topic Re: Policy not matching AWS Data Center Objects in Cloud Firewall

Policy not matching AWS Data Center Objects

cdav — Wed, 03 Apr 2024 10:52:32 GMT

Hi CheckMates,

I am experiencing an issue where one set of gateways is not matching access rules where AWS DataCenter objects are used but another set of gateways with a separate policy are matching traffic and permitting against AWS DataCenter objects.

I have a AWS deployment where an Cross AZ Cluster, Auto Scaled Gateways and EC2 Manager all reside in separate VPCs and are peered via transit gateway. Identity Awareness is configured as per admin guide yet only one set of gateways (autoscaled) are matching traffic for the objects. The clustered gateways fail to permit traffic where AWS DC objects are used - if i replace the AWS object with a standard address object the traffic is permitted.

Can anyone advise on how I can troubleshoot/debug this?

Re: Policy not matching AWS Data Center Objects

Gil_Sudai — Wed, 03 Apr 2024 12:21:16 GMT

Look in $FWDIR/log/cloud_proxy.elg on the mgmt server - do you see updates being sent to the cluster gw?

Re: Policy not matching AWS Data Center Objects

cdav — Wed, 03 Apr 2024 14:21:34 GMT

Hi @Gil_Sudai

Yes i can see that it is failing to send the updates to the clusters EIP. Is it possible for these updates to go to the private addresses of the Cross AZ cluster and not the EIP? I do not wish for the communication between manager and gateways to go via the internet.

Thanks

Chris

Re: Policy not matching AWS Data Center Objects

Nir_Shamir — Wed, 03 Apr 2024 15:42:23 GMT

what IP address is configured on the Cluster object ? is it the Cluster EIP ?

updates are send to the GW/Cluster object IP address.

you can change it , check sk60701

Re: Policy not matching AWS Data Center Objects

cdav — Thu, 04 Apr 2024 07:19:32 GMT

Yes the IP in the cluster object is the public EIP. Am i able to change it in the database for one or both of the cross-az gateways? I would like this communication to happen privately not via public internet.

Re: Policy not matching AWS Data Center Objects

Nir_Shamir — Thu, 04 Apr 2024 09:09:30 GMT

Yes, check :

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CloudGuard_Controller_AdminGuide/Content/Topics-CGRDG/Configuration-Parameters.htm?Highlight=updateClusterMemberAndNotVip

# In version R81.20 with Jumbo HFA Take 26 and higher:
# Send Data Center updates from the CloudGuard Controller to the main IP address of Active member
# on the Management Plane instead of the cluster VIP address on the Data Plane
updateClusterMemberAndNotVip=true
            
I think this can help you here

Re: Policy not matching AWS Data Center Objects

Gil_Sudai — Thu, 04 Apr 2024 09:01:19 GMT

Which version is your mgmt server?

If R81.20 , look for PRJ-43926 in https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20-List-of-all-Resolved-Issues.htm?tocpath=_____4 .

From take 26 you can update the CloudGuard Controller config option to push the updated to the cluster member and not to the VIP.

Re: Policy not matching AWS Data Center Objects

cdav — Thu, 04 Apr 2024 09:30:48 GMT

Hi @Nir_Shamir @Gil_Sudai

Thank you both for you input. I am running R81.20 for management. I will check the above inline with what you've mentioned/referenced and see if I can resolve.

Thanks

Re: Policy not matching AWS Data Center Objects

cdav — Thu, 04 Apr 2024 11:28:09 GMT

@Nir_Shamir @Gil_Sudai

Its working for me now. Added the config line to vsec.conf and upgraded to the jumbo 53 anyway.

Thank you again!