https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/46949#M3468 <P>It was not a routing issue and the cause has finally been sorted.</P><P>After validating everything in the document and the setup in Azure the issue was discovered to be Anti-Spoofing.</P><P>The <A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/html_frameset.htm" target="_blank">documentation</A> states that Anti-Spoofing should be disabled on the frontend cluster interfaces (eth0).&nbsp; &nbsp;&nbsp;It does not however mention anything about disabling Anti-Spoofing on the backend cluster interfaces (eth1).</P><P>After going through the document again this morning I set a log filter for a source of the backend-lb,&nbsp;<SPAN>168.63.129.16.<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2019-03-14 at 10.35.33 AM.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/63i0BD81129D0A4B6CC/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2019-03-14 at 10.35.33 AM.png" alt="Screen Shot 2019-03-14 at 10.35.33 AM.png" /></span></SPAN></P><P>After a couple of iterations while working with support we finally came to the conclusion that Anti-Spoofing needed to be disabled on cluster internal interfaces also.</P><P>Policy was pushed after disabling Anti-Spoofing and everything started working as expected.</P><P>The documentation needs to be updated to also include disabling Anti-Spoofing on eth1.</P> Thu, 14 Mar 2019 16:12:31 GMT Ave_Joe 2019-03-14T16:12:31Z https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/40519#M3465 <HTML><HEAD></HEAD><BODY><P>Most current version of this document will be here:&nbsp;<A class="link-titled" href="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_CloudGuard_IaaS_HighAvailability_for_Azure/html_frameset.htm" title="https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_CloudGuard_IaaS_HighAvailability_for_Azure/html_frameset.htm">Check Point CloudGuard IaaS High Availability for Microsoft Azure R80.10 Deployment Guide</A>&nbsp;</P></BODY></HTML> Sat, 29 Sep 2018 18:10:31 GMT https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/40519#M3465 PhoneBoy 2018-09-29T18:10:31Z https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/46842#M3466 <P>Anyone know if there is an updated CloudGuard IaaS High Availability for Microsoft Azure guide for R80.20 release? &nbsp;I deployed a R80.20 IAAS Cluster and traffic to VM hosts behind the Azure gateway is not working &nbsp;Using a test VM host I started a tcpdump looking for traffic. &nbsp;The VM host responds to packets but the CP security gateway never sees the return packet.</P><P>I have been through this document several times trying to see what I may have missed but everything seems to &nbsp;be configured per the document.</P><P>I think the issue is somewhere between the load balancer and the CP security gateway but have figured that maybe an updated version may help me figure it out.</P><P>Any one else having this issue?</P><P>Thanks!</P> Thu, 14 Mar 2019 00:38:00 GMT https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/46842#M3466 Ave_Joe 2019-03-14T00:38:00Z https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/46859#M3467 <P>That sounds like more a routing issue only..</P> Thu, 14 Mar 2019 06:41:03 GMT https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/46859#M3467 Martin_Valenta 2019-03-14T06:41:03Z https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/46949#M3468 <P>It was not a routing issue and the cause has finally been sorted.</P><P>After validating everything in the document and the setup in Azure the issue was discovered to be Anti-Spoofing.</P><P>The <A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/html_frameset.htm" target="_blank">documentation</A> states that Anti-Spoofing should be disabled on the frontend cluster interfaces (eth0).&nbsp; &nbsp;&nbsp;It does not however mention anything about disabling Anti-Spoofing on the backend cluster interfaces (eth1).</P><P>After going through the document again this morning I set a log filter for a source of the backend-lb,&nbsp;<SPAN>168.63.129.16.<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2019-03-14 at 10.35.33 AM.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/63i0BD81129D0A4B6CC/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2019-03-14 at 10.35.33 AM.png" alt="Screen Shot 2019-03-14 at 10.35.33 AM.png" /></span></SPAN></P><P>After a couple of iterations while working with support we finally came to the conclusion that Anti-Spoofing needed to be disabled on cluster internal interfaces also.</P><P>Policy was pushed after disabling Anti-Spoofing and everything started working as expected.</P><P>The documentation needs to be updated to also include disabling Anti-Spoofing on eth1.</P> Thu, 14 Mar 2019 16:12:31 GMT https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/46949#M3468 Ave_Joe 2019-03-14T16:12:31Z https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/66731#M3469 Hi Dameon,<BR /><BR />The above link looks like broken Thu, 07 Nov 2019 01:29:13 GMT https://community.checkpoint.com/t5/Cloud-Firewall/R80-10-CloudGuard-IaaS-High-Availability-for-Microsoft-Azure/m-p/66731#M3469 _Daniel_ 2019-11-07T01:29:13Z