topic Re: Inspecting and detecting original source address of TCP NLB inbound traffic in Cloud Firewall

Inspecting and detecting original source address of TCP NLB inbound traffic

Alejandro_Ferna — Fri, 07 Jun 2019 09:00:39 GMT

Hello,

I have a AWS TCP Network Load Balancer with proxy protocol v2 enabled. This LB routes the traffic to a logical server IP with a group of internal web servers. The ports it use are 30080 and 30443, configured as TCP service with HTTP/S protocol but it seems that IPS are not inspecting this traffic.

Futhermore, I can see the real client IP address in the web server's log, so it seems proxy protocol are working, but in the Checkpoint log I only see the internal LB addresses so I can not differentiate between real traffic and LB health check traffic.

I appreciate any kind of suggestion or hint.

Thank you, regards!

Re: Inspecting and detecting original source address of TCP NLB inbound traffic

Vladimir — Sat, 08 Jun 2019 23:42:00 GMT

For HTTPS, you may have to add server cert to the Check Point:

and for HTTP, it should work by default, but just in case it is different in AWS, check the "Non-standard ports" setting here:

and in App Control URLF Advanced Settings.

Also, take a look at this thread, perhaps it could be helpful for pinning down the real traffic:

https://community.checkpoint.com/t5/CloudGuard-IaaS/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7118#M290

Re: Inspecting and detecting original source address of TCP NLB inbound traffic

PhoneBoy — Sat, 08 Jun 2019 23:30:13 GMT

Your post is missing the link to the relevant thread.

Re: Inspecting and detecting original source address of TCP NLB inbound traffic

Vladimir — Sat, 08 Jun 2019 23:43:34 GMT

@PhoneBoy , thanks for pointing it out: got one of those errors when pasting into the post, but it allowed the process to complete sans the URL.

Re: Inspecting and detecting original source address of TCP NLB inbound traffic

PhoneBoy — Sun, 09 Jun 2019 02:36:27 GMT

The errors you're talking about seem to be transient in nature. Haven't been able to see it consistently enough to report it...

Re: Inspecting and detecting original source address of TCP NLB inbound traffic

Alejandro_Ferna — Mon, 10 Jun 2019 09:33:52 GMT

Hi Vladimir, thank you for your help.

I ve checked the "non-standard port" setting and it is enabled in both blades.

I'm checking the IPS with this URL that triggers the "web server exposed git repository..." protection:

http://{public-ip}/.git/config

When I put a web server public IP address the IPS works, prevent the connection and creates a log.

When I put the LB public IP address nothing is detected. I can see it in the checkpoint log with the LB internal IP address as a source and the connection reaches the web server.

I have read the thread as well and confirmed that the proxy protocol are enabled in the LB. The real source IP appears correctly in the web servers behind the logical servers, but in Checkpoint log:

Currently, the 10.89.240.23 is a logical server. I will change it for a host object and check if it affects in some way.

I will uptade this thread with the results.

Regards!

Re: Inspecting and detecting original source address of TCP NLB inbound traffic

Alejandro_Ferna — Tue, 11 Jun 2019 14:35:35 GMT

Checked with host object instead of logical server but nothing changes. The IPS does not apply the protections and still appears the LB internal address as a source address in the tracker.