https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7425#M3991 <HTML><HEAD></HEAD><BODY><P>Thanks Dameon</P><P></P><P>I had had a look at these articles prior to posting here, but didn't find a satisfactory answer. Correct me if I'm wrong, but it seems to me that to allow HTTPS traffic to a web app protected by the firewall you need to do the following</P><P></P><OL><LI>Publish a public IP in Azure (say 52.51.50.49) which accepts traffic on port 443</LI><LI>Setup a UDR which forwards traffic received at 52.51.50.49 on port 443 to the external IP of the CP Instance (say 10.50.1.10) on a different port say 8081</LI><LI>On the CP Instance you must then have a rule that allows any traffic to 10.50.1.10 on port 8081</LI><LI>Then have a NAT rule which translates the packet to HTTPS</LI></OL><P></P><P>Am I correct with the above steps?</P><P></P><P>If so, is it safe to have an "any" rule like this to the external IP of your gateway?</P><P></P><P>Best regards</P><P></P><P>John</P></BODY></HTML> Fri, 13 Oct 2017 07:36:22 GMT John_Colfer 2017-10-13T07:36:22Z https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7423#M3989 <HTML><HEAD></HEAD><BODY><P>Hi Gang</P><P>I deployed an Azure Vsec Cluster and followed the SKs etc and it's and running fine. I'm starting to build out the policy and have run up against a problem.</P><P></P><P>Normally I would have the stealth rule as the 2nd or third rule, but when I try to allow nated traffic through to resources on the inside, it is getting dropped by the stealth rule</P><P></P><P><STRONG>For Example:</STRONG></P><P>Number: 2774078<BR />Date: 12Oct2017<BR />Time: 13:10:55<BR />Interface: eth0<BR />Origin: 52.169.50.242<BR />Type: Log<BR />Action: Drop<BR />Service: TCP-8088 (8088)<BR />Source Port: 54326<BR />Source: ext_host_95.44.141.143 (95.44.141.143)<BR />Destination: azure-external-int-fw1 (10.10.50.10)<BR />Protocol: tcp<BR />Rule: 3<BR />Rule UID: {4DC1865D-5CF9-4D2A-8B84-7CF435A7BAAE}<BR />Rule Name: Stealth<BR />Current Rule Number: 4-wr-dub-azure1-pol<BR />Information: inzone: External<BR /> outzone: External<BR />Product: Security Gateway/Management<BR />Product Family: Network<BR />Policy Info: Policy Name: wr-dub-azure1-pol<BR /> Created at: Tue Oct 10 10:43:16 2017<BR /> Installed from: irb-dub-mgmt1</P><P></P><P>Do I need to put the rule which allows this traffic above the Stealth Rule?&nbsp;</P><P></P><P>Will this mean, that when I publish an App for the internet will I have an any rule above the Stealth Rule?</P><P></P><P>I had a look for best practices regarding building out policies in Azure, but could find very little.</P><P></P><P>Could somebody please inform me of the best way to build out a fw policy in CP Azure cluster.</P><P></P><P>Best regards</P><P></P><P>John</P></BODY></HTML> Thu, 12 Oct 2017 13:04:23 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7423#M3989 John_Colfer 2017-10-12T13:04:23Z https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7424#M3990 <HTML><HEAD></HEAD><BODY><P>When you're protecting public websites in Azure, traffic isn't being routed through the vSEC gateway, but is being "proxied" in a way.</P><P>This means traffic must terminate on the vSEC instance--traffic a regular stealth rule will block.</P><P>You have to account for this.</P><P></P><P>In general, you might want to look at the reference architecture articles linked here: <A href="https://community.checkpoint.com/message/6026-reference-architecture-for-vsec-public-cloud?sr=search&amp;searchId=fb7ed289-2812-4a76-86b7-54113d75d9fc&amp;searchIndex=1" target="_blank">https://community.checkpoint.com/message/6026-reference-architecture-for-vsec-public-cloud?sr=search&amp;searchId=fb7ed289-2812-4a76-86b7-54113d75d9fc&amp;searchIndex=1</A>‌</P></BODY></HTML> Fri, 21 Jun 2019 08:58:48 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7424#M3990 PhoneBoy 2019-06-21T08:58:48Z https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7425#M3991 <HTML><HEAD></HEAD><BODY><P>Thanks Dameon</P><P></P><P>I had had a look at these articles prior to posting here, but didn't find a satisfactory answer. Correct me if I'm wrong, but it seems to me that to allow HTTPS traffic to a web app protected by the firewall you need to do the following</P><P></P><OL><LI>Publish a public IP in Azure (say 52.51.50.49) which accepts traffic on port 443</LI><LI>Setup a UDR which forwards traffic received at 52.51.50.49 on port 443 to the external IP of the CP Instance (say 10.50.1.10) on a different port say 8081</LI><LI>On the CP Instance you must then have a rule that allows any traffic to 10.50.1.10 on port 8081</LI><LI>Then have a NAT rule which translates the packet to HTTPS</LI></OL><P></P><P>Am I correct with the above steps?</P><P></P><P>If so, is it safe to have an "any" rule like this to the external IP of your gateway?</P><P></P><P>Best regards</P><P></P><P>John</P></BODY></HTML> Fri, 13 Oct 2017 07:36:22 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7425#M3991 John_Colfer 2017-10-13T07:36:22Z https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7426#M3992 <HTML><HEAD></HEAD><BODY><P>That all&nbsp;looks correct.</P><P>"Any" is fine in this case.</P></BODY></HTML> Fri, 13 Oct 2017 17:04:15 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Stealth-Rule-In-Azure-VSec-Policy/m-p/7426#M3992 PhoneBoy 2017-10-13T17:04:15Z