topic Re: do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration? in Cloud Firewall https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76859#M2375 <P>So. The IP for cluster was assigned but to the standby member. We've been able to fix that with <A href="https://community.checkpoint.com/t5/CloudGuard-IaaS/Vsec-Cluster-in-Azure-anyone-know-how-to/m-p/7962#M328" target="_blank">https://community.checkpoint.com/t5/CloudGuard-IaaS/Vsec-Cluster-in-Azure-anyone-know-how-to/m-p/7962#M328</A></P><P>So now we can ping the vip and see it's being directed to the proper active member. We still can't establish a VPN tunnel but that might need another post...</P> Mon, 02 Mar 2020 14:17:25 GMT flachance 2020-03-02T14:17:25Z do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration? https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76611#M2370 <P>Hi</P><P>we're setting up CloudGuard Iaas High Availability in Azure (R80.30)<BR />I can access the two firewall members when using their respective external IPs. But connectivity using the cluster-vip external IP doesn't seem to work. Trying to establish a VPN tunnel or just pinging doesn't work. I'm not seeing anything on the Active firewall with fw monitor<BR />do you need to add the cluster-vip external IP&nbsp;to the LoadBalancerFrontend IP configuration?</P><P>thanks</P> Thu, 27 Feb 2020 16:12:31 GMT https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76611#M2370 flachance 2020-02-27T16:12:31Z Re: do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration? https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76688#M2371 <P>Hi,</P><P>you should have a NSG attached to the external subnet ?</P><P>If so, please check if the access to the&nbsp; VIP is allowed</P><P>Matthias</P><P>&nbsp;</P> Fri, 28 Feb 2020 12:55:08 GMT https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76688#M2371 Matthias_Haas 2020-02-28T12:55:08Z Re: do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration? https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76702#M2372 <P>Mathias,</P><P>&nbsp;</P><P>This is the NSG attached to the frontend subnet</P><P>Inbound</P><P>AllowAllInbound Any Any Any Any Allow</P><P>AllowVnetInbound Any Any VirtualNetwork VirtualNetwork Allow</P><P>AllowAzureLBInbound Any Any AzureLoadBalancer Any Allow</P><P>DenyAllInbound Any Any Any Any Deny</P><P>&nbsp;</P><P>Outbound</P><P>AllowVnetOutbound Any any VirtualNetwork VirtualNetwork Allow</P><P>AllowInternetOutbound Any Any Any Internet Allow</P><P>DenyAllOutbound Any Any Any Any Deny</P> Fri, 28 Feb 2020 14:21:30 GMT https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76702#M2372 flachance 2020-02-28T14:21:30Z Re: do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration? https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76704#M2373 <P>ok, and your VIP is attached to the external interface of the master&nbsp; I guess ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Unbenannt.png" style="width: 670px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/4624iD069B49658404D0D/image-dimensions/670x231?v=v2" width="670" height="231" role="button" title="Unbenannt.png" alt="Unbenannt.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Feb 2020 14:37:01 GMT https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76704#M2373 Matthias_Haas 2020-02-28T14:37:01Z Re: do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration? https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76740#M2374 <P>to your specific question, no, you don't need it, the VIP for VPN purposes on the CG IaaS HA Template is a "floating IP" attached as secondary to the NIC of the active member, this job is done by a service principal deployed by the template if selected (this is by default); attached image.</P> <P>If you selected "NO" that can cause the no modification of this IP to the active member also.</P> <DIV id="tinyMceEditorChristianCastil_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>&nbsp;</P> Fri, 28 Feb 2020 17:11:06 GMT https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76740#M2374 ChristianCastil 2020-02-28T17:11:06Z Re: do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration? https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76859#M2375 <P>So. The IP for cluster was assigned but to the standby member. We've been able to fix that with <A href="https://community.checkpoint.com/t5/CloudGuard-IaaS/Vsec-Cluster-in-Azure-anyone-know-how-to/m-p/7962#M328" target="_blank">https://community.checkpoint.com/t5/CloudGuard-IaaS/Vsec-Cluster-in-Azure-anyone-know-how-to/m-p/7962#M328</A></P><P>So now we can ping the vip and see it's being directed to the proper active member. We still can't establish a VPN tunnel but that might need another post...</P> Mon, 02 Mar 2020 14:17:25 GMT https://community.checkpoint.com/t5/Cloud-Firewall/do-you-need-to-add-the-external-IP-of-the-cluster-to-the/m-p/76859#M2375 flachance 2020-03-02T14:17:25Z