https://community.checkpoint.com/t5/Cloud-Firewall/Ideas-needed-in-CheckPointCG-VMSS/m-p/101367#M1838 <P>Dear CheckMates,</P><P>I need some idea on attached Topology to achieve. Anyone can help me on this please.</P><P>1) Had spinned CheckPoint-CG VMSS in Azure.<BR />2) Placed WebServer in Backend and Outgoing Internet traffic thru VMSS works fine.<BR />3) Inbound traffic to Webserver thru VMSS also works fine with FrontendLB configured.<BR />4) Since VMSS cannot support Site-to-Site VPN, we used Azure VirtualNetworkGW placed in VMSS VNet (New GatewaySubnet for AzureVPN)<BR />5) Site Connection between Azure NativeVPNGW &amp; 3rd Party got created fine &amp; Connected Status<BR />6) Used VPN Route based in Azure (not BGP) in "Connections" in Azure Portal</P><P><BR />7) Requirement is:<BR />&nbsp; &nbsp; &nbsp; &nbsp; a) Traffic from Peer-side to reach AzureVPNGW thru S2S-Tunnel.<BR />&nbsp; &nbsp; &nbsp; &nbsp; b) Then AzureVPNGW should forward this traffic to VMSS for Inspection.<BR />&nbsp; &nbsp; &nbsp; &nbsp; c) After Inspection, VMSS should in-turn route the traffic to Internal WebServer.</P><P><BR />&nbsp; &nbsp; &nbsp; &nbsp; d) Inbound is&nbsp; &nbsp; (Traffic from PeerSide =&gt;&gt;&gt; S2S =&gt;&gt;&gt; AzureVPNGW =&gt;&gt;&gt; VMSS =&gt;&gt;&gt; WebServer)<BR />&nbsp; &nbsp; &nbsp; &nbsp; e) Outbound is (Traffic From WebServer =&gt;&gt;&gt; VMSS =&gt;&gt;&gt; AzureVPNGW =&gt;&gt;&gt; S2S =&gt;&gt;&gt; PeerSide)</P><P><BR />&nbsp; &nbsp; &nbsp; &nbsp; f) When packet from PeerServer leaves their localGW, it got encrypted<BR />&nbsp; &nbsp; &nbsp; &nbsp; g) But don't see this packet in VMSS (Unable to check in AzureVPNGW)<BR />&nbsp; &nbsp; &nbsp; &nbsp; h) But Webserver sends reply packets towards VMSS for this Inbounded traffic.<BR />&nbsp; &nbsp; &nbsp; &nbsp; i) Looks like AzureVPNGW routes the Inbound traffic directly to WebServer and not to VMSS for inspection.</P><P>I unable to configure any separate routes in AzureVPNGW towards VMSS as both are part of same VNet</P><P>Either way traffic not reaching each other.</P><P>Any ideas on how can I achieve this.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CG-VMSS" style="width: 668px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8803iECAEC513E14C0698/image-size/large?v=v2&amp;px=999" role="button" title="VMSS.PNG" alt="CG-VMSS" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">CG-VMSS</span></span></P><P>&nbsp;</P><P><BR />Regards, Prabu</P> Sat, 07 Nov 2020 13:53:52 GMT Prabulingam_N1 2020-11-07T13:53:52Z https://community.checkpoint.com/t5/Cloud-Firewall/Ideas-needed-in-CheckPointCG-VMSS/m-p/101367#M1838 <P>Dear CheckMates,</P><P>I need some idea on attached Topology to achieve. Anyone can help me on this please.</P><P>1) Had spinned CheckPoint-CG VMSS in Azure.<BR />2) Placed WebServer in Backend and Outgoing Internet traffic thru VMSS works fine.<BR />3) Inbound traffic to Webserver thru VMSS also works fine with FrontendLB configured.<BR />4) Since VMSS cannot support Site-to-Site VPN, we used Azure VirtualNetworkGW placed in VMSS VNet (New GatewaySubnet for AzureVPN)<BR />5) Site Connection between Azure NativeVPNGW &amp; 3rd Party got created fine &amp; Connected Status<BR />6) Used VPN Route based in Azure (not BGP) in "Connections" in Azure Portal</P><P><BR />7) Requirement is:<BR />&nbsp; &nbsp; &nbsp; &nbsp; a) Traffic from Peer-side to reach AzureVPNGW thru S2S-Tunnel.<BR />&nbsp; &nbsp; &nbsp; &nbsp; b) Then AzureVPNGW should forward this traffic to VMSS for Inspection.<BR />&nbsp; &nbsp; &nbsp; &nbsp; c) After Inspection, VMSS should in-turn route the traffic to Internal WebServer.</P><P><BR />&nbsp; &nbsp; &nbsp; &nbsp; d) Inbound is&nbsp; &nbsp; (Traffic from PeerSide =&gt;&gt;&gt; S2S =&gt;&gt;&gt; AzureVPNGW =&gt;&gt;&gt; VMSS =&gt;&gt;&gt; WebServer)<BR />&nbsp; &nbsp; &nbsp; &nbsp; e) Outbound is (Traffic From WebServer =&gt;&gt;&gt; VMSS =&gt;&gt;&gt; AzureVPNGW =&gt;&gt;&gt; S2S =&gt;&gt;&gt; PeerSide)</P><P><BR />&nbsp; &nbsp; &nbsp; &nbsp; f) When packet from PeerServer leaves their localGW, it got encrypted<BR />&nbsp; &nbsp; &nbsp; &nbsp; g) But don't see this packet in VMSS (Unable to check in AzureVPNGW)<BR />&nbsp; &nbsp; &nbsp; &nbsp; h) But Webserver sends reply packets towards VMSS for this Inbounded traffic.<BR />&nbsp; &nbsp; &nbsp; &nbsp; i) Looks like AzureVPNGW routes the Inbound traffic directly to WebServer and not to VMSS for inspection.</P><P>I unable to configure any separate routes in AzureVPNGW towards VMSS as both are part of same VNet</P><P>Either way traffic not reaching each other.</P><P>Any ideas on how can I achieve this.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CG-VMSS" style="width: 668px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8803iECAEC513E14C0698/image-size/large?v=v2&amp;px=999" role="button" title="VMSS.PNG" alt="CG-VMSS" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">CG-VMSS</span></span></P><P>&nbsp;</P><P><BR />Regards, Prabu</P> Sat, 07 Nov 2020 13:53:52 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Ideas-needed-in-CheckPointCG-VMSS/m-p/101367#M1838 Prabulingam_N1 2020-11-07T13:53:52Z https://community.checkpoint.com/t5/Cloud-Firewall/Ideas-needed-in-CheckPointCG-VMSS/m-p/110711#M1839 <P>Hi Prabu,</P><P>did you try to define a UDR (User Defined Route) attached to your Azure VPN Gateway subnet, to route traffic for your WebServer to your VMSS ?</P><P>something like name=To_WebServer_via_VMSS, address prefix = 192.168.40.100/32, next hop = CG-VMSS</P><P>Regards,</P><P>Raphael</P> Sat, 13 Feb 2021 03:59:14 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Ideas-needed-in-CheckPointCG-VMSS/m-p/110711#M1839 Raphael_Precigo 2021-02-13T03:59:14Z https://community.checkpoint.com/t5/Cloud-Firewall/Ideas-needed-in-CheckPointCG-VMSS/m-p/110715#M1840 <P>Hi Prabu,</P><P>We can use UDR apply to the Azure Gateway subnet to route traffic to the VMSS for inspection, but pay attention, you should have:</P><P>To_WebServer, address prefix = 192.168.40.100/32, next hop: ILB of the VMSS as mentioned by Raphael</P><P>Hope help you</P><P>Kiet</P> Sat, 13 Feb 2021 06:50:05 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Ideas-needed-in-CheckPointCG-VMSS/m-p/110715#M1840 kietnguyen1011 2021-02-13T06:50:05Z