https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133404#M1312 <P>Hi all,</P> <P>Microsoft just announced&nbsp;Azure Gateway Load Balancer to be in Public Preview.<BR />Check Point published the following article about this:</P> <P><A href="https://blog-checkpoint-com.cdn.ampproject.org/c/s/blog.checkpoint.com/2021/11/02/check-point-cloudguard-is-a-launch-partner-of-azure-gateway-load-balancer/amp/" target="_blank" rel="noopener">https://blog-checkpoint-com.cdn.ampproject.org/c/s/blog.checkpoint.com/2021/11/02/check-point-cloudguard-is-a-launch-partner-of-azure-gateway-load-balancer/amp/</A></P> <P>Configuration steps can be found at:&nbsp;</P> <P><A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Content/Topics-Azure-VMSS-GWLB/Configurations-steps.htm#Step_6__Automatic_Rule_Placement_(Optional)" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Content/Topics-Azure-VMSS-GWLB/Configurations-steps.htm#Step_6__Automatic_Rule_Placement_(Optional)</A></P> <P>This weekend I've tried to set this up. Basically the setup is almost identical to a normal CoudGuard Scale Set. The only difference is the fact that you need to forward traffic from a Azure Standard Load Balancer (ASLB) using a VXLAN tunnel to the Azure Gateway Load Balancer (AGLB). The AGLB forwards the traffic to one of your CloudGuard instances using VXLAN as well. The problem I am facing is the fact that no VXLAN interfaces are deployed in my CloudGuard instance. Documentation doesn't mention configuring these interfaces yourself.</P> <P>Troubleshooting steps I took:</P> <UL> <LI>tcpdump on eth0 shows UDP port 2001 coming from the AGLB. This is the VXLAN tunnel port.</LI> <LI>Created the external VXLAN tunnel interface using:&nbsp;add vxlan id 801 dev eth0 remote &lt;AGLB_IP&gt; dstport 2001<BR />after this a tcpdump on interface vxlan801 immediately show my actual test traffic arriving</LI> <LI>Created the internal VXLAN tunnel interface using:&nbsp;add vxlan id 800 dev eth0 remote &lt;AGLB_IP&gt; dstport 2000</LI> <LI>The Known Limitations describe that the solution uses bridge mode. I did create a bridge group containing both the vxlan800 and vxlan801 interfaces but without any difference.</LI> </UL> <P>I am not sure if I am missing some steps in the deployment or if there is an issue with the Azure template.</P> <P>Hopefully other CheckMates members can share their experience!</P> <P>Leon</P> <P>&nbsp;</P> Sun, 19 Dec 2021 13:04:43 GMT leonfranken 2021-12-19T13:04:43Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133404#M1312 <P>Hi all,</P> <P>Microsoft just announced&nbsp;Azure Gateway Load Balancer to be in Public Preview.<BR />Check Point published the following article about this:</P> <P><A href="https://blog-checkpoint-com.cdn.ampproject.org/c/s/blog.checkpoint.com/2021/11/02/check-point-cloudguard-is-a-launch-partner-of-azure-gateway-load-balancer/amp/" target="_blank" rel="noopener">https://blog-checkpoint-com.cdn.ampproject.org/c/s/blog.checkpoint.com/2021/11/02/check-point-cloudguard-is-a-launch-partner-of-azure-gateway-load-balancer/amp/</A></P> <P>Configuration steps can be found at:&nbsp;</P> <P><A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Content/Topics-Azure-VMSS-GWLB/Configurations-steps.htm#Step_6__Automatic_Rule_Placement_(Optional)" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Content/Topics-Azure-VMSS-GWLB/Configurations-steps.htm#Step_6__Automatic_Rule_Placement_(Optional)</A></P> <P>This weekend I've tried to set this up. Basically the setup is almost identical to a normal CoudGuard Scale Set. The only difference is the fact that you need to forward traffic from a Azure Standard Load Balancer (ASLB) using a VXLAN tunnel to the Azure Gateway Load Balancer (AGLB). The AGLB forwards the traffic to one of your CloudGuard instances using VXLAN as well. The problem I am facing is the fact that no VXLAN interfaces are deployed in my CloudGuard instance. Documentation doesn't mention configuring these interfaces yourself.</P> <P>Troubleshooting steps I took:</P> <UL> <LI>tcpdump on eth0 shows UDP port 2001 coming from the AGLB. This is the VXLAN tunnel port.</LI> <LI>Created the external VXLAN tunnel interface using:&nbsp;add vxlan id 801 dev eth0 remote &lt;AGLB_IP&gt; dstport 2001<BR />after this a tcpdump on interface vxlan801 immediately show my actual test traffic arriving</LI> <LI>Created the internal VXLAN tunnel interface using:&nbsp;add vxlan id 800 dev eth0 remote &lt;AGLB_IP&gt; dstport 2000</LI> <LI>The Known Limitations describe that the solution uses bridge mode. I did create a bridge group containing both the vxlan800 and vxlan801 interfaces but without any difference.</LI> </UL> <P>I am not sure if I am missing some steps in the deployment or if there is an issue with the Azure template.</P> <P>Hopefully other CheckMates members can share their experience!</P> <P>Leon</P> <P>&nbsp;</P> Sun, 19 Dec 2021 13:04:43 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133404#M1312 leonfranken 2021-12-19T13:04:43Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133432#M1313 <P>Hi Leon,&nbsp;</P> <P>The VXLAN tunnels don't require user configuration as they are configured automatically by the Cloud Management Extension (CME).</P> <P>After completing step 3 in the admin guide, each GW will establish a VXLAN tunnel to Azure Gateway Load Balancer automatically.</P> <P>Thanks,</P> <P>Ariel</P> Mon, 08 Nov 2021 06:48:48 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133432#M1313 arielto 2021-11-08T06:48:48Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133434#M1314 <P>Hi Ariel,</P><P>Thanks for your reply!</P><P>Should I see actual vxlan interfaces in the Gaia config?<BR />Only interfaces I have are eth0 and&nbsp;enP37229p0s2 (Hyper-V VF nic).</P><P>Thanks,<BR />Leon</P> Mon, 08 Nov 2021 07:24:48 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133434#M1314 leonfranken 2021-11-08T07:24:48Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133449#M1315 <P>Hi Leon,</P> <P>In order for the CME to configures the VXLAN tunnel, the Security Management server must be R81.10 and the CME needs to be from take 168 or above (autoprov_cfg -v).</P> <P>Can you verify these prerequisites?</P> <P>&nbsp;</P> <P>The VXLAN interfaces should appear when running 'ifconfig' command from expert mode and their names are: vxlan800 and vxlan801.</P> <P>Regards,</P> <P>Roy</P> Mon, 08 Nov 2021 09:07:36 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133449#M1315 roye 2021-11-08T09:07:36Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133450#M1316 <P>Thanks for your reply Roy!</P><P>That's the problem&nbsp;<span class="lia-unicode-emoji" title=":angry_face:">😠</span><BR />I am running CME Version: Build: 991592117 Take: 164</P><P>I used the&nbsp;cme_installation.sh from sk157492 and made the assumption it would install the latest version, which it didn't.<BR />Just performed the offline installation of take 168 and will test again. Keep you posted!</P><P>Thanks</P><P>Leon<BR />&nbsp;</P> Mon, 08 Nov 2021 09:32:29 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133450#M1316 leonfranken 2021-11-08T09:32:29Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133552#M1317 <P>Hi all,</P><P>So using the correct CME version solved 99% of my issues&nbsp;<span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>The final 1%:</P><P>As described in the documentation:</P><P><EM>As a part of each CloudGuard IaaS Security Gateway provisioning process, the Security Management Server creates automatic Access rules <STRONG>to allow tunnel traffic between the Gateway Load Balancer and the CloudGuard IaaS Security Gateway</STRONG>. By default the automatic Access rules are created at the top of the rulebase.Sometimes it is recommended to add the rules in a specific place in the policy rather than at the top.</EM></P><P>The only rule CME creates is from the Azure Gateway Loadbalancer IP to the CloudGuard gateway(s) for both port 2000 (internal VXLAN tunnel)&nbsp; and 2001 (external VXLAN tunnel).</P><P>I noticed that the CloudGuard gateway was dropping traffic initiated by itself towards the Azure Gateway Loadbalancer IP on both port 2000 and port 2001. This resulted in the VXLAN tunnels not being established and therefore traffic did not arrive on my VM's.<BR /><BR />Manually adding a rule allowing 2000 and 2001 from my CloudGuard gateway(s) to the&nbsp;Azure Gateway Loadbalancer IP resolved it.</P><P>Anyone experienced the same?</P><P>Thanks</P><P>Leon</P> Mon, 08 Nov 2021 20:53:34 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133552#M1317 leonfranken 2021-11-08T20:53:34Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133619#M1318 <P>Hi Leon,</P> <P>&nbsp;</P> <P>We are investigating the issue you described and will update this thread when we will know more.</P> <P>It seems that these rules are required when the following Implied Rule is disabled: "Accept outgoing packets originating from Gateway".</P> <P>Regards,</P> <P>Roy</P> Tue, 09 Nov 2021 12:18:03 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133619#M1318 roye 2021-11-09T12:18:03Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133621#M1319 <P>Hi Roy,</P><P>Implied rule&nbsp;<SPAN>"Accept outgoing packets originating from Gateway" is indeed disabled in my environment.</SPAN></P><P>Thanks,</P><P>Leon</P> Tue, 09 Nov 2021 12:30:59 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133621#M1319 leonfranken 2021-11-09T12:30:59Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133701#M1320 <P>Hi Leon,&nbsp;</P> <P>We will add this support in a future release of CME.</P> <P>Meanwhile, you can create another access rule with LocalGatewayExteral as the source, and it will work for all the newly created instances.</P> <P>Thanks,</P> <P>Ariel</P> Wed, 10 Nov 2021 08:15:37 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/133701#M1320 arielto 2021-11-10T08:15:37Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/137669#M1321 <P>Hi Leon,</P> <P>The issue with the automatic rules was fixed in CME take 175.</P> <P>Regards,</P> <P>Roy</P> Tue, 04 Jan 2022 14:31:14 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/137669#M1321 roye 2022-01-04T14:31:14Z https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/137698#M1322 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/54501">@roye</a>&nbsp;</P><P>That is great! Thanks for the update!</P><P>BR,</P><P>Leon</P> Tue, 04 Jan 2022 21:44:47 GMT https://community.checkpoint.com/t5/Cloud-Firewall/CloudGuard-Network-for-Azure-VMSS-Gateway-Load-Balancer-Public/m-p/137698#M1322 leonfranken 2022-01-04T21:44:47Z