topic Re: Can i import an Internal ELB from aws and use it in the NAT and security policy in Cloud Firewall

Can i import an Internal ELB from aws and use it in the NAT and security policy

rohan_savant — Fri, 09 Aug 2019 13:31:57 GMT

we are trying to setup an internal ALB and nat to the Public IP of the On-prem firewall so any inbound connections go from the public ip get NAT'ed and go to the internal ALB via VPN and VGW, i do not see any load balancers when i import objects using cloudguard controller

Re: Can i import an Internal ELB from aws and use it in the NAT and security policy

PhoneBoy — Fri, 09 Aug 2019 18:33:32 GMT

While I can't speak to whether the CloudGuard Controller can import them or not, I do know in general we handle ELB objects using Logical Server objects.
This is required because ELBs are load balanced with DNS.
Using the Logical Server object as described in SK handles this and performs the necessary NAT.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104249

Re: Can i import an Internal ELB from aws and use it in the NAT and security policy

Boris_Karnaukh — Sun, 03 Nov 2019 12:52:45 GMT

sk104249 deals with scenario when CheckPoint vSEC runs in AWS VPC.

When CheckPoint gateway sits on-premises and has VPN tunnel to Amazon VPC this solution fails to match ELB traffic. One can try using domain objects, but it is still not the best solution.

Re: Can i import an Internal ELB from aws and use it in the NAT and security policy

PhoneBoy — Mon, 04 Nov 2019 09:31:30 GMT

Domain objects don't work with NAT.
Even if the ELB could be imported with CloudGuard Connector, you wouldn't be able to use it in the NAT policy anyway.
But you could use a Dynamic Object and update it based on a DNS record.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Pre-R80-10-dynamic-objects-from-DNS-A-record-lists-one-liner/m-p/11566