme-iam-role.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Creates an IAM role for selected permissions (20240507) +Description: Creates an IAM role for selected permissions (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -8,7 +8,7 @@ Metadata: Parameters: - Permissions - Label: - default: Advanced Configuration (optional) + default: Advanced Settings (optional) Parameters: - STSRoles - TrustedAccount @@ -156,4 +156,4 @@ Outputs: Value: !GetAtt CMEIAMRole.Arn InstanceProfile: Description: The Instance Profile ARN. - Value: !GetAtt InstanceProfile.Arn \ No newline at end of file + Value: !GetAtt InstanceProfile.Arn diff --git a/aws/templates/geo-cluster/geo-cluster-master.yaml b/aws/templates/geo-cluster/geo-cluster-master.yaml index b61e4e16..28cf516c 100644 --- a/aws/templates/geo-cluster/geo-cluster-master.yaml +++ b/aws/templates/geo-cluster/geo-cluster-master.yaml @@ -1,23 +1,25 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point cross AZ Cluster in a new VPC (20241027) +Description: Deploy a Check Point cross AZ Cluster in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings Parameters: - AvailabilityZones + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: Advanced Settings + Parameters: + - GatewayName - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - - Label: - default: EC2 Instance Configuration - Parameters: - - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -26,22 +28,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -63,9 +54,9 @@ Metadata: PrivateSubnet2CIDR: default: Private subnet 2 CIDR GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -85,15 +76,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Gateways version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -101,7 +92,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -375,7 +366,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the Security Gateways. @@ -432,17 +422,11 @@ Parameters: GatewayVersion: Description: The license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R81.10-BYOL AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX - - R82-BYOL - - R82-PAYG-NGTP - - R82-PAYG-NGTX - - R82.10-BYOL - - R82.10-PAYG-NGTP - - R82.10-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/geo-cluster/geo-cluster.yaml b/aws/templates/geo-cluster/geo-cluster.yaml index 99a31e52..fd13361b 100644 --- a/aws/templates/geo-cluster/geo-cluster.yaml +++ b/aws/templates/geo-cluster/geo-cluster.yaml @@ -1,23 +1,27 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20241027) +Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - PublicSubnetA - PublicSubnetB - PrivateSubnetA - PrivateSubnetB - - InternalRouteTable - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -26,22 +30,12 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion + - InternalRouteTable - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -63,9 +57,9 @@ Metadata: InternalRouteTable: default: Internal route table GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -85,15 +79,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Gateways version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -101,7 +95,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -369,7 +363,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the Security Gateways. @@ -426,17 +419,11 @@ Parameters: GatewayVersion: Description: The license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R81.10-BYOL AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX - - R82-BYOL - - R82-PAYG-NGTP - - R82-PAYG-NGTX - - R82.10-BYOL - - R82.10-PAYG-NGTP - - R82.10-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String @@ -717,7 +704,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' MemberBGatewayLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: @@ -759,7 +746,7 @@ Resources: - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version MemberAPublicAddress: Type: AWS::EC2::EIP diff --git a/aws/templates/gwlb-asg/gwlb-master.yaml b/aws/templates/gwlb-asg/gwlb-master.yaml index 7f31fd88..44af66eb 100644 --- a/aws/templates/gwlb-asg/gwlb-master.yaml +++ b/aws/templates/gwlb-asg/gwlb-master.yaml @@ -1,23 +1,31 @@ AWSTemplateFormatVersion: 2010-09-09 Description: | - Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20250508). + Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20260101). Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - AdminCIDR + - GatewaysAddresses + - Label: + default: VPC Network Settings Parameters: - AvailabilityZones - NumberOfAZs + - Label: + default: Advanced Settings + Parameters: - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PublicSubnet3CIDR - PublicSubnet4CIDR - - Label: - default: General Settings - Parameters: - - KeyName - EnableVolumeEncryption - VolumeSize - VolumeType @@ -29,42 +37,28 @@ Metadata: - ConfigurationTemplate - AdminEmail - Shell - - Label: - default: Gateway Load Balancer Configuration - Parameters: - GWLBName - TargetGroupName - AcceptConnectionRequired - CrossZoneLoadBalancing - - Label: - default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration - Parameters: - AutoScaleGroupName - GatewayName - - GatewayInstanceType - GatewaysMinSize - GatewaysMaxSize - - GatewayVersion - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - ControlGatewayOverPrivateOrPublicAddress - IPMode - AllocatePublicAddress - CloudWatch - GatewayBootstrapScript - - Label: - default: Check Point CloudGuard IaaS Security Management Server Configuration - Parameters: - ManagementDeploy - ManagementInstanceType - ManagementVersion - ManagementPasswordHash - ManagementMaintenancePasswordHash - GatewaysPolicy - - AdminCIDR - GatewayManagement - - GatewaysAddresses ParameterLabels: AvailabilityZones: default: Availability Zones @@ -107,7 +101,7 @@ Metadata: Shell: default: Admin shell GWLBName: - default: Gateway Load Balancer Name + default: Gateways Load Balancer Name TargetGroupName: default: Target Group Name AcceptConnectionRequired: @@ -115,19 +109,19 @@ Metadata: CrossZoneLoadBalancing: default: Enable Cross Zone Load Balancing GatewayName: - default: Gateways instance name + default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type GatewaysMinSize: default: Minimum group size GatewaysMaxSize: default: Maximum group size GatewayVersion: - default: Gateways version & license + default: Gateways Version & License GatewayPasswordHash: default: Gateways Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: default: Gateways SIC key ControlGatewayOverPrivateOrPublicAddress: @@ -139,25 +133,25 @@ Metadata: GatewayBootstrapScript: default: Gateways bootstrap script ManagementDeploy: - default: Deploy Management Server + default: Management Server Settings - Deploy Management Server ManagementInstanceType: - default: Management instance type + default: Management Server Settings - Instance type ManagementVersion: - default: Management version & license + default: Management Server Settings - Version & License ManagementPasswordHash: - default: Management password hash + default: Management Server Settings - password hash ManagementMaintenancePasswordHash: - default: Management Maintenance Password hash + default: Management Server Settings - Maintenance Password hash GatewaysPolicy: - default: Security Policy + default: Management Server Settings - Security Policy AdminCIDR: - default: Administrator addresses + default: Management Server Settings - Allow SmartConsole connections from these networks GatewayManagement: - default: Manage Gateways + default: Management Server Settings - Manage Gateways GatewaysAddresses: - default: Gateways addresses + default: Management Server Settings - Gateways addresses AutoScaleGroupName: - default: Auto Scale Group name + default: Auto Scale Group Name Parameters: AvailabilityZones: Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. @@ -530,7 +524,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type GatewaysMinSize: Description: The minimal number of Security Gateways. @@ -545,7 +538,7 @@ Parameters: GatewayVersion: Description: The version and license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP @@ -589,7 +582,7 @@ Parameters: - true - false IPMode: - Description: Specifies the IP mode for inspection of traffic encapsulation in IPv4 Geneve headers. When set to DualStack, both IPv4 and IPv6 traffic are inspected. For supported versions and Jumbo Hotfix requirements, refer to the admin guide. + Description: Specifies the IP mode for inspection of traffic encapsulation in IPv4 Geneve headers. When set to DualStack, both IPv4 and IPv6 traffic are inspected. For supported versions and Jumbo Hotfix requirements, refer to the admin guide. Type: String AllowedValues: - IPv4 @@ -608,9 +601,9 @@ Parameters: Default: '' NoEcho: true ManagementDeploy: - Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the parameters below. Type: String - Default: true + Default: false AllowedValues: - true - false @@ -627,12 +620,6 @@ Parameters: - c5.12xlarge - c5.18xlarge - c5.24xlarge - - c5n.large - - c5n.xlarge - - c5n.2xlarge - - c5n.4xlarge - - c5n.9xlarge - - c5n.18xlarge - c5d.large - c5d.xlarge - c5d.2xlarge @@ -641,23 +628,12 @@ Parameters: - c5d.12xlarge - c5d.18xlarge - c5d.24xlarge - - m5.large - - m5.xlarge - - m5.2xlarge - - m5.4xlarge - - m5.8xlarge - - m5.12xlarge - - m5.16xlarge - - m5.24xlarge - - m6i.large - - m6i.xlarge - - m6i.2xlarge - - m6i.4xlarge - - m6i.8xlarge - - m6i.12xlarge - - m6i.16xlarge - - m6i.24xlarge - - m6i.32xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge - c6i.large - c6i.xlarge - c6i.2xlarge @@ -676,6 +652,104 @@ Parameters: - c6in.16xlarge - c6in.24xlarge - c6in.32xlarge + - c7a.large + - c7a.xlarge + - c7a.2xlarge + - c7a.4xlarge + - c7a.8xlarge + - c7a.12xlarge + - c7a.16xlarge + - c7a.24xlarge + - c7a.32xlarge + - c7a.48xlarge + - c7a.metal-48xl + - c7i.large + - c7i.xlarge + - c7i.2xlarge + - c7i.4xlarge + - c7i.8xlarge + - c7i.12xlarge + - c7i.16xlarge + - c7i.24xlarge + - c7i.32xlarge + - c7i.48xlarge + - c7i.metal-24xl + - c7i.metal-48xl + - c7i-flex.large + - c7i-flex.xlarge + - c7i-flex.2xlarge + - c7i-flex.4xlarge + - c7i-flex.8xlarge + - c7i-flex.12xlarge + - c7i-flex.16xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - m7a.large + - m7a.xlarge + - m7a.2xlarge + - m7a.4xlarge + - m7a.8xlarge + - m7a.12xlarge + - m7a.16xlarge + - m7a.24xlarge + - m7a.32xlarge + - m7a.48xlarge + - m7i.large + - m7i.xlarge + - m7i.2xlarge + - m7i.4xlarge + - m7i.8xlarge + - m7i.12xlarge + - m7i.16xlarge + - m7i.24xlarge + - m7i.48xlarge + - m7i.metal-24xl + - m7i.metal-48xl + - m8i.large + - m8i.xlarge + - m8i.2xlarge + - m8i.4xlarge + - m8i.8xlarge + - m8i.12xlarge + - m8i.16xlarge + - m8i.24xlarge + - m8i.32xlarge + - m8i.48xlarge + - m8i.96xlarge + - m8i.metal-48xl + - m8i.metal-96xl + - m8i-flex.large + - m8i-flex.xlarge + - m8i-flex.2xlarge + - m8i-flex.4xlarge + - m8i-flex.8xlarge + - m8i-flex.12xlarge + - m8i-flex.16xlarge - r5.large - r5.xlarge - r5.2xlarge @@ -708,6 +782,14 @@ Parameters: - r5n.12xlarge - r5n.16xlarge - r5n.24xlarge + - r6gd.large + - r6gd.xlarge + - r6gd.2xlarge + - r6gd.4xlarge + - r6gd.8xlarge + - r6gd.12xlarge + - r6gd.16xlarge + - r6gd.metal - r6i.large - r6i.xlarge - r6i.2xlarge @@ -717,21 +799,41 @@ Parameters: - r6i.16xlarge - r6i.24xlarge - r6i.32xlarge - - m6a.large - - m6a.xlarge - - m6a.2xlarge - - m6a.4xlarge - - m6a.8xlarge - - m6a.12xlarge - - m6a.16xlarge - - m6a.24xlarge - - m6a.32xlarge - - m6a.48xlarge + - r7a.xlarge + - r7a.2xlarge + - r7a.4xlarge + - r7a.8xlarge + - r7a.12xlarge + - r7a.16xlarge + - r7a.24xlarge + - r7a.32xlarge + - r7a.48xlarge + - r7i.large + - r7i.xlarge + - r7i.2xlarge + - r7i.4xlarge + - r7i.8xlarge + - r7i.12xlarge + - r7i.16xlarge + - r7i.24xlarge + - r7i.48xlarge + - r7i.metal-24xl + - r7i.metal-48xl + - r7iz.large + - r7iz.xlarge + - r7iz.2xlarge + - r7iz.4xlarge + - r7iz.8xlarge + - r7iz.12xlarge + - r7iz.16xlarge + - r7iz.32xlarge + - r7iz.metal-16xl + - r7iz.metal-32xl ConstraintDescription: Must be a valid EC2 instance type ManagementVersion: Description: The license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG diff --git a/aws/templates/gwlb-asg/gwlb.yaml b/aws/templates/gwlb-asg/gwlb.yaml index 4b411149..5be6d5f7 100644 --- a/aws/templates/gwlb-asg/gwlb.yaml +++ b/aws/templates/gwlb-asg/gwlb.yaml @@ -1,65 +1,59 @@ AWSTemplateFormatVersion: 2010-09-09 Description: | - Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20250508) + Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - AdminCIDR + - GatewaysAddresses + - Label: + default: VPC Network Settings Parameters: - VPC - GatewaysSubnets - Label: - default: General Settings + default: Advanced Settings Parameters: - - KeyName + - GWLBName - EnableVolumeEncryption + - IPMode + - AllocatePublicAddress - VolumeSize - VolumeType - EnableInstanceConnect - TerminationProtection - MetaDataToken - AllowUploadDownload + - AutoScaleGroupName - ManagementServer - ConfigurationTemplate - AdminEmail - Shell - - Label: - default: Gateway Load Balancer Configuration - Parameters: - - GWLBName - TargetGroupName - AcceptConnectionRequired - CrossZoneLoadBalancing - - Label: - default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration - Parameters: - - AutoScaleGroupName - GatewayName - - GatewayInstanceType - GatewaysMinSize - GatewaysMaxSize - - GatewayVersion - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - ControlGatewayOverPrivateOrPublicAddress - - AllocatePublicAddress - - IPMode - CloudWatch - GatewayBootstrapScript - - Label: - default: Check Point CloudGuard IaaS Security Management Server Configuration - Parameters: - ManagementDeploy - ManagementInstanceType - ManagementVersion - ManagementPasswordHash - ManagementMaintenancePasswordHash - GatewaysPolicy - - AdminCIDR - GatewayManagement - - GatewaysAddresses ParameterLabels: VPC: default: VPC @@ -100,15 +94,15 @@ Metadata: CrossZoneLoadBalancing: default: Enable Cross Zone Load Balancing GatewayName: - default: Gateways instance name + default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type GatewaysMinSize: default: Minimum group size GatewaysMaxSize: default: Maximum group size GatewayVersion: - default: Gateways version & license + default: Gateways Version & License GatewayPasswordHash: default: Gateways Password hash GatewayMaintenancePasswordHash: @@ -124,23 +118,23 @@ Metadata: GatewayBootstrapScript: default: Gateways bootstrap script ManagementDeploy: - default: Deploy Management Server + default: Management Server Settings - Deploy Management Server ManagementInstanceType: - default: Management instance type + default: Management Server Settings - Instance type ManagementVersion: - default: Management version & license + default: Management Server Settings - Version & License ManagementPasswordHash: - default: Management password hash + default: Management Server Settings - password hash ManagementMaintenancePasswordHash: - default: Management Maintenance Password hash + default: Management Server Settings - Maintenance Password hash GatewaysPolicy: - default: Security Policy + default: Management Server Settings - Security Policy AdminCIDR: - default: Administrator addresses + default: Management Server Settings - Allow SmartConsole connections from these networks GatewayManagement: - default: Manage Gateways + default: Management Server Settings - Manage Gateways GatewaysAddresses: - default: Gateways addresses + default: Management Server Settings - Gateways addresses AutoScaleGroupName: default: Auto Scale Group name Parameters: @@ -480,7 +474,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type GatewaysMinSize: Description: The minimal number of Security Gateways. @@ -495,7 +488,7 @@ Parameters: GatewayVersion: Description: The version and license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP @@ -558,9 +551,9 @@ Parameters: Default: '' NoEcho: true ManagementDeploy: - Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the parameters related to it in the advanced settings section. Type: String - Default: true + Default: false AllowedValues: - true - false @@ -577,12 +570,6 @@ Parameters: - c5.12xlarge - c5.18xlarge - c5.24xlarge - - c5n.large - - c5n.xlarge - - c5n.2xlarge - - c5n.4xlarge - - c5n.9xlarge - - c5n.18xlarge - c5d.large - c5d.xlarge - c5d.2xlarge @@ -591,23 +578,12 @@ Parameters: - c5d.12xlarge - c5d.18xlarge - c5d.24xlarge - - m5.large - - m5.xlarge - - m5.2xlarge - - m5.4xlarge - - m5.8xlarge - - m5.12xlarge - - m5.16xlarge - - m5.24xlarge - - m6i.large - - m6i.xlarge - - m6i.2xlarge - - m6i.4xlarge - - m6i.8xlarge - - m6i.12xlarge - - m6i.16xlarge - - m6i.24xlarge - - m6i.32xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge - c6i.large - c6i.xlarge - c6i.2xlarge @@ -626,6 +602,104 @@ Parameters: - c6in.16xlarge - c6in.24xlarge - c6in.32xlarge + - c7a.large + - c7a.xlarge + - c7a.2xlarge + - c7a.4xlarge + - c7a.8xlarge + - c7a.12xlarge + - c7a.16xlarge + - c7a.24xlarge + - c7a.32xlarge + - c7a.48xlarge + - c7a.metal-48xl + - c7i.large + - c7i.xlarge + - c7i.2xlarge + - c7i.4xlarge + - c7i.8xlarge + - c7i.12xlarge + - c7i.16xlarge + - c7i.24xlarge + - c7i.32xlarge + - c7i.48xlarge + - c7i.metal-24xl + - c7i.metal-48xl + - c7i-flex.large + - c7i-flex.xlarge + - c7i-flex.2xlarge + - c7i-flex.4xlarge + - c7i-flex.8xlarge + - c7i-flex.12xlarge + - c7i-flex.16xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - m7a.large + - m7a.xlarge + - m7a.2xlarge + - m7a.4xlarge + - m7a.8xlarge + - m7a.12xlarge + - m7a.16xlarge + - m7a.24xlarge + - m7a.32xlarge + - m7a.48xlarge + - m7i.large + - m7i.xlarge + - m7i.2xlarge + - m7i.4xlarge + - m7i.8xlarge + - m7i.12xlarge + - m7i.16xlarge + - m7i.24xlarge + - m7i.48xlarge + - m7i.metal-24xl + - m7i.metal-48xl + - m8i.large + - m8i.xlarge + - m8i.2xlarge + - m8i.4xlarge + - m8i.8xlarge + - m8i.12xlarge + - m8i.16xlarge + - m8i.24xlarge + - m8i.32xlarge + - m8i.48xlarge + - m8i.96xlarge + - m8i.metal-48xl + - m8i.metal-96xl + - m8i-flex.large + - m8i-flex.xlarge + - m8i-flex.2xlarge + - m8i-flex.4xlarge + - m8i-flex.8xlarge + - m8i-flex.12xlarge + - m8i-flex.16xlarge - r5.large - r5.xlarge - r5.2xlarge @@ -658,6 +732,14 @@ Parameters: - r5n.12xlarge - r5n.16xlarge - r5n.24xlarge + - r6gd.large + - r6gd.xlarge + - r6gd.2xlarge + - r6gd.4xlarge + - r6gd.8xlarge + - r6gd.12xlarge + - r6gd.16xlarge + - r6gd.metal - r6i.large - r6i.xlarge - r6i.2xlarge @@ -667,21 +749,41 @@ Parameters: - r6i.16xlarge - r6i.24xlarge - r6i.32xlarge - - m6a.large - - m6a.xlarge - - m6a.2xlarge - - m6a.4xlarge - - m6a.8xlarge - - m6a.12xlarge - - m6a.16xlarge - - m6a.24xlarge - - m6a.32xlarge - - m6a.48xlarge + - r7a.xlarge + - r7a.2xlarge + - r7a.4xlarge + - r7a.8xlarge + - r7a.12xlarge + - r7a.16xlarge + - r7a.24xlarge + - r7a.32xlarge + - r7a.48xlarge + - r7i.large + - r7i.xlarge + - r7i.2xlarge + - r7i.4xlarge + - r7i.8xlarge + - r7i.12xlarge + - r7i.16xlarge + - r7i.24xlarge + - r7i.48xlarge + - r7i.metal-24xl + - r7i.metal-48xl + - r7iz.large + - r7iz.xlarge + - r7iz.2xlarge + - r7iz.4xlarge + - r7iz.8xlarge + - r7iz.12xlarge + - r7iz.16xlarge + - r7iz.32xlarge + - r7iz.metal-16xl + - r7iz.metal-32xl ConstraintDescription: Must be a valid EC2 instance type ManagementVersion: Description: The license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG diff --git a/aws/templates/gwlb-asg/qs-gwlb-master.yaml b/aws/templates/gwlb-asg/qs-gwlb-master.yaml index 9cfb7497..37072958 100644 --- a/aws/templates/gwlb-asg/qs-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb-master.yaml @@ -1,21 +1,36 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20241027) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: Security VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: CloudGuard Auto Scaling Group Settings Parameters: - AvailabilityZones - NumberOfAZs + - Label: + default: CloudGuard Management Server Settings + Parameters: + - ManagementDeploy + - ManagementVersion + - ManagementInstanceType + - AdminCIDR + - GatewaysAddresses + - Label: + default: Advanced Settings + Parameters: - SecurityVPCCIDR - SecurityPublicSubnet1CIDR - SecurityPublicSubnet2CIDR - SecurityPublicSubnet3CIDR - SecurityPublicSubnet4CIDR - - Label: - default: Servers VPC Network Configuration - Parameters: - ServersVPCCIDR - ServersPublicSubnet1CIDR - ServersPublicSubnet2CIDR @@ -27,11 +42,6 @@ Metadata: - GWLBeSubnet4CIDR - SubnetTagsInboundCIDR - SubnetTagsOutboundCIDR - - - Label: - default: General Settings - Parameters: - - KeyName - EnableVolumeEncryption - VolumeSize - VolumeType @@ -43,49 +53,29 @@ Metadata: - ConfigurationTemplate - AdminEmail - Shell - - Label: - default: Gateway Load Balancer Configuration - Parameters: - GWLBName - TargetGroupName - AcceptConnectionRequired - CrossZoneLoadBalancing - - Label: - default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration - Parameters: - - AutoScaleGroupName + - AutoScaleGroupName - GatewayName - - GatewayInstanceType - GatewaysMinSize - GatewaysMaxSize - - GatewayVersion - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch - - Label: - default: Check Point CloudGuard IaaS Security Management Server Configuration - Parameters: - - ManagementDeploy - - ManagementInstanceType - - ManagementVersion - - ManagementPasswordHash - - ManagementMaintenancePasswordHash - - GatewaysPolicy - - GatewaysBlades - - AdminCIDR - - GatewayManagement - - GatewaysAddresses - - Label: - default: Web Servers Auto Scaling Group Configuration - Parameters: - ServerAMI - ALBProtocol - ServicePort - ServerInstanceType - ResourcesTagName + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - GatewaysBlades + - GatewayManagement ParameterLabels: AvailabilityZones: default: Availability Zones @@ -111,10 +101,10 @@ Metadata: default: Servers Auto Scaling Group Public Subnet 3 ServersPublicSubnet4CIDR: default: Servers Auto Scaling Group Public Subnet 4 - SubnetTagsOutboundCIDR: + SubnetTagsOutboundCIDR: default: Outbound Subnet tagging for Inspection SubnetTagsInboundCIDR: - default: Inbound Subnet tagging for Inspection + default: Inbound Subnet tagging for Inspection GWLBeSubnet1CIDR: default: GWLBe subnet 1 CIDR GWLBeSubnet2CIDR: @@ -156,15 +146,15 @@ Metadata: CrossZoneLoadBalancing: default: Enable Cross Zone Load Balancing GatewayName: - default: Gateways instance name + default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type GatewaysMinSize: default: Minimum group size GatewaysMaxSize: default: Maximum group size GatewayVersion: - default: Gateways version & license + default: Gateways Version & License GatewayPasswordHash: default: Gateways Password hash GatewayMaintenancePasswordHash: @@ -182,19 +172,19 @@ Metadata: ManagementDeploy: default: Deploy Management Server ManagementInstanceType: - default: Management instance type + default: Management Instance type ManagementVersion: - default: Management version & license + default: Management Version & License ManagementPasswordHash: - default: Management password hash + default: Management Server Settings - Management password hash ManagementMaintenancePasswordHash: - default: Management Maintenance Password hash + default: Management Server Settings - Management Maintenance Password hash GatewaysPolicy: - default: Security Policy + default: Management Server Settings - Security Policy AdminCIDR: - default: Administrator addresses + default: Allow SmartConsole connections from these networks GatewayManagement: - default: Manage Gateways + default: Management Server Settings - Manage Gateways GatewaysAddresses: default: Gateways addresses ALBProtocol: @@ -635,7 +625,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type GatewaysMinSize: Description: The minimal number of Security Gateways. @@ -650,7 +639,7 @@ Parameters: GatewayVersion: Description: The version and license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP @@ -701,7 +690,7 @@ Parameters: - true - false ManagementDeploy: - Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the parameters below. Type: String Default: true AllowedValues: @@ -752,6 +741,17 @@ Parameters: - c6in.16xlarge - c6in.24xlarge - c6in.32xlarge + - c7a.large + - c7a.xlarge + - c7a.2xlarge + - c7a.4xlarge + - c7a.8xlarge + - c7a.12xlarge + - c7a.16xlarge + - c7a.24xlarge + - c7a.32xlarge + - c7a.48xlarge + - c7a.metal-48xl - c7i.large - c7i.xlarge - c7i.2xlarge @@ -762,6 +762,8 @@ Parameters: - c7i.24xlarge - c7i.32xlarge - c7i.48xlarge + - c7i.metal-24xl + - c7i.metal-48xl - c7i-flex.large - c7i-flex.xlarge - c7i-flex.2xlarge @@ -817,13 +819,6 @@ Parameters: - m7i.48xlarge - m7i.metal-24xl - m7i.metal-48xl - - m7i-flex.large - - m7i-flex.xlarge - - m7i-flex.2xlarge - - m7i-flex.4xlarge - - m7i-flex.8xlarge - - m7i-flex.12xlarge - - m7i-flex.16xlarge - m8i.large - m8i.xlarge - m8i.2xlarge @@ -876,6 +871,14 @@ Parameters: - r5n.12xlarge - r5n.16xlarge - r5n.24xlarge + - r6gd.large + - r6gd.xlarge + - r6gd.2xlarge + - r6gd.4xlarge + - r6gd.8xlarge + - r6gd.12xlarge + - r6gd.16xlarge + - r6gd.metal - r6i.large - r6i.xlarge - r6i.2xlarge @@ -894,13 +897,32 @@ Parameters: - r7a.24xlarge - r7a.32xlarge - r7a.48xlarge - - + - r7i.large + - r7i.xlarge + - r7i.2xlarge + - r7i.4xlarge + - r7i.8xlarge + - r7i.12xlarge + - r7i.16xlarge + - r7i.24xlarge + - r7i.48xlarge + - r7i.metal-24xl + - r7i.metal-48xl + - r7iz.large + - r7iz.xlarge + - r7iz.2xlarge + - r7iz.4xlarge + - r7iz.8xlarge + - r7iz.12xlarge + - r7iz.16xlarge + - r7iz.32xlarge + - r7iz.metal-16xl + - r7iz.metal-32xl ConstraintDescription: Must be a valid EC2 instance type ManagementVersion: Description: The license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml index bfcf3c20..549a22e6 100644 --- a/aws/templates/gwlb-asg/qs-gwlb.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml @@ -1,29 +1,32 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (20241027)" +Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (20260101)" Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: General Network Configuration + default: Basic Settings Parameters: - - NumberOfAZs + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName - Label: - default: Security Network Configuration + default: VPC Network Settings Parameters: + - NumberOfAZs - SecurityVPC - GatewaysSubnets - Label: - default: Servers Network Configuration + default: CloudGuard Management Server Settings Parameters: - - ServersVPC - - ServersSubnets - - ServersCIDRs - - GWLBeSubnets - - ServerIGW + - ManagementDeploy + - ManagementVersion + - ManagementInstanceType + - AdminCIDR + - GatewaysAddresses - Label: - default: General Settings + default: Advanced Settings Parameters: - - KeyName - EnableVolumeEncryption - VolumeSize - VolumeType @@ -35,49 +38,34 @@ Metadata: - ConfigurationTemplate - AdminEmail - Shell - - Label: - default: Gateway Load Balancer Configuration - Parameters: - GWLBName - TargetGroupName - AcceptConnectionRequired - CrossZoneLoadBalancing - - Label: - default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration - Parameters: - AutoScaleGroupName - GatewayName - - GatewayInstanceType - GatewaysMinSize - GatewaysMaxSize - - GatewayVersion - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch - - Label: - default: Check Point CloudGuard IaaS Security Management Server Configuration - Parameters: - - ManagementDeploy - - ManagementInstanceType - - ManagementVersion - - ManagementPasswordHash - - ManagementMaintenancePasswordHash - - GatewaysPolicy - - GatewaysBlades - - AdminCIDR - - GatewayManagement - - GatewaysAddresses - - Label: - default: Web Servers Auto Scaling Group Configuration - Parameters: - ServerInstanceType - ServerAMI - ALBProtocol - ServicePort - ResourcesTagName + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - GatewaysBlades + - GatewayManagement + - ServersVPC + - ServersSubnets + - ServersCIDRs + - GWLBeSubnets + - ServerIGW ParameterLabels: NumberOfAZs: default: Number of AZs @@ -128,15 +116,15 @@ Metadata: CrossZoneLoadBalancing: default: Enable Cross Zone Load Balancing GatewayName: - default: Gateways instance name + default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type GatewaysMinSize: default: Minimum group size GatewaysMaxSize: default: Maximum group size GatewayVersion: - default: Gateways version & license + default: Gateways Version & License GatewayPasswordHash: default: Gateways Password hash GatewayMaintenancePasswordHash: @@ -152,25 +140,25 @@ Metadata: ManagementDeploy: default: Deploy Management Server ManagementInstanceType: - default: Management instance type + default: Management Instance type ManagementVersion: - default: Management version & license + default: Management Version & License ManagementPasswordHash: - default: Management password hash + default: Management Server Settings - Management password hash ManagementMaintenancePasswordHash: - default: Management Maintenance Password hash + default: Management Server Settings - Management Maintenance Password hash GatewaysPolicy: - default: Security Policy + default: Management Server Settings - Security Policy GatewaysBlades: - default: Default Blades + default: Management Server Settings - Default Blades AdminCIDR: - default: Administrator addresses + default: Allow SmartConsole connections from these networks GatewayManagement: - default: Manage Gateways + default: Management Server Settings - Manage Gateways GatewaysAddresses: default: Gateways addresses ServerInstanceType: - default: Servers instance type + default: Servers Instance type ServerAMI: default: AMI ID ALBProtocol: @@ -540,7 +528,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type GatewaysMinSize: Description: The minimal number of Security Gateways. @@ -555,7 +542,7 @@ Parameters: GatewayVersion: Description: The version and license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP @@ -657,6 +644,17 @@ Parameters: - c6in.16xlarge - c6in.24xlarge - c6in.32xlarge + - c7a.large + - c7a.xlarge + - c7a.2xlarge + - c7a.4xlarge + - c7a.8xlarge + - c7a.12xlarge + - c7a.16xlarge + - c7a.24xlarge + - c7a.32xlarge + - c7a.48xlarge + - c7a.metal-48xl - c7i.large - c7i.xlarge - c7i.2xlarge @@ -667,6 +665,8 @@ Parameters: - c7i.24xlarge - c7i.32xlarge - c7i.48xlarge + - c7i.metal-24xl + - c7i.metal-48xl - c7i-flex.large - c7i-flex.xlarge - c7i-flex.2xlarge @@ -722,13 +722,6 @@ Parameters: - m7i.48xlarge - m7i.metal-24xl - m7i.metal-48xl - - m7i-flex.large - - m7i-flex.xlarge - - m7i-flex.2xlarge - - m7i-flex.4xlarge - - m7i-flex.8xlarge - - m7i-flex.12xlarge - - m7i-flex.16xlarge - m8i.large - m8i.xlarge - m8i.2xlarge @@ -781,6 +774,14 @@ Parameters: - r5n.12xlarge - r5n.16xlarge - r5n.24xlarge + - r6gd.large + - r6gd.xlarge + - r6gd.2xlarge + - r6gd.4xlarge + - r6gd.8xlarge + - r6gd.12xlarge + - r6gd.16xlarge + - r6gd.metal - r6i.large - r6i.xlarge - r6i.2xlarge @@ -799,13 +800,32 @@ Parameters: - r7a.24xlarge - r7a.32xlarge - r7a.48xlarge - - + - r7i.large + - r7i.xlarge + - r7i.2xlarge + - r7i.4xlarge + - r7i.8xlarge + - r7i.12xlarge + - r7i.16xlarge + - r7i.24xlarge + - r7i.48xlarge + - r7i.metal-24xl + - r7i.metal-48xl + - r7iz.large + - r7iz.xlarge + - r7iz.2xlarge + - r7iz.4xlarge + - r7iz.8xlarge + - r7iz.12xlarge + - r7iz.16xlarge + - r7iz.32xlarge + - r7iz.metal-16xl + - r7iz.metal-32xl ConstraintDescription: Must be a valid EC2 instance type ManagementVersion: Description: The license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG diff --git a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml index 5e05ae54..bc4d4642 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml @@ -1,13 +1,25 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20241027) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - AdminCIDR + - GatewaysAddresses + - Label: + default: VPC Network Settings Parameters: - AvailabilityZones - NumberOfAZs + - Label: + default: Advanced Settings + Parameters: - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR @@ -25,10 +37,6 @@ Metadata: - GWLBeSubnet2CIDR - GWLBeSubnet3CIDR - GWLBeSubnet4CIDR - - Label: - default: General Settings - Parameters: - - KeyName - EnableVolumeEncryption - VolumeSize - VolumeType @@ -40,40 +48,26 @@ Metadata: - ConfigurationTemplate - AdminEmail - Shell - - Label: - default: Gateway Load Balancer Configuration - Parameters: - GWLBName - TargetGroupName - CrossZoneLoadBalancing - - Label: - default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration - Parameters: - AutoScaleGroupName - GatewayName - - GatewayInstanceType - GatewaysMinSize - GatewaysMaxSize - - GatewayVersion - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch - GatewayBootstrapScript - - Label: - default: Check Point CloudGuard IaaS Security Management Server Configuration - Parameters: - ManagementDeploy - ManagementInstanceType - ManagementVersion - ManagementPasswordHash - ManagementMaintenancePasswordHash - GatewaysPolicy - - AdminCIDR - GatewayManagement - - GatewaysAddresses ParameterLabels: AvailabilityZones: default: Availability Zones @@ -138,25 +132,25 @@ Metadata: Shell: default: Admin shell GWLBName: - default: Gateway Load Balancer Name + default: Gateways Load Balancer name TargetGroupName: default: Target Group Name CrossZoneLoadBalancing: default: Enable Cross Zone Load Balancing GatewayName: - default: Gateways instance name + default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type GatewaysMinSize: default: Minimum group size GatewaysMaxSize: default: Maximum group size GatewayVersion: - default: Gateways version & license + default: Gateways Version & License GatewayPasswordHash: default: Gateways Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: default: Gateways SIC key ControlGatewayOverPrivateOrPublicAddress: @@ -168,23 +162,23 @@ Metadata: GatewayBootstrapScript: default: Gateways bootstrap script ManagementDeploy: - default: Deploy Management Server + default: Management Server Settings - Deploy Management Server ManagementInstanceType: - default: Management instance type + default: Management Server Settings - Instance type ManagementVersion: - default: Management version & license + default: Management Server Settings - Version & License ManagementPasswordHash: - default: Management password hash + default: Management Server Settings - Password hash ManagementMaintenancePasswordHash: - default: Management Maintenance Password hash + default: Management Server Settings - Maintenance Password hash GatewaysPolicy: - default: Security Policy + default: Management Server Settings - Security Policy AdminCIDR: - default: Administrator addresses + default: Management Server Settings - Allow SmartConsole connections from these networks GatewayManagement: - default: Manage Gateways + default: Management Server Settings - Manage Gateways GatewaysAddresses: - default: Gateways addresses + default: Management Server Settings - Gateways addresses AutoScaleGroupName: default: Auto Scale Group name Parameters: @@ -619,7 +613,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type GatewaysMinSize: Description: The minimal number of Security Gateways. @@ -634,7 +627,7 @@ Parameters: GatewayVersion: Description: The version and license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP @@ -690,9 +683,9 @@ Parameters: Default: '' NoEcho: true ManagementDeploy: - Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the parameters below. Type: String - Default: true + Default: false AllowedValues: - true - false @@ -741,6 +734,17 @@ Parameters: - c6in.16xlarge - c6in.24xlarge - c6in.32xlarge + - c7a.large + - c7a.xlarge + - c7a.2xlarge + - c7a.4xlarge + - c7a.8xlarge + - c7a.12xlarge + - c7a.16xlarge + - c7a.24xlarge + - c7a.32xlarge + - c7a.48xlarge + - c7a.metal-48xl - c7i.large - c7i.xlarge - c7i.2xlarge @@ -751,6 +755,8 @@ Parameters: - c7i.24xlarge - c7i.32xlarge - c7i.48xlarge + - c7i.metal-24xl + - c7i.metal-48xl - c7i-flex.large - c7i-flex.xlarge - c7i-flex.2xlarge @@ -806,13 +812,6 @@ Parameters: - m7i.48xlarge - m7i.metal-24xl - m7i.metal-48xl - - m7i-flex.large - - m7i-flex.xlarge - - m7i-flex.2xlarge - - m7i-flex.4xlarge - - m7i-flex.8xlarge - - m7i-flex.12xlarge - - m7i-flex.16xlarge - m8i.large - m8i.xlarge - m8i.2xlarge @@ -865,6 +864,14 @@ Parameters: - r5n.12xlarge - r5n.16xlarge - r5n.24xlarge + - r6gd.large + - r6gd.xlarge + - r6gd.2xlarge + - r6gd.4xlarge + - r6gd.8xlarge + - r6gd.12xlarge + - r6gd.16xlarge + - r6gd.metal - r6i.large - r6i.xlarge - r6i.2xlarge @@ -883,13 +890,32 @@ Parameters: - r7a.24xlarge - r7a.32xlarge - r7a.48xlarge - - + - r7i.large + - r7i.xlarge + - r7i.2xlarge + - r7i.4xlarge + - r7i.8xlarge + - r7i.12xlarge + - r7i.16xlarge + - r7i.24xlarge + - r7i.48xlarge + - r7i.metal-24xl + - r7i.metal-48xl + - r7iz.large + - r7iz.xlarge + - r7iz.2xlarge + - r7iz.4xlarge + - r7iz.8xlarge + - r7iz.12xlarge + - r7iz.16xlarge + - r7iz.32xlarge + - r7iz.metal-16xl + - r7iz.metal-32xl ConstraintDescription: Must be a valid EC2 instance type ManagementVersion: Description: The license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG diff --git a/aws/templates/gwlb-asg/tgw-gwlb.yaml b/aws/templates/gwlb-asg/tgw-gwlb.yaml index 5f00b8b7..15f0802a 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb.yaml @@ -1,10 +1,19 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20241027) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - AdminCIDR + - GatewaysAddresses + - Label: + default: VPC Network Settings Parameters: - VPC - IGWID @@ -15,6 +24,9 @@ Metadata: - TgwSubnet2Id - TgwSubnet3Id - TgwSubnet4Id + - Label: + default: Advanced Settings + Parameters: - NatGwSubnet1CIDR - NatGwSubnet2CIDR - NatGwSubnet3CIDR @@ -23,10 +35,6 @@ Metadata: - GWLBeSubnet2CIDR - GWLBeSubnet3CIDR - GWLBeSubnet4CIDR - - Label: - default: General Settings - Parameters: - - KeyName - EnableVolumeEncryption - VolumeSize - VolumeType @@ -38,40 +46,26 @@ Metadata: - ConfigurationTemplate - AdminEmail - Shell - - Label: - default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration - Parameters: - AutoScaleGroupName - GatewayName - - GatewayInstanceType - GatewaysMinSize - GatewaysMaxSize - - GatewayVersion - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch - GatewayBootstrapScript - - Label: - default: Gateway Load Balancer Configuration - Parameters: - GWLBName - TargetGroupName - CrossZoneLoadBalancing - - Label: - default: Check Point CloudGuard IaaS Security Management Server Configuration - Parameters: - ManagementDeploy - ManagementInstanceType - ManagementVersion - ManagementPasswordHash - ManagementMaintenancePasswordHash - GatewaysPolicy - - AdminCIDR - GatewayManagement - - GatewaysAddresses ParameterLabels: VPC: default: VPC @@ -132,19 +126,19 @@ Metadata: Shell: default: Admin shell GatewayName: - default: Gateways instance name + default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type GatewaysMinSize: default: Minimum group size GatewaysMaxSize: default: Maximum group size GatewayVersion: - default: Gateways version & license + default: Gateways Version & License GatewayPasswordHash: default: Gateways Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: default: Gateways SIC key ControlGatewayOverPrivateOrPublicAddress: @@ -156,29 +150,29 @@ Metadata: GatewayBootstrapScript: default: Gateways bootstrap script GWLBName: - default: Gateway Load Balancer Name + default: Gateways Load Balancer Name TargetGroupName: default: Target Group Name CrossZoneLoadBalancing: default: Enable Cross Zone Load Balancing ManagementDeploy: - default: Deploy Management Server + default: Management Server Settings - Deploy Management Server ManagementInstanceType: - default: Management instance type + default: Management Server Settings - Instance type ManagementVersion: - default: Management version & license + default: Management Server Settings - Version & License ManagementPasswordHash: - default: Management password hash + default: Management Server Settings - Password hash ManagementMaintenancePasswordHash: - default: Management Maintenance Password hash + default: Management Server Settings - Maintenance Password hash GatewaysPolicy: - default: Security Policy + default: Management Server Settings - Security Policy AdminCIDR: - default: Administrator addresses + default: Management Server Settings - Allow SmartConsole connections from these networks GatewayManagement: - default: Manage Gateways + default: Management Server Settings - Manage Gateways GatewaysAddresses: - default: Gateways addresses + default: Management Server Settings - Gateways addresses AutoScaleGroupName: default: Auto Scale Group name Parameters: @@ -188,7 +182,7 @@ Parameters: MinLength: 1 ConstraintDescription: You must select a VPC. IGWID: - Description: VPC's Internet Gateway Id (e.g. igw-123a4567). + Description: VPC's Internet Gateway ID (e.g. igw-123a4567). Type: String MinLength: 1 ConstraintDescription: You must insert an Internet Gateway Id. @@ -210,12 +204,12 @@ Parameters: Description: The TGW attachment subnet ID located in the 1st Availability Zone. Type: String MinLength: 1 - ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 1. + ConstraintDescription: You must insert Tgw Subnet ID for Availability Zone 1. TgwSubnet2Id: Description: The TGW attachment subnet ID located in the 2nd Availability Zone. Type: String MinLength: 1 - ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 2. + ConstraintDescription: You must insert Tgw Subnet ID for Availability Zone 2. TgwSubnet3Id: Description: The TGW attachment subnet ID located in the 3rd Availability Zone. Type: String @@ -574,7 +568,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type. GatewaysMinSize: Description: The minimal number of Security Gateways. @@ -589,7 +582,7 @@ Parameters: GatewayVersion: Description: The version and license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP @@ -662,9 +655,9 @@ Parameters: - true - false ManagementDeploy: - Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the parameters below. Type: String - Default: true + Default: false AllowedValues: - true - false @@ -713,6 +706,17 @@ Parameters: - c6in.16xlarge - c6in.24xlarge - c6in.32xlarge + - c7a.large + - c7a.xlarge + - c7a.2xlarge + - c7a.4xlarge + - c7a.8xlarge + - c7a.12xlarge + - c7a.16xlarge + - c7a.24xlarge + - c7a.32xlarge + - c7a.48xlarge + - c7a.metal-48xl - c7i.large - c7i.xlarge - c7i.2xlarge @@ -723,6 +727,8 @@ Parameters: - c7i.24xlarge - c7i.32xlarge - c7i.48xlarge + - c7i.metal-24xl + - c7i.metal-48xl - c7i-flex.large - c7i-flex.xlarge - c7i-flex.2xlarge @@ -778,13 +784,6 @@ Parameters: - m7i.48xlarge - m7i.metal-24xl - m7i.metal-48xl - - m7i-flex.large - - m7i-flex.xlarge - - m7i-flex.2xlarge - - m7i-flex.4xlarge - - m7i-flex.8xlarge - - m7i-flex.12xlarge - - m7i-flex.16xlarge - m8i.large - m8i.xlarge - m8i.2xlarge @@ -837,6 +836,14 @@ Parameters: - r5n.12xlarge - r5n.16xlarge - r5n.24xlarge + - r6gd.large + - r6gd.xlarge + - r6gd.2xlarge + - r6gd.4xlarge + - r6gd.8xlarge + - r6gd.12xlarge + - r6gd.16xlarge + - r6gd.metal - r6i.large - r6i.xlarge - r6i.2xlarge @@ -855,13 +862,32 @@ Parameters: - r7a.24xlarge - r7a.32xlarge - r7a.48xlarge - - + - r7i.large + - r7i.xlarge + - r7i.2xlarge + - r7i.4xlarge + - r7i.8xlarge + - r7i.12xlarge + - r7i.16xlarge + - r7i.24xlarge + - r7i.48xlarge + - r7i.metal-24xl + - r7i.metal-48xl + - r7iz.large + - r7iz.xlarge + - r7iz.2xlarge + - r7iz.4xlarge + - r7iz.8xlarge + - r7iz.12xlarge + - r7iz.16xlarge + - r7iz.32xlarge + - r7iz.metal-16xl + - r7iz.metal-32xl ConstraintDescription: Must be a valid EC2 instance type. ManagementVersion: Description: The license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG diff --git a/aws/templates/management/management-master.yaml b/aws/templates/management/management-master.yaml index f5a2b2bf..dfbf7e66 100755 --- a/aws/templates/management/management-master.yaml +++ b/aws/templates/management/management-master.yaml @@ -1,22 +1,29 @@ AWSTemplateFormatVersion: 2010-09-09 Description: | - Deploys a Check Point Management Server into a new VPC (20250821) + Deploys a Check Point Management Server into a new VPC (20260101) See sk130372 administration guide for detailed deployment and configuration steps. Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - ManagementVersion + - ManagementInstanceType + - SICKey + - KeyName + - AdminCIDR + - GatewaysAddresses + - Label: + default: VPC Network Settings Parameters: - AvailabilityZone - - VPCCIDR - - PublicSubnet1CIDR - Label: - default: EC2 Instance Configuration + default: Security Management Server Settings Parameters: + - VPCCIDR + - PublicSubnet1CIDR - ManagementName - - ManagementInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -24,30 +31,16 @@ Metadata: - EnableInstanceConnect - TerminationProtection - MetaDataToken - - Label: - default: IAM Permissions (ignored when the installation is not Primary Management - Server) - Parameters: - ManagementPermissions - ManagementPredefinedRole - ManagementSTSRoles - - Label: - default: Check Point Settings - Parameters: - - ManagementVersion - Shell - ManagementPasswordHash - ManagementMaintenancePasswordHash - - Label: - default: Security Management Server Settings - Parameters: - ManagementHostname - ManagementInstallationType - - SICKey - AllowUploadDownload - - AdminCIDR - GatewayManagement - - GatewaysAddresses - ManagementBootstrapScript - NTPPrimary - NTPSecondary @@ -61,7 +54,7 @@ Metadata: ManagementName: default: Management name ManagementInstanceType: - default: Instance type + default: Management Instance type KeyName: default: Key name AllocatePublicAddress: @@ -85,7 +78,7 @@ Metadata: ManagementSTSRoles: default: STS roles ManagementVersion: - default: Version & license + default: Management Version & License Shell: default: Admin shell ManagementPasswordHash: @@ -93,11 +86,11 @@ Metadata: ManagementMaintenancePasswordHash: default: Management Maintenance Password hash ManagementHostname: - default: Management hostname + default: Management Hostname ManagementInstallationType: - default: Management installation type + default: Management Installation type SICKey: - default: SIC key + default: Management SIC key AllowUploadDownload: default: Allow upload & download AdminCIDR: @@ -320,7 +313,6 @@ Parameters: - r7a.24xlarge - r7a.32xlarge - r7a.48xlarge - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -394,7 +386,7 @@ Parameters: ManagementVersion: Description: The license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml index c8258f9c..ef405aeb 100755 --- a/aws/templates/management/management.yaml +++ b/aws/templates/management/management.yaml @@ -1,19 +1,26 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Management Server into an existing VPC (20241027) +Description: Deploys a Check Point Management Server into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - ManagementVersion + - ManagementInstanceType + - SICKey + - KeyName + - AdminCIDR + - GatewaysAddresses + - Label: + default: VPC Network Settings Parameters: - VPC - ManagementSubnet - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: - ManagementName - - ManagementInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -21,30 +28,16 @@ Metadata: - EnableInstanceConnect - TerminationProtection - MetaDataToken - - Label: - default: IAM Permissions (ignored when the installation is not Primary Management - Server) - Parameters: - ManagementPermissions - ManagementPredefinedRole - ManagementSTSRoles - - Label: - default: Check Point Settings - Parameters: - - ManagementVersion - Shell - ManagementPasswordHash - ManagementMaintenancePasswordHash - - Label: - default: Security Management Server Settings - Parameters: - ManagementHostname - ManagementInstallationType - - SICKey - AllowUploadDownload - - AdminCIDR - GatewayManagement - - GatewaysAddresses - ManagementBootstrapScript - NTPPrimary - NTPSecondary @@ -56,7 +49,7 @@ Metadata: ManagementName: default: Management name ManagementInstanceType: - default: Instance type + default: Management Instance type KeyName: default: Key name AllocatePublicAddress: @@ -80,7 +73,7 @@ Metadata: ManagementSTSRoles: default: STS roles ManagementVersion: - default: Version & license + default: Management Version & License Shell: default: Admin shell ManagementPasswordHash: @@ -88,15 +81,15 @@ Metadata: ManagementMaintenancePasswordHash: default: Management Maintenance Password hash ManagementHostname: - default: Management hostname + default: Management Hostname ManagementInstallationType: - default: Management installation type + default: Management Installation type SICKey: - default: SIC key + default: Management SIC key AllowUploadDownload: default: Allow upload & download AdminCIDR: - default: Administrator addresses + default: Allow SmartConsole connections from these networks GatewayManagement: default: Gateways management GatewaysAddresses: @@ -308,8 +301,6 @@ Parameters: - r7a.24xlarge - r7a.32xlarge - r7a.48xlarge - - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -383,7 +374,7 @@ Parameters: ManagementVersion: Description: The license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG @@ -638,7 +629,7 @@ Resources: - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] - - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP diff --git a/aws/templates/mds/mds-master.yaml b/aws/templates/mds/mds-master.yaml index 95687940..def15c27 100755 --- a/aws/templates/mds/mds-master.yaml +++ b/aws/templates/mds/mds-master.yaml @@ -1,49 +1,42 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploys a Check Point Multi-Domain Server into a new VPC (__VERSION__) +Description: Deploys a Check Point Multi-Domain Server into a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - MDSVersion + - MDSInstanceType + - MDSSICKey + - KeyName + - AdminCIDR + - GatewaysAddresses + - Label: + default: VPC Network Settings Parameters: - AvailabilityZone - - VPCCIDR - - PublicSubnet1CIDR - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: + - VPCCIDR + - PublicSubnet1CIDR - MDSName - - MDSInstanceType - - KeyName - VolumeSize - VolumeType - VolumeEncryption - EnableInstanceConnect - TerminationProtection - MetaDataToken - - Label: - default: IAM Permissions (ignored when the installation type is not Primary - Multi-Domain Server) - Parameters: - MDSPermissions - MDSPredefinedRole - MDSSTSRoles - - Label: - default: Check Point Settings - Parameters: - - MDSVersion - Shell - MDSPasswordHash - MDSMaintenancePasswordHash - - Label: - default: Multi-Domain Server Settings - Parameters: - MDSHostname - MDSInstallationType - - MDSSICKey - AllowUploadDownload - - AdminCIDR - - GatewaysAddresses - MDSBootstrapScript - NTPPrimary - NTPSecondary @@ -57,7 +50,7 @@ Metadata: MDSName: default: MDS name MDSInstanceType: - default: Instance type + default: MDS Instance type KeyName: default: Key name VolumeSize: @@ -79,7 +72,7 @@ Metadata: MDSSTSRoles: default: STS roles MDSVersion: - default: Version & license + default: MDS Version & License Shell: default: Admin shell MDSPasswordHash: @@ -87,11 +80,11 @@ Metadata: MDSMaintenancePasswordHash: default: MDS Maintenance Password hash MDSHostname: - default: MDS hostname + default: MDS Hostname MDSInstallationType: - default: MDS installation type + default: MDS Installation type MDSSICKey: - default: SIC key + default: MDS SIC key AllowUploadDownload: default: Allow upload & download AdminCIDR: @@ -491,7 +484,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 @@ -499,136 +492,45 @@ Resources: PublicSubnet1CIDR: !Ref PublicSubnet1CIDR CreatePrivateSubnets: false CreateAttachmentSubnets: false - AMI: + MDSStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/amis.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/management/mds.yaml Parameters: - Version: !Join ['-', [!Ref MDSVersion, MGMT]] - MDSSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupDescription: MDS security group - VpcId: !GetAtt VPCStack.Outputs.VPCID - SecurityGroupIngress: - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 257 - ToPort: 257 - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 8211 - ToPort: 8211 - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 18191 - ToPort: 18191 - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 18192 - ToPort: 18192 - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 18208 - ToPort: 18208 - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 18210 - ToPort: 18210 - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 18211 - ToPort: 18211 - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 18221 - ToPort: 18221 - - CidrIp: !Ref GatewaysAddresses - IpProtocol: tcp - FromPort: 18264 - ToPort: 18264 - - CidrIp: !Ref AdminCIDR - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - - CidrIp: !Ref AdminCIDR - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - - CidrIp: !Ref AdminCIDR - IpProtocol: tcp - FromPort: 18190 - ToPort: 18190 - - CidrIp: !Ref AdminCIDR - IpProtocol: tcp - FromPort: 19009 - ToPort: 19009 - MDSRoleStack: - Type: AWS::CloudFormation::Stack - Condition: CreateRole - Properties: - TemplateURL: __URL__/iam/cme-iam-role.yaml - Parameters: - Permissions: !Ref MDSPermissions - STSRoles: !Join [',', !Ref MDSSTSRoles] - InstanceProfile: - Type: AWS::IAM::InstanceProfile - Condition: PreRole - Properties: - Path: / - Roles: - - !Ref MDSPredefinedRole - MDSInstance: - Type: AWS::EC2::Instance - DependsOn: [MDSSecurityGroup, MDSLaunchTemplate] - Properties: - LaunchTemplate: - LaunchTemplateId: !Ref MDSLaunchTemplate - Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber - DisableApiTermination: !Ref TerminationProtection - Tags: - - Key: Name - Value: !Ref MDSName - NetworkInterfaces: - - DeviceIndex: 0 - AssociatePublicIpAddress: false - Description: eth0 - GroupSet: - - !Ref MDSSecurityGroup - DeleteOnTermination: true - SubnetId: !GetAtt VPCStack.Outputs.PublicSubnet1ID - MDSLaunchTemplate: - Type: AWS::EC2::LaunchTemplate - Properties: - LaunchTemplateData: + MDSVersion: !Ref MDSVersion + MDSInstanceType: !Ref MDSInstanceType + MDSSICKey: !Ref MDSSICKey KeyName: !Ref KeyName - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref MDSInstanceType - MetadataOptions: - HttpTokens: !If [EnableMetaDataToken, required, optional] - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [ EncryptedVolume, true, false ] - KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - IamInstanceProfile: - Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] - UserData: !Base64 - Fn::Join: - - |+ - - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' - - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] - - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] - - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' - VersionDescription: Initial template version \ No newline at end of file + VPC: !GetAtt VPCStack.Outputs.VPCID + MDSSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + AdminCIDR: !Ref AdminCIDR + GatewaysAddresses: !Ref GatewaysAddresses + MDSName: !Ref MDSName + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + MDSPermissions: !Ref MDSPermissions + MDSPredefinedRole: !Ref MDSPredefinedRole + MDSSTSRoles: !Join [',', !Ref MDSSTSRoles] + Shell: !Ref Shell + MDSPasswordHash: !Ref MDSPasswordHash + MDSMaintenancePasswordHash: !Ref MDSMaintenancePasswordHash + MDSHostname: !Ref MDSHostname + MDSInstallationType: !Ref MDSInstallationType + AllowUploadDownload: !Ref AllowUploadDownload + MDSBootstrapScript: !Ref MDSBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + InstanceId: + Description: The instance ID of the Multi-Domain Server. + Value: !GetAtt MDSStack.Outputs.InstanceId + PrivateIp: + Description: The private IP address of the Multi-Domain Server. + Value: !GetAtt MDSStack.Outputs.PrivateIp + SecurityGroupId: + Description: The security group ID attached to the Multi-Domain Server. + Value: !GetAtt MDSStack.Outputs.SecurityGroupId \ No newline at end of file diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml index 6e7ab6b6..186b49d4 100644 --- a/aws/templates/mds/mds.yaml +++ b/aws/templates/mds/mds.yaml @@ -1,48 +1,42 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploys a Check Point Multi-Domain Server into an existing VPC (20241027) +Description: Deploys a Check Point Multi-Domain Server into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - MDSVersion + - MDSInstanceType + - MDSSICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - MDSSubnet + - AdminCIDR + - GatewaysAddresses - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: - MDSName - - MDSInstanceType - - KeyName - VolumeSize - VolumeType - VolumeEncryption - EnableInstanceConnect - TerminationProtection - MetaDataToken - - Label: - default: IAM Permissions (ignored when the installation type is not Primary - Multi-Domain Server) - Parameters: - MDSPermissions - MDSPredefinedRole - MDSSTSRoles - - Label: - default: Check Point Settings - Parameters: - MDSVersion - Shell - MDSPasswordHash - MDSMaintenancePasswordHash - - Label: - default: Multi-Domain Server Settings - Parameters: - MDSHostname - MDSInstallationType - - MDSSICKey - AllowUploadDownload - - AdminCIDR - - GatewaysAddresses - MDSBootstrapScript - NTPPrimary - NTPSecondary @@ -54,7 +48,7 @@ Metadata: MDSName: default: MDS name MDSInstanceType: - default: Instance type + default: MDS Instance type KeyName: default: Key name VolumeSize: @@ -76,7 +70,7 @@ Metadata: MDSSTSRoles: default: STS roles MDSVersion: - default: Version & license + default: MDS Version & License Shell: default: Admin shell MDSPasswordHash: @@ -84,11 +78,11 @@ Metadata: MDSMaintenancePasswordHash: default: MDS Maintenance Password hash MDSHostname: - default: MDS hostname + default: MDS Hostname MDSInstallationType: - default: MDS installation type + default: MDS Installation type MDSSICKey: - default: SIC key + default: MDS SIC key AllowUploadDownload: default: Allow upload & download AdminCIDR: @@ -120,6 +114,7 @@ Parameters: Type: String Default: m5.2xlarge AllowedValues: + - c5.large - c5.xlarge - c5.2xlarge - c5.4xlarge @@ -127,6 +122,7 @@ Parameters: - c5.12xlarge - c5.18xlarge - c5.24xlarge + - c5d.large - c5d.xlarge - c5d.2xlarge - c5d.4xlarge @@ -134,11 +130,13 @@ Parameters: - c5d.12xlarge - c5d.18xlarge - c5d.24xlarge + - c5n.large - c5n.xlarge - c5n.2xlarge - c5n.4xlarge - c5n.9xlarge - c5n.18xlarge + - c6i.large - c6i.xlarge - c6i.2xlarge - c6i.4xlarge @@ -147,6 +145,7 @@ Parameters: - c6i.16xlarge - c6i.24xlarge - c6i.32xlarge + - c6in.large - c6in.xlarge - c6in.2xlarge - c6in.4xlarge @@ -179,6 +178,7 @@ Parameters: - c7i-flex.8xlarge - c7i-flex.12xlarge - c7i-flex.16xlarge + - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge @@ -186,6 +186,7 @@ Parameters: - m5.12xlarge - m5.16xlarge - m5.24xlarge + - m6a.large - m6a.xlarge - m6a.2xlarge - m6a.4xlarge @@ -195,6 +196,7 @@ Parameters: - m6a.24xlarge - m6a.32xlarge - m6a.48xlarge + - m6i.large - m6i.xlarge - m6i.2xlarge - m6i.4xlarge @@ -241,6 +243,7 @@ Parameters: - m8i-flex.8xlarge - m8i-flex.12xlarge - m8i-flex.16xlarge + - r5.large - r5.xlarge - r5.2xlarge - r5.4xlarge @@ -248,6 +251,7 @@ Parameters: - r5.12xlarge - r5.16xlarge - r5.24xlarge + - r5a.large - r5a.xlarge - r5a.2xlarge - r5a.4xlarge @@ -255,6 +259,7 @@ Parameters: - r5a.12xlarge - r5a.16xlarge - r5a.24xlarge + - r5b.large - r5b.xlarge - r5b.2xlarge - r5b.4xlarge @@ -262,6 +267,7 @@ Parameters: - r5b.12xlarge - r5b.16xlarge - r5b.24xlarge + - r5n.large - r5n.xlarge - r5n.2xlarge - r5n.4xlarge @@ -275,6 +281,7 @@ Parameters: - r6gd.12xlarge - r6gd.16xlarge - r6gd.metal + - r6i.large - r6i.xlarge - r6i.2xlarge - r6i.4xlarge @@ -398,7 +405,7 @@ Parameters: AllowedPattern: '[\$\./a-zA-Z0-9]*' NoEcho: true MDSMaintenancePasswordHash: - Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) Type: String Default: '' AllowedPattern: '[\$\./a-zA-Z0-9]*' @@ -609,5 +616,15 @@ Resources: - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] - - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' - VersionDescription: Initial template version \ No newline at end of file + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version +Outputs: + InstanceId: + Description: InstanceId of the deployed MDS + Value: !Ref MDSInstance + PrivateIp: + Description: Private IP address of the deployed MDS + Value: !GetAtt MDSInstance.PrivateIp + SecurityGroupId: + Description: Security Group ID of the deployed MDS + Value: !Ref MDSSecurityGroup \ No newline at end of file diff --git a/aws/templates/single-gw/gateway-master.yaml b/aws/templates/single-gw/gateway-master.yaml index eddf2021..8e1b61f8 100644 --- a/aws/templates/single-gw/gateway-master.yaml +++ b/aws/templates/single-gw/gateway-master.yaml @@ -1,21 +1,23 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into a new VPC (20240204) +Description: Deploys a Check Point Security Gateway into a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings Parameters: - AvailabilityZone - - VPCCIDR - - PublicSubnetCIDR - - PrivateSubnetCIDR + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: - GatewayName - - GatewayInstanceType - - KeyName + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR - AllocatePublicAddress - VolumeSize - VolumeType @@ -23,21 +25,10 @@ Metadata: - EnableInstanceConnect - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - - GatewaySICKey - GatewayPasswordHash - GatewayMaintenancePasswordHash - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - GatewayToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -45,9 +36,6 @@ Metadata: - GatewayBootstrapScript - NTPPrimary - NTPSecondary - - Label: - default: Automatic Provisioning with Security Management Server Settings (optional) - Parameters: - ControlGatewayOverPrivateOrPublicAddress - ManagementServer - ConfigurationTemplate @@ -81,7 +69,7 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Gateway Version & license + default: Gateway Version & License Shell: default: Admin shell GatewaySICKey: @@ -362,7 +350,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -413,7 +400,7 @@ Parameters: - false GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP @@ -421,6 +408,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/single-gw/gateway.yaml b/aws/templates/single-gw/gateway.yaml index 233826f2..8679e8d3 100644 --- a/aws/templates/single-gw/gateway.yaml +++ b/aws/templates/single-gw/gateway.yaml @@ -1,21 +1,25 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into an existing VPC (20241027) +Description: Deploys a Check Point Security Gateway into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - PublicSubnet - PrivateSubnet - - InternalRouteTable - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -23,21 +27,10 @@ Metadata: - EnableInstanceConnect - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion + - InternalRouteTable - Shell - - GatewaySICKey - GatewayPasswordHash - GatewayMaintenancePasswordHash - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - - GatewayToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -45,9 +38,7 @@ Metadata: - GatewayBootstrapScript - NTPPrimary - NTPSecondary - - Label: - default: Automatic Provisioning with Security Management Server Settings (optional) - Parameters: + - GatewayToken - ControlGatewayOverPrivateOrPublicAddress - ManagementServer - ConfigurationTemplate @@ -81,7 +72,7 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Gateway Version & license + default: Gateway Version & License Shell: default: Admin shell GatewaySICKey: @@ -125,7 +116,7 @@ Parameters: Type: AWS::EC2::Subnet::Id MinLength: 1 InternalRouteTable: - Description: The route table id in which to set 0.0.0.0/0 route to the Gateway instance (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Description: The route table ID in which to set 0.0.0.0/0 route to the Gateway instance (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) Type: String Default: '' GatewayName: @@ -356,7 +347,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -407,7 +397,7 @@ Parameters: - false GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP @@ -675,7 +665,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP diff --git a/aws/templates/standalone/standalone-master.yaml b/aws/templates/standalone/standalone-master.yaml index cae6131a..6ef4071d 100644 --- a/aws/templates/standalone/standalone-master.yaml +++ b/aws/templates/standalone/standalone-master.yaml @@ -1,22 +1,27 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance in a new VPC (20241027) + Security Gateway & Management (Standalone) instance in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - StandaloneVersion + - StandaloneInstanceType + - KeyName + - AdminCIDR + - Label: + default: VPC Network Settings Parameters: - AvailabilityZone - - VPCCIDR - - PublicSubnetCIDR - - PrivateSubnetCIDR - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: - StandaloneName - - StandaloneInstanceType - - KeyName + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR - AllocatePublicAddress - VolumeSize - VolumeType @@ -24,16 +29,9 @@ Metadata: - EnableInstanceConnect - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - StandaloneVersion - Shell - StandalonePasswordHash - StandaloneMaintenancePasswordHash - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - StandaloneHostname - AllowUploadDownload @@ -41,7 +39,6 @@ Metadata: - StandaloneBootstrapScript - NTPPrimary - NTPSecondary - - AdminCIDR - GatewaysAddresses ParameterLabels: AvailabilityZone: @@ -55,7 +52,7 @@ Metadata: StandaloneName: default: Standalone Name StandaloneInstanceType: - default: Instance type + default: Standalone Instance type KeyName: default: Key name AllocatePublicAddress: @@ -73,7 +70,7 @@ Metadata: MetaDataToken: default: Metadata HTTP token StandaloneVersion: - default: License + default: Standalone Version & License Shell: default: Admin shell StandalonePasswordHash: @@ -95,7 +92,7 @@ Metadata: NTPSecondary: default: Secondary NTP server AdminCIDR: - default: Administrator addresses + default: Allow SmartConsole connections from these networks GatewaysAddresses: default: Gateways addresses Parameters: @@ -174,7 +171,7 @@ Parameters: StandaloneVersion: Description: Standalone Version & License. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTP AllowedValues: - R81.10-PAYG-NGTP - R81.10-BYOL @@ -182,8 +179,8 @@ Parameters: - R81.20-BYOL - R82-PAYG-NGTP - R82-BYOL - - R82.10-PAYG-NGTP - R82.10-BYOL + - R82.10-PAYG-NGTP Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String @@ -422,7 +419,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type ResourcesTagName: Description: The name tag of the resources. (optional) diff --git a/aws/templates/standalone/standalone.yaml b/aws/templates/standalone/standalone.yaml index 063bd767..7d6598ec 100644 --- a/aws/templates/standalone/standalone.yaml +++ b/aws/templates/standalone/standalone.yaml @@ -1,22 +1,27 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance into an existing VPC (20241027) + Security Gateway & Management (Standalone) instance into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - StandaloneVersion + - StandaloneInstanceType + - KeyName + - AdminCIDR + - Label: + default: VPC Network Settings Parameters: - VPC - PublicSubnet - PrivateSubnet - - InternalRouteTable - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: + - InternalRouteTable - StandaloneName - - StandaloneInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -24,16 +29,9 @@ Metadata: - EnableInstanceConnect - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - StandaloneVersion - Shell - StandalonePasswordHash - StandaloneMaintenancePasswordHash - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - StandaloneHostname - AllowUploadDownload @@ -41,7 +39,6 @@ Metadata: - StandaloneBootstrapScript - NTPPrimary - NTPSecondary - - AdminCIDR - GatewaysAddresses ParameterLabels: VPC: @@ -73,7 +70,7 @@ Metadata: MetaDataToken: default: Metadata HTTP token StandaloneVersion: - default: License + default: Standalone Version & License Shell: default: Admin shell StandalonePasswordHash: @@ -95,7 +92,7 @@ Metadata: NTPSecondary: default: Secondary NTP server AdminCIDR: - default: Administrator addresses + default: Allow SmartConsole connections from these networks GatewaysAddresses: default: Gateways addresses Parameters: @@ -111,7 +108,7 @@ Parameters: Type: AWS::EC2::Subnet::Id MinLength: 1 InternalRouteTable: - Description: The route table id in which to set 0.0.0.0/0 route to the Security Gateway instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Description: The route table ID in which to set 0.0.0.0/0 route to the Security Gateway instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) Type: String Default: '' StandaloneName: @@ -333,7 +330,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -385,7 +381,7 @@ Parameters: StandaloneVersion: Description: Standalone Version & License. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTP AllowedValues: - R81.10-PAYG-NGTP - R81.10-BYOL @@ -393,8 +389,8 @@ Parameters: - R81.20-BYOL - R82-PAYG-NGTP - R82-BYOL - - R82.10-PAYG-NGTP - R82.10-BYOL + - R82.10-PAYG-NGTP Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String @@ -616,7 +612,7 @@ Resources: - !Join [ '', [ ' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"' ] ] - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"' ] ] - !Sub [ ' version=${Version}', { Version: !Select [ 0, !Split [ '-', !Ref StandaloneVersion ] ] } ] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20260101\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP diff --git a/aws/templates/tgw-asg/tgw-asg-master.yaml b/aws/templates/tgw-asg/tgw-asg-master.yaml index 54389be1..b04311a2 100644 --- a/aws/templates/tgw-asg/tgw-asg-master.yaml +++ b/aws/templates/tgw-asg/tgw-asg-master.yaml @@ -1,22 +1,28 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20241027) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - AvailabilityZones - NumberOfAZs + - Label: + default: Advanced Settings + Parameters: - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PublicSubnet3CIDR - PublicSubnet4CIDR - - Label: - default: General Settings - Parameters: - - KeyName - EnableVolumeEncryption - VolumeSize - VolumeType @@ -24,24 +30,15 @@ Metadata: - TerminationProtection - MetaDataToken - AllowUploadDownload - - Label: - default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration - Parameters: - AutoScaleGroupName - GatewayName - - GatewayInstanceType - GatewaysMinSize - GatewaysMaxSize - - GatewayVersion - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - CloudWatch - ASN - AdminEmail - - Label: - default: Check Point CloudGuard IaaS Security Management Server Configuration - Parameters: - ManagementDeploy - ManagementInstanceType - ManagementVersion @@ -53,9 +50,6 @@ Metadata: - AdminCIDR - GatewayManagement - GatewaysAddresses - - Label: - default: Automatic Provisioning with Security Management Server Settings - Parameters: - ControlGatewayOverPrivateOrPublicAddress - ManagementServer - ConfigurationTemplate @@ -91,21 +85,21 @@ Metadata: AllowUploadDownload: default: Allow upload & download GatewayName: - default: GatewayName + default: Gateways name GatewayInstanceType: - default: Gateways instance type + default: Gateways Instance type GatewaysMinSize: default: Minimum group size GatewaysMaxSize: default: Maximum group size GatewayVersion: - default: Gateways version & license + default: Gateways Version & License GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key CloudWatch: default: CloudWatch metrics ASN: @@ -113,27 +107,27 @@ Metadata: AdminEmail: default: Email address ManagementDeploy: - default: Deploy Management Server + default: Management Server Settings - Deploy Management Server ManagementInstanceType: - default: Instance type + default: Management Server Settings - Instance type ManagementVersion: - default: Version & license + default: Management Server Settings - Version & License ManagementPasswordHash: - default: Password hash + default: Management Server Settings - Password hash ManagementMaintenancePasswordHash: - default: Management Maintenance Password hash + default: Management Server Settings - Maintenance Password hash ManagementPermissions: - default: IAM role + default: Management Server Settings - IAM role ManagementPredefinedRole: - default: Existing IAM role name + default: Management Server Settings - Existing IAM role name GatewaysBlades: - default: Default Blades + default: Management Server Settings - Default Blades AdminCIDR: - default: Administrator addresses + default: Management Server Settings - Allow SmartConsole connections from these networks GatewayManagement: - default: Manage Gateways + default: Management Server Settings - Manage Gateways GatewaysAddresses: - default: Gateways addresses + default: Management Server Settings - Gateways addresses ControlGatewayOverPrivateOrPublicAddress: default: Gateways addresses ManagementServer: @@ -462,7 +456,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type GatewaysMinSize: Description: The minimal number of Security Gateways. @@ -477,7 +470,7 @@ Parameters: GatewayVersion: Description: The version and license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP @@ -528,9 +521,9 @@ Parameters: AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' ConstraintDescription: Must be a valid email address. ManagementDeploy: - Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the parameters related to it in the advanced settings section. Type: String - Default: true + Default: false AllowedValues: - true - false @@ -579,6 +572,17 @@ Parameters: - c6in.16xlarge - c6in.24xlarge - c6in.32xlarge + - c7a.large + - c7a.xlarge + - c7a.2xlarge + - c7a.4xlarge + - c7a.8xlarge + - c7a.12xlarge + - c7a.16xlarge + - c7a.24xlarge + - c7a.32xlarge + - c7a.48xlarge + - c7a.metal-48xl - c7i.large - c7i.xlarge - c7i.2xlarge @@ -589,6 +593,8 @@ Parameters: - c7i.24xlarge - c7i.32xlarge - c7i.48xlarge + - c7i.metal-24xl + - c7i.metal-48xl - c7i-flex.large - c7i-flex.xlarge - c7i-flex.2xlarge @@ -644,13 +650,6 @@ Parameters: - m7i.48xlarge - m7i.metal-24xl - m7i.metal-48xl - - m7i-flex.large - - m7i-flex.xlarge - - m7i-flex.2xlarge - - m7i-flex.4xlarge - - m7i-flex.8xlarge - - m7i-flex.12xlarge - - m7i-flex.16xlarge - m8i.large - m8i.xlarge - m8i.2xlarge @@ -703,6 +702,14 @@ Parameters: - r5n.12xlarge - r5n.16xlarge - r5n.24xlarge + - r6gd.large + - r6gd.xlarge + - r6gd.2xlarge + - r6gd.4xlarge + - r6gd.8xlarge + - r6gd.12xlarge + - r6gd.16xlarge + - r6gd.metal - r6i.large - r6i.xlarge - r6i.2xlarge @@ -721,13 +728,32 @@ Parameters: - r7a.24xlarge - r7a.32xlarge - r7a.48xlarge - - + - r7i.large + - r7i.xlarge + - r7i.2xlarge + - r7i.4xlarge + - r7i.8xlarge + - r7i.12xlarge + - r7i.16xlarge + - r7i.24xlarge + - r7i.48xlarge + - r7i.metal-24xl + - r7i.metal-48xl + - r7iz.large + - r7iz.xlarge + - r7iz.2xlarge + - r7iz.4xlarge + - r7iz.8xlarge + - r7iz.12xlarge + - r7iz.16xlarge + - r7iz.32xlarge + - r7iz.metal-16xl + - r7iz.metal-32xl ConstraintDescription: Must be a valid EC2 instance type ManagementVersion: Description: The version and license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG diff --git a/aws/templates/tgw-asg/tgw-asg.yaml b/aws/templates/tgw-asg/tgw-asg.yaml index 90de3def..37f48414 100644 --- a/aws/templates/tgw-asg/tgw-asg.yaml +++ b/aws/templates/tgw-asg/tgw-asg.yaml @@ -1,17 +1,23 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20241027) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - GatewaysSubnets - Label: - default: General Settings + default: Advanced Settings Parameters: - - KeyName - EnableVolumeEncryption - VolumeSize - VolumeType @@ -19,24 +25,15 @@ Metadata: - TerminationProtection - MetaDataToken - AllowUploadDownload - - Label: - default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration - Parameters: - AutoScaleGroupName - GatewayName - - GatewayInstanceType - GatewaysMinSize - GatewaysMaxSize - - GatewayVersion - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - CloudWatch - ASN - AdminEmail - - Label: - default: Check Point CloudGuard IaaS Security Management Server Configuration - Parameters: - ManagementDeploy - ManagementInstanceType - ManagementVersion @@ -48,9 +45,6 @@ Metadata: - AdminCIDR - GatewayManagement - GatewaysAddresses - - Label: - default: Automatic Provisioning with Security Management Server Settings - Parameters: - ControlGatewayOverPrivateOrPublicAddress - ManagementServer - ConfigurationTemplate @@ -76,21 +70,21 @@ Metadata: AllowUploadDownload: default: Allow upload & download GatewayName: - default: Name + default: Gateways name GatewayInstanceType: - default: Instance type + default: Gateways Instance type GatewaysMinSize: default: Minimum group size GatewaysMaxSize: default: Maximum group size GatewayVersion: - default: Version & license + default: Gateways Version & License GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key CloudWatch: default: CloudWatch metrics ASN: @@ -98,27 +92,27 @@ Metadata: AdminEmail: default: Email address ManagementDeploy: - default: Deploy Management Server + default: Management Server Settings - Deploy Management Server ManagementInstanceType: - default: Instance type + default: Management Server Settings - Instance type ManagementVersion: - default: Version & license + default: Management Server Settings - Version & License ManagementPasswordHash: - default: Password hash + default: Management Server Settings - Password hash ManagementMaintenancePasswordHash: default: Management Maintenance Password hash ManagementPermissions: - default: IAM role + default: Management Server Settings - IAM role ManagementPredefinedRole: - default: Existing IAM role name + default: Management Server Settings - Existing IAM role name GatewaysBlades: - default: Default Blades + default: Management Server Settings - Default Blades AdminCIDR: - default: Administrator addresses + default: Management Server Settings - Allow SmartConsole connections from these networks GatewaysAddresses: - default: Gateways addresses + default: Management Server Settings - Gateways addresses GatewayManagement: - default: Manage Gateways + default: Management Server Settings - Manage Gateways ControlGatewayOverPrivateOrPublicAddress: default: Gateways addresses ManagementServer: @@ -416,7 +410,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: Must be a valid EC2 instance type GatewaysMinSize: Description: The minimal number of Security Gateways. @@ -431,7 +424,7 @@ Parameters: GatewayVersion: Description: The version and license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP @@ -482,9 +475,9 @@ Parameters: AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' ConstraintDescription: Must be a valid email address. ManagementDeploy: - Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the parameters related to it in the advanced settings section. Type: String - Default: true + Default: false AllowedValues: - true - false @@ -533,6 +526,17 @@ Parameters: - c6in.16xlarge - c6in.24xlarge - c6in.32xlarge + - c7a.large + - c7a.xlarge + - c7a.2xlarge + - c7a.4xlarge + - c7a.8xlarge + - c7a.12xlarge + - c7a.16xlarge + - c7a.24xlarge + - c7a.32xlarge + - c7a.48xlarge + - c7a.metal-48xl - c7i.large - c7i.xlarge - c7i.2xlarge @@ -543,6 +547,8 @@ Parameters: - c7i.24xlarge - c7i.32xlarge - c7i.48xlarge + - c7i.metal-24xl + - c7i.metal-48xl - c7i-flex.large - c7i-flex.xlarge - c7i-flex.2xlarge @@ -598,13 +604,6 @@ Parameters: - m7i.48xlarge - m7i.metal-24xl - m7i.metal-48xl - - m7i-flex.large - - m7i-flex.xlarge - - m7i-flex.2xlarge - - m7i-flex.4xlarge - - m7i-flex.8xlarge - - m7i-flex.12xlarge - - m7i-flex.16xlarge - m8i.large - m8i.xlarge - m8i.2xlarge @@ -657,6 +656,14 @@ Parameters: - r5n.12xlarge - r5n.16xlarge - r5n.24xlarge + - r6gd.large + - r6gd.xlarge + - r6gd.2xlarge + - r6gd.4xlarge + - r6gd.8xlarge + - r6gd.12xlarge + - r6gd.16xlarge + - r6gd.metal - r6i.large - r6i.xlarge - r6i.2xlarge @@ -675,13 +682,32 @@ Parameters: - r7a.24xlarge - r7a.32xlarge - r7a.48xlarge - - + - r7i.large + - r7i.xlarge + - r7i.2xlarge + - r7i.4xlarge + - r7i.8xlarge + - r7i.12xlarge + - r7i.16xlarge + - r7i.24xlarge + - r7i.48xlarge + - r7i.metal-24xl + - r7i.metal-48xl + - r7iz.large + - r7iz.xlarge + - r7iz.2xlarge + - r7iz.4xlarge + - r7iz.8xlarge + - r7iz.12xlarge + - r7iz.16xlarge + - r7iz.32xlarge + - r7iz.metal-16xl + - r7iz.metal-32xl ConstraintDescription: Must be a valid EC2 instance type ManagementVersion: Description: The version and license to install on the Security Management Server. Type: String - Default: R82-BYOL + Default: R82-PAYG AllowedValues: - R81.10-BYOL - R81.10-PAYG @@ -774,7 +800,6 @@ Resources: TemplateURL: https://cgi-cfts.s3.amazonaws.com/management/management.yaml Parameters: VPC: !Ref VPC - AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] ManagementSubnet: !Select [0, !Ref GatewaysSubnets] ManagementName: !Ref ManagementServer ManagementInstanceType: !Ref ManagementInstanceType @@ -829,6 +854,7 @@ Resources: TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/autoscale.yaml Parameters: VPC: !Ref VPC + AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] GatewayName: !Ref GatewayName GatewayInstanceType: !Ref GatewayInstanceType diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml index 015bc104..98abfc6c 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml @@ -1,12 +1,20 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20241027) +Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings Parameters: - AvailabilityZones + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: Advanced Settings + Parameters: + - GatewayName - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR @@ -14,12 +22,6 @@ Metadata: - PrivateSubnet2CIDR - TgwSubnet1CIDR - TgwSubnet2CIDR - - Label: - default: EC2 Instance Configuration - Parameters: - - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -28,22 +30,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -69,9 +60,9 @@ Metadata: TgwSubnet2CIDR: default: TGW HA subnet 2 CIDR GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -91,15 +82,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Gateways version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -107,7 +98,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -392,7 +383,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -447,7 +437,7 @@ Parameters: - false GatewayVersion: Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml index 5ed06b17..71292f89 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml @@ -1,10 +1,17 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20241027) +Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - PublicSubnetA @@ -13,13 +20,11 @@ Metadata: - PrivateSubnetB - TgwHASubnetA - TgwHASubnetB - - InternalRouteTable - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: + - InternalRouteTable - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -28,22 +33,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -69,9 +63,9 @@ Metadata: InternalRouteTable: default: Internal route table GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -91,15 +85,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Gateways version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -107,7 +101,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -386,7 +380,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the Security Gateways. @@ -443,7 +436,7 @@ Parameters: GatewayVersion: Description: The license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R82-PAYG-NGTX AllowedValues: - R81.20-BYOL - R81.20-PAYG-NGTP diff --git a/aws/templates/tgw-ha/tgw-ha-master.yaml b/aws/templates/tgw-ha/tgw-ha-master.yaml index c6fea97d..d4309e75 100644 --- a/aws/templates/tgw-ha/tgw-ha-master.yaml +++ b/aws/templates/tgw-ha/tgw-ha-master.yaml @@ -1,12 +1,20 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20241027) +Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings Parameters: - AvailabilityZones + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: Advanced Settings + Parameters: + - GatewayName - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR @@ -14,12 +22,6 @@ Metadata: - PrivateSubnet2CIDR - TgwSubnet1CIDR - TgwSubnet2CIDR - - Label: - default: EC2 Instance Configuration - Parameters: - - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -28,22 +30,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -69,9 +60,9 @@ Metadata: TgwSubnet2CIDR: default: TGW HA subnet 2 CIDR GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -91,15 +82,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Gateways version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -107,7 +98,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -393,7 +384,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the instance. @@ -453,12 +443,6 @@ Parameters: - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX - - R82-BYOL - - R82-PAYG-NGTP - - R82-PAYG-NGTX - - R82.10-BYOL - - R82.10-PAYG-NGTP - - R82.10-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/tgw-ha/tgw-ha.yaml b/aws/templates/tgw-ha/tgw-ha.yaml index 9db2c650..83e5ad31 100644 --- a/aws/templates/tgw-ha/tgw-ha.yaml +++ b/aws/templates/tgw-ha/tgw-ha.yaml @@ -1,10 +1,17 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20241027) +Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20260101) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: - default: VPC Network Configuration + default: Basic Settings + Parameters: + - GatewayVersion + - GatewayInstanceType + - GatewaySICKey + - KeyName + - Label: + default: VPC Network Settings Parameters: - VPC - PublicSubnetA @@ -13,13 +20,11 @@ Metadata: - PrivateSubnetB - TgwHASubnetA - TgwHASubnetB - - InternalRouteTable - Label: - default: EC2 Instance Configuration + default: Advanced Settings Parameters: + - InternalRouteTable - GatewayName - - GatewayInstanceType - - KeyName - AllocatePublicAddress - VolumeSize - VolumeType @@ -28,22 +33,11 @@ Metadata: - GatewayPredefinedRole - TerminationProtection - MetaDataToken - - Label: - default: Check Point Settings - Parameters: - - GatewayVersion - Shell - GatewayPasswordHash - GatewayMaintenancePasswordHash - - GatewaySICKey - - Label: - default: Quick connect to Smart-1 Cloud (Recommended) - Parameters: - MemberAToken - MemberBToken - - Label: - default: Advanced Settings - Parameters: - ResourcesTagName - GatewayHostname - AllowUploadDownload @@ -69,9 +63,9 @@ Metadata: InternalRouteTable: default: Internal route table GatewayName: - default: Gateway Name + default: Gateways name GatewayInstanceType: - default: Security Gateways instance type + default: Gateways Instance type KeyName: default: Key name AllocatePublicAddress: @@ -91,15 +85,15 @@ Metadata: MetaDataToken: default: Metadata HTTP token GatewayVersion: - default: Gateways version & license + default: Gateways Version & License Shell: default: Admin shell GatewayPasswordHash: default: Password hash GatewayMaintenancePasswordHash: - default: Gateway Maintenance Password hash + default: Gateways Maintenance Password hash GatewaySICKey: - default: SIC key + default: Gateways SIC key MemberAToken: default: Smart-1 Cloud Token for member A MemberBToken: @@ -107,7 +101,7 @@ Metadata: ResourcesTagName: default: Resources prefix tag GatewayHostname: - default: Gateway Hostname + default: Gateways Hostname AllowUploadDownload: default: Allow upload & download CloudWatch: @@ -385,7 +379,6 @@ Parameters: - r7iz.32xlarge - r7iz.metal-16xl - r7iz.metal-32xl - ConstraintDescription: must be a valid EC2 instance type. KeyName: Description: The EC2 Key Pair to allow SSH access to the Security Gateways. @@ -442,17 +435,11 @@ Parameters: GatewayVersion: Description: The license to install on the Security Gateways. Type: String - Default: R82-BYOL + Default: R81.10-BYOL AllowedValues: - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX - - R82-BYOL - - R82-PAYG-NGTP - - R82-PAYG-NGTX - - R82.10-BYOL - - R82.10-PAYG-NGTP - - R82.10-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String