https://community.checkpoint.com/t5/Cloud-Firewall/Azure-R81-20-Cloudguard-Cluster-Deployment-Backend-Routing/m-p/185265#M126 <P>No. Per the documentation, the 3 required routes are as follows.</P> <P>default_route 0.0.0.0/0&nbsp;<SPAN>VirtualAppliance&nbsp;</SPAN><SPAN>172.18.0.69 (backend-lb)</SPAN></P> <P>vm-01-vnet-local&nbsp;172.19.0.0/24 VNetLocal</P> <P>vm-01-vnet-other-subnets&nbsp;<SPAN>172.18.0.0/26&nbsp;VirtualAppliance&nbsp;172.18.0.69 (backend-lb)</SPAN></P> <P>&nbsp;</P> Fri, 30 Jun 2023 07:03:35 GMT Simon_Macpherso 2023-06-30T07:03:35Z https://community.checkpoint.com/t5/Cloud-Firewall/Azure-R81-20-Cloudguard-Cluster-Deployment-Backend-Routing/m-p/185262#M124 <P>Hello,</P> <P>I have deployed an R81.20 cloudguard cluster using the following IAC.</P> <P><A href="https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/azure/high-availability-existing-vnet" target="_blank" rel="nofollow noopener noreferrer">https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/azure/high-availability-existin...</A></P> <P>I have a backend routing issue where whereby</P> <UL> <LI>I have provisioned a test VM in another VNET to test egress connectivity</LI> <LI>The VM VNET and FW backend VNETs have been associated with the internal routable&nbsp;</LI> <LI>The required routes have been added to the internal routable- default route is 0.0.0.0/0 with next hop IP the&nbsp;<SPAN>backend lb</SPAN></LI> <LI>VNET peering has been setup between the VM VNET and the connectivity VNET (VNET FW subnets reside in).</LI> <LI>Static route to internal subnet has been configured on each gateway i.e.&nbsp;<BR />set static-route &lt;Virtual-Network-IP-address/Prefix&gt; nexthop gateway address &lt;eth1-router-IP-address&gt; on</LI> <LI>Anti-spoofing has been disabled on both eth0 and eth1 interfaces</LI> <LI>In Smart Console, a test VM object has been created and allowed access in policy, outbound NAT has been configured translating source to frontend eth0 external private IP.&nbsp;</LI> </UL> <P>I can see traffic hitting the active member including the a reply. But the on the VM the ICMP requests are timing out.&nbsp;&nbsp;</P> <P>[Expert@checkpoint-cloudguard-ha1:0]# tcpdump -nnnei any host 172.19.0.4 and host 1.1.1.1<BR />tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<BR />listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes<BR />06:14:29.364296 In fc:bd:67:89:19:6e ethertype IPv4 (0x0800), length 76: 172.19.0.4 &gt; 1.1.1.1: ICMP echo request, id 1, seq 352, length 40<BR />06:14:29.366766 Out 00:0d:3a:66:8a:a3 ethertype IPv4 (0x0800), length 76: 1.1.1.1 &gt; 172.19.0.4: ICMP echo reply, id 1, seq 352, length 40<BR />06:14:29.366785 Out 00:0d:3a:66:8a:a3 ethertype IPv4 (0x0800), length 76: 1.1.1.1 &gt; 172.19.0.4: ICMP echo reply, id 1, seq 352, length 40<BR />06:14:34.107158 In fc:bd:67:89:19:6e ethertype IPv4 (0x0800), length 76: 172.19.0.4 &gt; 1.1.1.1: ICMP echo request, id 1, seq 353, length 40<BR />06:14:34.109671 Out 00:0d:3a:66:8a:a3 ethertype IPv4 (0x0800), length 76: 1.1.1.1 &gt; 172.19.0.4: ICMP echo reply, id 1, seq 353, length 40<BR />06:14:34.109692 Out 00:0d:3a:66:8a:a3 ethertype IPv4 (0x0800), length 76: 1.1.1.1 &gt; 172.19.0.4: ICMP echo reply, id 1, seq 353, length 40</P> <P><SPAN class="cf0">fw monitor -w -F &lt;172.19.0.4&gt;,0,&lt;1.1.1.1&gt;,0,0 -F &lt;1.1.1.1&gt;,0,&lt;172.19.0.4&gt;,0,0</SPAN></P> <P>[vs_0][ppak_0] eth1:i[60]: 172.19.0.4 -&gt; 1.1.1.1 (ICMP) len=60 id=44093<BR />ICMP: type=8 code=0 echo request id=1 seq=356<BR />[vs_0][fw_2] eth1:i[60]: 172.19.0.4 -&gt; 1.1.1.1 (ICMP) len=60 id=44093<BR />ICMP: type=8 code=0 echo request id=1 seq=356<BR />[vs_0][fw_2] eth1:I[60]: 172.19.0.4 -&gt; 1.1.1.1 (ICMP) len=60 id=44093<BR />ICMP: type=8 code=0 echo request id=1 seq=356<BR />[vs_0][fw_2] eth0:o[60]: 172.19.0.4 -&gt; 1.1.1.1 (ICMP) len=60 id=44093<BR />ICMP: type=8 code=0 echo request id=1 seq=356<BR />[vs_0][fw_2] eth0:I[60]: 1.1.1.1 -&gt; 172.19.0.4 (ICMP) len=60 id=55497<BR />ICMP: type=0 code=0 echo reply id=1 seq=356<BR />[vs_0][fw_2] eth1:o[60]: 1.1.1.1 -&gt; 172.19.0.4 (ICMP) len=60 id=55497<BR />ICMP: type=0 code=0 echo reply id=1 seq=356<BR />[vs_0][fw_2] eth1:O[60]: 1.1.1.1 -&gt; 172.19.0.4 (ICMP) len=60 id=55497<BR />ICMP: type=0 code=0 echo reply id=1 seq=356</P> Fri, 30 Jun 2023 06:27:12 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Azure-R81-20-Cloudguard-Cluster-Deployment-Backend-Routing/m-p/185262#M124 Simon_Macpherso 2023-06-30T06:27:12Z https://community.checkpoint.com/t5/Cloud-Firewall/Azure-R81-20-Cloudguard-Cluster-Deployment-Backend-Routing/m-p/185264#M125 <P>Have you set a route in the backend network to the lowest IP address of the VNET on the Check Point FW?</P> <P>For example <BR />Backend network&nbsp;&nbsp; 10.70.22.64/26<BR />Gateway IP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.70.22<STRONG>.65&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </STRONG>for Azure internal networks.</P> Fri, 30 Jun 2023 06:47:56 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Azure-R81-20-Cloudguard-Cluster-Deployment-Backend-Routing/m-p/185264#M125 HeikoAnkenbrand 2023-06-30T06:47:56Z https://community.checkpoint.com/t5/Cloud-Firewall/Azure-R81-20-Cloudguard-Cluster-Deployment-Backend-Routing/m-p/185265#M126 <P>No. Per the documentation, the 3 required routes are as follows.</P> <P>default_route 0.0.0.0/0&nbsp;<SPAN>VirtualAppliance&nbsp;</SPAN><SPAN>172.18.0.69 (backend-lb)</SPAN></P> <P>vm-01-vnet-local&nbsp;172.19.0.0/24 VNetLocal</P> <P>vm-01-vnet-other-subnets&nbsp;<SPAN>172.18.0.0/26&nbsp;VirtualAppliance&nbsp;172.18.0.69 (backend-lb)</SPAN></P> <P>&nbsp;</P> Fri, 30 Jun 2023 07:03:35 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Azure-R81-20-Cloudguard-Cluster-Deployment-Backend-Routing/m-p/185265#M126 Simon_Macpherso 2023-06-30T07:03:35Z