https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29061#M3459 <HTML><HEAD></HEAD><BODY><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100583" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100583">Troubleshooting "SmartCenter behind NAT" issues</A>&nbsp;</P></BODY></HTML> Mon, 24 Sep 2018 23:48:49 GMT PhoneBoy 2018-09-24T23:48:49Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29058#M3456 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I have some queries regarding AWS vsec and on prem communication</P><P></P><P>1. I have added AWS cloudguard (CG) instance on our on-premise SMS through CG public IP address. This has been successfully added and SIC established. Is this the best way to add CG.</P><P></P><P>2. I have configured VPN between on-prem GW and CG. This is not being established due to certificate error as also mentioned in previous update. On further checking the logs of CG, i saw it could not retrieve CRL.</P><P></P><P>3. One VPN is being negotiated, does communication to CG Public IP including retrieving CRL go through VPN</P><P></P><P>4. We have seen this that communication to external GW Public IP (which is also peer IP address for VPN) stops working. Is there anyway to exclude this so CG can keep communicating with on prem servers</P><P></P><P>5. We are unable to see logs from this CG. The reason could be that log servers have local IP address on their object which is not recognised by CG.</P><P></P><P>I would appreciate if&nbsp;somone can advise on what are the best practices around the above queries.</P><P>Sajid</P></BODY></HTML> Mon, 24 Sep 2018 06:00:31 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29058#M3456 Sajid_Abbas 2018-09-24T06:00:31Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29059#M3457 <HTML><HEAD></HEAD><BODY><P>I don't have any experience with AWS CloudGuard but I do with Azure CloudGuard and your questions are identical to the "fun" I had with that setup.</P><P>Can you explain how your on-prem SMS is reacheable from the internet? Is it NAT'ed behind your on-premise gateway?</P><P>We also encountered SMS NAT issues and you might need to follow sk66381 and NAT control connections and specify your on-prem gateway as installation target. If you are lucky and have another Check Point gateway managed by this SMS it should be easy.</P><P>If not, welcome to the world of dummy management objects to manipulate the conf masters file... let me know if you need more info on that.</P></BODY></HTML> Mon, 24 Sep 2018 08:53:33 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29059#M3457 Jeroen_Demets 2018-09-24T08:53:33Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29060#M3458 <HTML><HEAD></HEAD><BODY><P>Hi Jeroen,</P><P></P><P>Thanks for your reply.</P><P></P><P>Our on-prem SMS is like you described NAT'd to a single IP behind our on-prem gateway with our on-prem gateway the target.&nbsp;</P><P></P><P>I'm seeing that the Cloud GW is sending request to SMS Private IP. So i guess i would have to create a dummy MGMT Object. How does it actually take effect on this particular gateway.</P><P></P><P>Sajid</P></BODY></HTML> Mon, 24 Sep 2018 22:47:31 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29060#M3458 Sajid_Abbas 2018-09-24T22:47:31Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29061#M3459 <HTML><HEAD></HEAD><BODY><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100583" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100583">Troubleshooting "SmartCenter behind NAT" issues</A>&nbsp;</P></BODY></HTML> Mon, 24 Sep 2018 23:48:49 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29061#M3459 PhoneBoy 2018-09-24T23:48:49Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29062#M3460 <HTML><HEAD></HEAD><BODY><P>Hi Jeroen and Dameon,</P><P></P><P>Thanks for the assistance. I got that bit working with dummy Management IP addresses and Static NAT configs.</P><P></P><P>The VPN seems to be coming up from one end i.e. on Smartview Monitor vsec GW shows tunnel up however on-prem shows down. On checking tcpdumps and fw monitor outputs, the vsec gateway shows the local ip address of on-prem for vpn peer and sends back tunnel management.test traffic encrypted through the tunnel.</P><P></P><P>Don't think it should be this complex in getting VPNs up. Something configured wrong here.</P><P></P><P>I checked link selection addresses on both GW and it showed public IP addresses</P><P></P><P>Sajid</P></BODY></HTML> Thu, 27 Sep 2018 02:58:39 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29062#M3460 Sajid_Abbas 2018-09-27T02:58:39Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29063#M3461 <HTML><HEAD></HEAD><BODY><P>Hi,&nbsp;</P><P>I was hoping someone with AWS experience would have replied by now. I only have experience with Azure and there Link Selection on the vSEC gateway has to be set to its local external IP (a private IP). Azure then NATs this to a public routable IP. The reference architecture guide (<SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">sk109360) </SPAN><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">mentions this. So maybe for AWS you need to change it from public IP to private IP and have AWS do some NAT magic.</SPAN></P><P></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">You say the vsec gw shows the local ip of on-prem. Is your on-prem gateway nat'ed then? It doesn't have an internet routable IP on its WAN interface?</SPAN></P><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">Jeroen</SPAN></P></BODY></HTML> Fri, 28 Sep 2018 14:15:20 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29063#M3461 Jeroen_Demets 2018-09-28T14:15:20Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29064#M3462 <HTML><HEAD></HEAD><BODY><P>Hi Jeroen,</P><P></P><P>I tried changing Link selection IP address to the Private as well as public IP address provided by AWS.</P><P></P><P>Our on-prem gateway has a direct Public IP address on its interface which is the address used to form VPN peering. However, this IP address does not show up on vsec GW as peer.&nbsp;</P><P></P><P>Sajid</P></BODY></HTML> Mon, 01 Oct 2018 21:24:36 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29064#M3462 Sajid_Abbas 2018-10-01T21:24:36Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29065#M3463 <HTML><HEAD></HEAD><BODY><P>Got this sorted. There was conflict in tunnel test method which didnt bring the VPN up.</P><P>Also changed some anti-spoofing setting.</P><P></P><P>Thanks for all your help.</P></BODY></HTML> Tue, 09 Oct 2018 00:17:33 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29065#M3463 Sajid_Abbas 2018-10-09T00:17:33Z https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29066#M3464 <HTML><HEAD></HEAD><BODY><P>Tnx for your feedback, glad you got it working.</P></BODY></HTML> Fri, 12 Oct 2018 12:52:09 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Communicating-AWS-vSEC-with-On-Prem-SMS-and-GW/m-p/29066#M3464 Jeroen_Demets 2018-10-12T12:52:09Z