topic Re: CloudGuard Network for AWS Security Cluster R81.20 in Cloud Firewall

CloudGuard Network for AWS Security Cluster R81.20

Simon_Macpherso — Fri, 12 May 2023 06:06:54 GMT

I have deployed a Check Point CloudGuard Network Security Cluster into an existing VPC on AWS using terraform at https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/cluster and added to Smart Console using the following guide.

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_Cluster_DeploymentGuide/Content/Topics-AWS-Cluster-DG/Deploying-a-Check-Point-Cluster-in-AWS.htm?tocpath=Deployment%20Steps%7CStep%203%253A%20Deploying%20the%20Check%20Point%20Security%20Cluster%7C_____0#Step_3__Deploying_the_Check_Point_Security_Cluster

The active gateway does not have an internet access.

$FWDIR/scripts/aws_ha_test.py script is failing when attempting to connect to ec2.us-west-1.amazonaws.com:443.

Testing cluster interface configuration...
Cluster interface configuration tested successfully

Testing connection to ec2.us-west-1.amazonaws.com:443...
Traceback (most recent call last):
File "/opt/CPsuite-R81.20/fw1/scripts/aws_ha_test.py", line 155, in test
subprocess.check_call(cmd)
File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/subprocess.py", line 363, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['nc', '-w', '5', '-z', 'ec2.us-west-1.amazonaws.com', '443']' returned non-zero exit status 1.
Error:
Failed to connect to the AWS API endpoint
Please verify that outgoing connections over TCP port 443 (HTTPS) to the AWS
endpoint are allowed by the firewall security policy.
See:
http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region

Regards,
Simon

Re: CloudGuard Network for AWS Security Cluster R81.20

G_W_Albrecht — Fri, 12 May 2023 08:49:03 GMT

You wrote: $FWDIR/scripts/aws_ha_test.py script is failing when attempting to connect to ec2.us-west-1.amazonaws.com:443.

You know that the connection should be possible, but the script is failing ? These outgoing connections over TCP port 443 (HTTPS) to the AWS endpoint are allowed by the firewall security policy ?

Re: CloudGuard Network for AWS Security Cluster R81.20

Nir_Shamir — Sun, 14 May 2023 07:49:44 GMT

does the VM has any access to that URL ?

can you run "curl_cli -v -k "https://ec2.us-west-1.amazonaws.com" and see that it can connect ?

Re: CloudGuard Network for AWS Security Cluster R81.20

Simon_Macpherso — Sun, 14 May 2023 23:30:02 GMT

curl_cli -v -k "https://ec2.us-west-1.amazonaws.com" fails to connect

Re: CloudGuard Network for AWS Security Cluster R81.20

Simon_Macpherso — Mon, 15 May 2023 00:08:04 GMT

There is a hide NAT at the bottom of the NAT policy for the public facing subnet to translate all egress traffic from all internal networks to the external private IP allocated as cluster virtual IP for public subnet - interface-0 (external). You can see it in one of the screenshot attached but I have included the details below.

Original Source: All_Internet_Net (10.0.0.0/8)

Original Destination: Any

Original Services: Any

Translated Source: AZR_USW1_VMC_NAT (IP allocated as cluster virtual IP for public subnet - interface-0 (external))

Translated Destination: Original

Translated Services: Original

When I disable the NAT, connectivity to ec2.us-west-1-amazonaws.com from both active and standby members succeeds i.e. curl_cli -v -k "https://ec2.us-west-1-amazonaws.com".

Re: CloudGuard Network for AWS Security Cluster R81.20

Simon_Macpherso — Mon, 15 May 2023 04:07:00 GMT

I incorrectly configured the virtual cluster IP and has since been modified to the correct IP allocated from the public subnet by AWS. Re the hide NAT rule, the object used in the translated source field has been updated use the correct virtual cluster IP and the rule has been reenabled. Egress traffic is now working and being translated as configured.

However, during failing over to the standby member, the route target for 0.0.0.0/0 in the private subnet is not updated to point to the new active member ENI.

The route is only updated when the hide NAT rule is disabled.

Re: CloudGuard Network for AWS Security Cluster R81.20

Simon_Macpherso — Mon, 15 May 2023 02:21:38 GMT

I have an unrelated question, is a cluster virtual IP required for the private subnet interface? Or is it sufficient to configure the interface strictly as a Sync interface?

Re: CloudGuard Network for AWS Security Cluster R81.20

Simon_Macpherso — Mon, 15 May 2023 05:54:01 GMT

After adding the following NAT rules for each member where the original source is the external private IP, egress works after failover.

Original Source: member A eth0 IP

Original Destination: Any

Original Services: Any

Translated Source: Original

Translated Destination: Original

Translated Services: Original

Original Source: member B eth0 IP

Original Destination: Any

Original Services: Any

Translated Source: Original

Translated Destination: Original

Translated Services: Original

Regards.

Simon