Multi Domain Management environment including all features and functionalities can now be deployed on AWS with the below limitations.
You can read more on Multi Domain here:
- Multi Domain Management Server IPs must be private static. (not AWS Elastic IPs).
- The user must ensure connectivity between all Check Point objects across the Multi Domain environment, for example:
- Multi Domain Servers and Multi Domain Log Servers.
- Domain Management Servers and Domain Log Servers.
- Security Gateways and more.
All the above must be installed in the same VPC, or be connected over VPN, or VPC Peering, or AWS Direct connect, etc.
Lack of connectivity between the different objects might result in functional issues and failures.
- For on-premise objects and Windows machine (for Smart Console usage), it is up to the user to establish connectivity with the Multi Domain environment which is deployed in AWS.
- The number of Domains is limited by the number of IP's AWS supports per interface (changes based on the type/size of the server). The exact number can be found here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI
- Policy Installation from the MDS Domain level is not supported.
Minimum Instance size requirements
m4.4xlarge and up for r80.10 or m5.4xlarge and up for r80.20
To deploy a Multi Domain Management Server in AWS, select and subscribe to one of the following licensing options:
To purchase BYOL (bring your own licenses), contact your local Check Point Partner.
Use the following CloudFormation template to deploy the Multi-Domain Management Server:
Or directly launch the template from the Cloud Formation portal by clicking here:
Note: When the management instance is started, it will automatically execute its own First Time Configuration Wizard. It can take up to 45 minutes for this step to complete.
To check the Management Server's readiness, log in to the Expert mode and run the following command:
When the Multi Management Server is ready, the output of the command shows that all processes are up.
Note: The Automatic Provisioning Service will be enabled only on Primary Multi-Domain Server
See also sk130372 - Security Management Server with CloudGuard for AWS
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.