https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/89434#M2582 <P>So this was a bug we faced in r80.20. the only way to solve was turn off fwaccel on r80.20 IAAS.&nbsp;</P> Mon, 22 Jun 2020 13:45:59 GMT rohan_savant 2020-06-22T13:45:59Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/65838#M2579 <P>we have an AWS ingress gateway auto scale group deployed. We have all routing setup between accounts using tgw.</P><P>&nbsp;</P><P>However, and this is random, some of our External load balancers with targets as gateways do not come up healthy. this is completely random but once comes up as unhealthy it never turns healthy for that particular lb.&nbsp;</P><P>&nbsp;</P><P>i am able to curl from the gateway to the internal LB and the internal LB is healthy and can be hit directly and shows the webpage.</P><P>&nbsp;</P><P>Setup:</P><P>External lb:</P><P>Listen port 443</P><P>Target port: 9500 (doesnt come up healthy but autoprov and provisioned the rules)</P><P>&nbsp;</P><P>Internal LB:</P><P>Listen port 443</P><P>Target port 443</P><P>TAG-: x-chkp-forwarding-&nbsp; https-9500-443</P><P>&nbsp;</P><P>any idea what could be happening here? we are not doing https inspection, just passing from https traffic.</P><P>&nbsp;</P><P>thanks</P><P>Rohan</P><P>&nbsp;</P> Thu, 24 Oct 2019 17:59:05 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/65838#M2579 rohan_savant 2019-10-24T17:59:05Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/65863#M2580 Can you see traffic coming from the external load balanced at all?<BR />Maybe they need to be killed and restarted? Fri, 25 Oct 2019 04:08:29 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/65863#M2580 PhoneBoy 2019-10-25T04:08:29Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/89432#M2581 <P>Hi Rohan,</P><P>Try the below setting on the Target groups of Firewall- Health Checks:</P><P class="lia-indent-padding-left-30px">Protocol: HTTPS</P><P class="lia-indent-padding-left-30px">Path: /</P><P class="lia-indent-padding-left-30px">Port: traffic port</P><P class="lia-indent-padding-left-30px">Healthy Threshold:2</P><P class="lia-indent-padding-left-30px">UnHealthy Threshold:2</P><P class="lia-indent-padding-left-30px">Timeout: 4</P><P class="lia-indent-padding-left-30px">Internal:10</P><P class="lia-indent-padding-left-30px">Success Codes: 200-499</P><P class="lia-align-left">This should give Firewall health check fine.</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">Regards, Prabu</P> Mon, 22 Jun 2020 13:43:53 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/89432#M2581 Prabulingam_N1 2020-06-22T13:43:53Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/89434#M2582 <P>So this was a bug we faced in r80.20. the only way to solve was turn off fwaccel on r80.20 IAAS.&nbsp;</P> Mon, 22 Jun 2020 13:45:59 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/89434#M2582 rohan_savant 2020-06-22T13:45:59Z https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/89435#M2583 <P>Not tested in R80.20.</P><P>But for my customer in R80.30 have "fwaccel on" and that setting on Health Check did work.</P><P>&nbsp;</P><P>Regards, Prabu</P> Mon, 22 Jun 2020 13:49:09 GMT https://community.checkpoint.com/t5/Cloud-Firewall/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/89435#M2583 Prabulingam_N1 2020-06-22T13:49:09Z