topic Re: Control which azure cloudguard instance receives traffic in Cloud Firewall

Control which azure cloudguard instance receives traffic

Michael_Thompso — Sat, 21 Mar 2020 13:57:18 GMT

Hello all,

I have r80.30 cloudguard in azure scaleset fronted by standard lb. How can I control which instance in the scaleset receives traffic from the lb? Is the best way to block the health probes on port 8117 on the specific instance? If yes, what is the best way to do that?

thanks

Re: Control which azure cloudguard instance receives traffic

HeikoAnkenbrand — Sat, 21 Mar 2020 14:54:10 GMT

Why do you want to control traffic to a gateway?

Solutions:

1) You can change the order in the ClusterXL object like in a real ClusterXl. So you can control the direction. <<< Best way:-)

2) For maintenance work you can also start a "clusterXL_admin down" on a gateway.

3) The monitoring of port 8117 is included in the implied rules. So you may have to change the implied rules in the global properties and add a drop rule. I don't think that's a good idea!

Re: Control which azure cloudguard instance receives traffic

Michael_Thompso — Sat, 21 Mar 2020 22:28:41 GMT

thanks for your reply.

To answer your question, I want to be able perform maintenance on the instances in the scaleset. In this case apply the latest hotfix. Reading the Microsoft documentation on standard load balancers, if the health probe fails for a particular instance it will redirect new traffic to another instance. It will also let the current sessions terminate on their own. This is what I want so that there is no disruption of traffic. AWS makes this easy by just deregistering the instance from the target group.

My azure cloudguard is in a scaleset so it is not configured to use clusterXL. there isn’t a cluster object defined in smart console. The cme service creates only gateway objects. In this case I don’t think option 1 or 2 will work. Unless I am missing something

Re: Control which azure cloudguard instance receives traffic

Matthias_Haas — Tue, 24 Mar 2020 08:07:17 GMT

the Health Check Port is controlled by the kernel parameter "cloud_balancer_port":

[Expert@gw]# fw ctl get int cloud_balancer_port

cloud_balancer_port = 8117

this is also defined in /var/opt/fw.boot/modules/fwkern.conf

so you could try to modify the parameter on the fly like

fw ctl set int cloud_balancer_port 8119

at least on my instance, the healt check was answered by a "RST" after the modification but not sure what the LB is doing

Re: Control which azure cloudguard instance receives traffic

Michael_Thompso — Thu, 26 Mar 2020 00:07:02 GMT

I will test this in my lab. Thanks!