topic Re: Service exposed in multiple AWS region in Cloud Firewall

Service exposed in multiple AWS region

AyGit — Fri, 06 Nov 2020 02:43:08 GMT

I've deployed Cloudguard IaaS instances in front of the Internet and published an RDP service through an NLB in AWS US region.
I'll plan to publish the service also in AWS APAC region and protected with the same way as the first NLB+CloudGuard.

I'd like to use the same firewall policy and NAT rules for both regions. I create the policy and NAT rule manually:

src: Internet --- dst: LocalGateway --- Xlate Src: LocalGateway (Hide) --- Xlate Dst: RDP_Service_US (s)

I'd like to know how I can add the NAT rule by using the 'LocalGateway' dynamic object. I don't if I can create the rule below when my 2nd AWS region will ready.

src: Internet --- dst: LocalGateway --- Xlate Src: LocalGateway (Hide) --- Xlate Dst: RDP_Service_APAC (s)

Regards

Re: Service exposed in multiple AWS region

PhoneBoy — Fri, 06 Nov 2020 04:54:41 GMT

You can use the LocalGateway object in NAT rules, yes, and it resolves on the local gateway itself.
One comment on the source, you can't really use "Internet" or "Any" for a source, but you can use the "All_Internet" object, which is basically the same thing.

Re: Service exposed in multiple AWS region

AyGit — Mon, 09 Nov 2020 21:59:00 GMT

Thanks for your feedback.

But I don't understand how both rules will match the correct gateway (US and APAC one) with the same LogalGateway object with a unique NAT rule? agree @PhoneBoy ?

Re: Service exposed in multiple AWS region

PhoneBoy — Mon, 09 Nov 2020 22:17:45 GMT

LocalGateway is a dynamic object, which is effectively a "placeholder" object.
It has no definition in Security Management and resolves on the security gateway itself.

A handful of dynamic objects (LocalGateway being one) are managed by the gateway itself.
You can create other dynamic objects as well, and their definition is defined using the dynamic_objects CLI command on the gateway.