https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152612#M1071 <P>I did not have a chance to try this myself, (use of public IPs on firewall interfaces in AWS), but it should work just fine, as this is basic functionality of CheckPoint gateways.</P> <P>Last time I was working with CloudGuard in AWS, I was using NAT between private and public segments, but I had to associate AWS public EIP to the external interface, so there was one more NAT step being performed by AWS Internet Gateway.</P> <P>&nbsp;</P> Fri, 08 Jul 2022 21:48:02 GMT Vladimir 2022-07-08T21:48:02Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152594#M1070 <P>Hello,</P> <P>Before I reach out to TAC for an official answer, maybe someone already knows the answer</P> <P>&nbsp;</P> <P>Is this supported? Cloudguard Network Firewall used via Gateway Load Balancer in transit GW setup</P> <P>&nbsp;</P> <P><EM>Two-arm mode: As shown in figure 5b below, the firewall is deployed in two-arm mode and performs both inspection as well as NAT. Some AWS partners provide firewall with NAT functionality. GWLB integrates seamlessly in such deployment mode. You don’t need to do any additional configuration changes in the GWLB. However, the firewall networking differs – one network interface is on the private subnet and the other is on public subnet. This mode requires software support from the firewall partner. Some of the GWLB partners (Palo Alto Networks, Valtix) support this feature, however consult with an AWS partner of your choice before using this mode.</EM></P> <P>&nbsp;</P> <P>source:</P> <P><A href="https://aws.amazon.com/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-load-balancer/" target="_blank">https://aws.amazon.com/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-load-balancer/</A></P> Fri, 08 Jul 2022 15:22:33 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152594#M1070 abihsot__ 2022-07-08T15:22:33Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152612#M1071 <P>I did not have a chance to try this myself, (use of public IPs on firewall interfaces in AWS), but it should work just fine, as this is basic functionality of CheckPoint gateways.</P> <P>Last time I was working with CloudGuard in AWS, I was using NAT between private and public segments, but I had to associate AWS public EIP to the external interface, so there was one more NAT step being performed by AWS Internet Gateway.</P> <P>&nbsp;</P> Fri, 08 Jul 2022 21:48:02 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152612#M1071 Vladimir 2022-07-08T21:48:02Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152623#M1072 <P>Hi,</P> <P>From what I know this should work , although the GWLB in TGW template we usually use have NAT Gateways for outbound NAT do deal with all the routing .</P> Sun, 10 Jul 2022 05:15:39 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152623#M1072 Nir_Shamir 2022-07-10T05:15:39Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152630#M1073 <P>Hi abihsot__<BR />In addition to Nir's reply<BR />Architectures references can be found in the GWLB admin guide and sk:</P> <P><A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_Security_VPC_for_Transit_Gateway/Default.htm" target="_blank">CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide</A></P> <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk174447" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk174447</A>&nbsp;</P> Sun, 10 Jul 2022 09:21:55 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152630#M1073 Roman_Kats 2022-07-10T09:21:55Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152652#M1074 <P>Yes, I know, template deploys AWS NAT gateways automatically, however I was thinking if I already have checkpoint gateways, why not use them to NAT outgoing traffic. This might be interesting to try. Thank you for replies!</P> Mon, 11 Jul 2022 06:52:41 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152652#M1074 abihsot__ 2022-07-11T06:52:41Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152659#M1075 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/23615">@abihsot__</a><BR />Unfortunately NAT is not supported on Check Point Gateways behind Gateway Load balancer&nbsp;<BR />You have to use NAT Gateway<BR />&nbsp;</P> Mon, 11 Jul 2022 07:39:37 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152659#M1075 Roman_Kats 2022-07-11T07:39:37Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152780#M1076 <P>Thank you for confirmation. Any idea if this limitation could be changed in the future?</P> Tue, 12 Jul 2022 11:21:24 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Network-FW-egress-NAT/m-p/152780#M1076 abihsot__ 2022-07-12T11:21:24Z