topic Re: Cloudguard IAAS Routing doubt and S2S VPN in Cloud Firewall

Cloudguard IAAS Routing doubt and S2S VPN

Blason_R — Mon, 04 Oct 2021 07:25:41 GMT

Hi Team,

Just a confusion about routing in Azure and would really appreicate if someone can help me on the doubt

I am going to setup Check Point cluster in Azure which will have

VNET - 10.1.0.0/16
FE Subnet - 10.1.1.0/24
BE Subnet- 10.1.2.0/24
FE-FW1 - 10.1.1.4/24
FE-FW2 - 10.1.1.5/24
FE Cluster - 10.1.1.7/24
BE-FW1 - 10.1.2.4/24
BE-FW2 - 10.1.2.5/24
BE Cluster - 10.1.2.7/24
DB Subnet - 10.1.3.0/24
App Subnet - 10.1.4.0/24
BE LB - 10.1.2.6/24
FE LB - 10.1.1.6/24

In this case for DB & App Subnet UDRs will be

0.0.0.0/0 NH 10.1.2.4 or 10.1.2.6?

for 10.1.0.0/16 NH 10.1.2.4 or 10.1.2.6?

Plus I have received two public IP addresses for both the VMs. Since I wanted to configure VPN which Public IP should be configured on VPN Link selection page?

TIA

Blason R

Re: Cloudguard IAAS Routing doubt and S2S VPN

Nir_Shamir — Mon, 04 Oct 2021 07:40:10 GMT

Hi,

first thing, CP cluster in Azure has these Private IPs:

Frontend - 1 per GW + VIP

Backend - 1 per GW (no VIP).

also you get two LBs:

1 Frontend (external) - has Public IPs only.

1 backend (internal) - has internal private IPs only.

when you route traffic from your peered vNets , you route the default GW to the internal LB Private IP.

Now regarding the VPN , both GWs get Public IPs that are attached to their frontend IPs interfaces. these are usually used to manage the GWs from a Management Server located outside their environment (On-Premise or other Cloud Vendor).

The VIP IP address is attached to the Primary Member Frontend Interface. it also has a Public IP attached to it. you use this IP for VPN configuration.

Re: Cloudguard IAAS Routing doubt and S2S VPN

Blason_R — Mon, 04 Oct 2021 09:31:04 GMT

Hi Nir,

Thanks for the reply; now regarding public IP do we get VIP as well for public IP adress? and those needs to be defined in Topology as well?

Re: Cloudguard IAAS Routing doubt and S2S VPN

Nir_Shamir — Mon, 04 Oct 2021 09:40:07 GMT

you have 3 Public IPs:

1) 1 per GW - to manage the GWs from remote location.

2) 1 on the VIP - used usually for VPN.

check the Azure High-Availability admin guide for the configuration:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Default.htm

anyway , you don't define the Public IPs on the Topology of the Cluster , only the Private IPs.

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Default.htm

Re: Cloudguard IAAS Routing doubt and S2S VPN

Blason_R — Thu, 07 Oct 2021 04:18:06 GMT

Hey Guys,

I am still confused on Inbound NAT rule by disassociating public IP from one vm to External LB. I have setup whose outbound flow is working fine however I am having issues with Inbound NAT. This is cluster deployment

My vnet is 10.2.0.0/16

Web Subnet is 10.2.2.0/24 and web server IP is 10.2.2.4

Public IP associated was 20.30.40.50; now I have disassociated the public IP and then as per SKU I could not attach to LB hence I decided to go with new public IP.

Now while adding Inbound NAT rule in Azure portal

Front End new Public IP is 13.82.65.188

Service : HTTP

Port: 80

What will be my Target virtual machine? cpcluster1 or cpcluster2?

What will be my member-ip ? cluster VIP or member-ip1 or member-ip2

Target port I am sending at 9944 [ This would go to Check Point]

***********

Then on Check Point

Osource = Any

Odst =? [Its not accepting cluster object] [

OService = 9944

Xsource = original

xlate Dst = 10.2.2.4 [web server IP]

xlate port = 80

This is what error I am getting on portal

Gateway: cpazurecluster
Policy: Standard
Status: Failed
- Invalid Object 'cpazurecluster' in Original Dst of Address Translation Rule 2. The valid objects are: host, gateway, network, address range and router.
- Policy verification failed.
--------------------------------------------------------------------------------

Re: Cloudguard IAAS Routing doubt and S2S VPN

Nir_Shamir — Thu, 07 Oct 2021 06:22:01 GMT

Hi,

Check the admin guide from " Configure NAT Rules"

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Content/Topics-Azure-HA/Workflow-for-Setting-Up-a-High-Availability-Cluster-in-Azure.htm?tocpath=Workflow%20for%20Setting%20Up%20a%20High%20Availability%20Cluster%20in%20Azure%7C_____6#Step_6__Configure_NAT_Rules

this will explain the NAT and the load balancer configuration.

Re: Cloudguard IAAS Routing doubt and S2S VPN

Matthias_Haas — Thu, 07 Oct 2021 13:17:45 GMT

Hi, Blason,

I would use Load Balancing Rules (instead of a Inbound NAT Rule). If you enable "Floating IP (direct server return)", which is disabled per default, the LB will not NAT the Destination IP. In this case you will see the Public IP on the Firewall and you can do the NAT accordingly. That´s more straightforward in my opinion.

If using a Standard LB, please make sure to have a Network Security Group which has to allow the traffic (this is not necessary if you use a Basic LB which is sufficient and allows the traffic per default).

Re: Cloudguard IAAS Routing doubt and S2S VPN

Prabulingam_N1 — Tue, 26 Oct 2021 06:42:04 GMT

Hi Blason,

in cpnat.jpg - for NAT Rule - use attached NAT rule (Create Dynamic Object)
in webnet.jpg - for Network IP Configuration - use cluster-vip (not member IP) - attached & LoadBalancing Rule

Regards, Prabu