To verify that all egress traffic is routed through the firewall

[bruce-wh-li]

Describe the Issue As a security analyst, we want to verify that all egress traffic is routed through the firewall

Additional Context

• To do this in forge
• use smart consoles to view the logs

Acceptance Criteria

• Create manual test cases which will do the following From an EC2 instance in a workload account, verify that egress traffic is routed though the firewall. Provide screenshot of firewall log

[crochcunill]

Test case:

• Log in to m9tvhw-dev account
• Go to EC2 instances and open ssp-finer-mutt
• Click the Connect button
• Select Session Manager tab
• Click the Connect button
• In the terminal like screen create some egress traffic, for example

curl 98.137.11.164

Note: This is the IP for yahoo.com. You may use another address. This one has the advantage that it is not often used, so less noise in the firewall logs.

• Still in the terminal screen, find the ip for the instance (use ifconfing command, in this test the value was 10.12.18.42

• Now, log into the Perimeter account for Forge

• Open a AWS console for the perimeter account for the zone (Forge)

• Open the EC2 console

• There are several instances, check the Checkpoint Smart Config Windows 2022 instance

• Click the Connect button

• Select the RDP tab

• Click on Connect using Fleet Manager

• Click on Key pair

• Click on Paste key pair content

• Paste the Private key value

  • Getting the Private Key value
  • In another window, open Secrets Manager (for this Perimeter account)
    • Click on the secret named PBMMAccel/keypair/PBMMAccel-Appliance
    • In the new window, click on button to retrieve the secret
  • In this case, the secret is a private key string. Copy everything, including the start -----BEGIN RSA PRIVATE KEY----- and end -----END RSA PRIVATE KEY-----**

• Once the value has been pasted click the Connect button

• The desktop for the VM hosting Checkpoint will appear.

• Search for SmartConsole (Note: this VM is a windows machine, so usually the seach feature is in the bottom left of the screen)

• A pop up window will request login/pwd credentials to log into SmartConsole

  • To get the login credentials
  • Return to Secrets Manager (for the Perimeter account)
  • Click on the _CheckPoint_Firewall_ManagerCredentials secret
  • In the new window click on button to retrieve the secret
  • You will find the Admin login and pwd values. Use them to log into the Cloudguard VM

• Enter the credentials and click Login button. Click on the Read Only checkbox to prevent any mistake

• In the new interface, click on the fw.log tab

• In the new tab, in the search area, type dst:98.137.11.164

• Check the result has 10.12.18.42 as source

[crochcunill]

Test case successful. The egress traffic from EC2 instance is routed through the firewall