https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200630#M4471 <P>Hi All,&nbsp;</P><P>I am having issues with my test lab, same config was working previously.&nbsp;</P><P>Cloudguard deployed in HA with Frontend and backend Loadbalancer.</P><P>&nbsp;</P><P>Version R81.20 for both Mgmt and Cluster</P><P>Frontend subnet: 10.0.0.0/24</P><P>FW-1 10.0.0.4&nbsp;&nbsp;FW-2 10.0.0.5&nbsp;&nbsp;Frontend VIP: 10.0.0.6</P><P>Backend subnet: 10.0.1.0/24</P><P>FW-1 10.0.1.5&nbsp; &nbsp; &nbsp;FW-2 10.0.1.6&nbsp; &nbsp;Backend LB: 10.0.1.4</P><P>Prod Subnet: 10.1.0.0/24</P><P>Webserver IP 10.1.0.4</P><P>NO Public IP attached.</P><P>Prod Route : Picture attached&nbsp;&nbsp;</P><P>NAT rules attached</P><P>Access Rules attached</P><P>AntiSpoofing off on both internal and external interface</P><P>FLB Load balancing rules configured and enable with Floating IP&nbsp; (attached)</P><P>VNET peering setup and firewall can ping backend host and also able to ssh from firewall to backend host.&nbsp;</P><P>Issue:&nbsp;</P><P>same deployment previously worked traffic coming on FrontLB public IP natted to internal (backend server 10.1.0.4).&nbsp;</P><P>something has recently changed on Azure Level and its to do with routing dont know what. but traffic from outside to internal/backend host is not reachable.</P><P>&nbsp;</P><P>TCPDUMP:</P><P>Traffic coming from home Public IP going to FLB public IP can be seen on Eth0 and on Eth1, no traffic arrive on Backend host.&nbsp;</P><P>TCPDUMP on Backend host:&nbsp;</P><P>traffic going out from Host to internet can be seen on firewall logs and Firewall Eth1</P><P>backend can access Internet and tracroute shows going via active firewall.&nbsp;</P><P>&nbsp;</P><P>have tried everything can be possible and here to ask help, best would be someone to do the lab and can see the behaviour.&nbsp;</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Dec 2023 15:59:51 GMT kamaladmire1 2023-12-14T15:59:51Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200630#M4471 <P>Hi All,&nbsp;</P><P>I am having issues with my test lab, same config was working previously.&nbsp;</P><P>Cloudguard deployed in HA with Frontend and backend Loadbalancer.</P><P>&nbsp;</P><P>Version R81.20 for both Mgmt and Cluster</P><P>Frontend subnet: 10.0.0.0/24</P><P>FW-1 10.0.0.4&nbsp;&nbsp;FW-2 10.0.0.5&nbsp;&nbsp;Frontend VIP: 10.0.0.6</P><P>Backend subnet: 10.0.1.0/24</P><P>FW-1 10.0.1.5&nbsp; &nbsp; &nbsp;FW-2 10.0.1.6&nbsp; &nbsp;Backend LB: 10.0.1.4</P><P>Prod Subnet: 10.1.0.0/24</P><P>Webserver IP 10.1.0.4</P><P>NO Public IP attached.</P><P>Prod Route : Picture attached&nbsp;&nbsp;</P><P>NAT rules attached</P><P>Access Rules attached</P><P>AntiSpoofing off on both internal and external interface</P><P>FLB Load balancing rules configured and enable with Floating IP&nbsp; (attached)</P><P>VNET peering setup and firewall can ping backend host and also able to ssh from firewall to backend host.&nbsp;</P><P>Issue:&nbsp;</P><P>same deployment previously worked traffic coming on FrontLB public IP natted to internal (backend server 10.1.0.4).&nbsp;</P><P>something has recently changed on Azure Level and its to do with routing dont know what. but traffic from outside to internal/backend host is not reachable.</P><P>&nbsp;</P><P>TCPDUMP:</P><P>Traffic coming from home Public IP going to FLB public IP can be seen on Eth0 and on Eth1, no traffic arrive on Backend host.&nbsp;</P><P>TCPDUMP on Backend host:&nbsp;</P><P>traffic going out from Host to internet can be seen on firewall logs and Firewall Eth1</P><P>backend can access Internet and tracroute shows going via active firewall.&nbsp;</P><P>&nbsp;</P><P>have tried everything can be possible and here to ask help, best would be someone to do the lab and can see the behaviour.&nbsp;</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Dec 2023 15:59:51 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200630#M4471 kamaladmire1 2023-12-14T15:59:51Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200707#M4472 <P>any thoughts?</P> Fri, 15 Dec 2023 10:08:07 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200707#M4472 kamaladmire1 2023-12-15T10:08:07Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200713#M4473 <P>Have you checked if any applicable Azure NSG has changed and verified that it allows the traffic flow?</P> <P>Might otherwise be faster to consult TAC via a remote session if you suspect the actual firewall...</P> Fri, 15 Dec 2023 11:03:48 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200713#M4473 Chris_Atkinson 2023-12-15T11:03:48Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200715#M4474 <P>Hi Chris,&nbsp;</P><P>NSG allow traffic, I have also created an Any Any rule for both direction.</P><P>&nbsp;</P> Fri, 15 Dec 2023 11:14:38 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-HA-with-Loadbalancer/m-p/200715#M4474 kamaladmire1 2023-12-15T11:14:38Z