https://community.checkpoint.com/t5/Cloud-Firewall/info-about-exposing-services-using-AWS-multi-AZ-and-Checkpoint/m-p/177107#M312 <P>Hi<BR /><BR />this is our situation:<BR /><BR />we AWS account with two AZ ; in these zone there is a Geo Cluster L3 Active Active that is facing internet.<BR /><BR />With the actual configuration each firewall has its own public ip ,and for testing purpose I used dynamic object ( configuring them using CLI on each FW ) to public a service over Internet and this is working fine.<BR />But i don't know how to manage the dns registration...</P><P>for example when AZ1 is managing the traffic for&nbsp;&nbsp;<A href="http://www.pippo.it" target="_blank">www.pippo.it</A>&nbsp;has the public ip of the checkpoint in AZ1<BR />when I force the traffic to switch in AZ2 the traffic is managed by the checkpoint in AZ2 ,but <A href="http://www.pippo.it" target="_blank">www.pippo.it</A>&nbsp;obviously point to ip of AZ1</P><P>Is there any other solution ?<BR /><BR />In normal situations usually I use a routed network for managing nat ,but on aws it seems impossible</P> Mon, 03 Apr 2023 08:31:36 GMT AleLovaz82 2023-04-03T08:31:36Z https://community.checkpoint.com/t5/Cloud-Firewall/info-about-exposing-services-using-AWS-multi-AZ-and-Checkpoint/m-p/177107#M312 <P>Hi<BR /><BR />this is our situation:<BR /><BR />we AWS account with two AZ ; in these zone there is a Geo Cluster L3 Active Active that is facing internet.<BR /><BR />With the actual configuration each firewall has its own public ip ,and for testing purpose I used dynamic object ( configuring them using CLI on each FW ) to public a service over Internet and this is working fine.<BR />But i don't know how to manage the dns registration...</P><P>for example when AZ1 is managing the traffic for&nbsp;&nbsp;<A href="http://www.pippo.it" target="_blank">www.pippo.it</A>&nbsp;has the public ip of the checkpoint in AZ1<BR />when I force the traffic to switch in AZ2 the traffic is managed by the checkpoint in AZ2 ,but <A href="http://www.pippo.it" target="_blank">www.pippo.it</A>&nbsp;obviously point to ip of AZ1</P><P>Is there any other solution ?<BR /><BR />In normal situations usually I use a routed network for managing nat ,but on aws it seems impossible</P> Mon, 03 Apr 2023 08:31:36 GMT https://community.checkpoint.com/t5/Cloud-Firewall/info-about-exposing-services-using-AWS-multi-AZ-and-Checkpoint/m-p/177107#M312 AleLovaz82 2023-04-03T08:31:36Z https://community.checkpoint.com/t5/Cloud-Firewall/info-about-exposing-services-using-AWS-multi-AZ-and-Checkpoint/m-p/177182#M313 <P>If this is truly Active-Active, wouldn't you configure the DNS to use both IPs?<BR />Also, I believe Amazon can assist with maintaining the DNS in the situation using Route53.</P> Mon, 03 Apr 2023 22:54:18 GMT https://community.checkpoint.com/t5/Cloud-Firewall/info-about-exposing-services-using-AWS-multi-AZ-and-Checkpoint/m-p/177182#M313 PhoneBoy 2023-04-03T22:54:18Z https://community.checkpoint.com/t5/Cloud-Firewall/info-about-exposing-services-using-AWS-multi-AZ-and-Checkpoint/m-p/177220#M314 <P>is a fake active active, all the routing table in aws are attached only at a single AZ at once,basically only one AZ manage the traffic,both external and internal.<BR />When we configured everything the only allowed CP configuration was the L3 Geo Cluster because the two AZ are like two different datacenter with two different provider,to make an example with "not cloud" technology.<BR /><BR />We are thinking about converting our cluster into a GWLB that *should* works across different zones</P> Tue, 04 Apr 2023 07:26:25 GMT https://community.checkpoint.com/t5/Cloud-Firewall/info-about-exposing-services-using-AWS-multi-AZ-and-Checkpoint/m-p/177220#M314 AleLovaz82 2023-04-04T07:26:25Z