topic Re: Please suggest if this is a recommended way? in Cloud Firewall

Please suggest if this is a recommended way?

Blason_R — Fri, 19 Sep 2025 06:57:21 GMT

Hi Team,

I have a situation as described below where a customer is transitioning to the SAP S4 RISE platform, which is a SaaS-based solution from SAP. This platform is hosted on Azure, and we have CGNS implemented within our tenant. Peering has been established between the two tenants to facilitate communication. According to SAP, they do not permit NONRFC1918 addresses, which are public IP addresses; therefore, we have been instructed to perform source NAT for all incoming traffic on the CheckPoint Firewall.

Given that in Azure CGNS we have both FLB and BLB, it is necessary to configure port forwarding rules on the FLB, followed by NAT on the firewall. In this scenario, our objective is to achieve the following:

OS : INTERNET OD : LocalGatewayExternal OP: 5678 (Forwarded by LB) XS : 10.10.20.6 XD : 10.10.10.100 XP: 443

Currently, I identify two issues.

First, I must implement inbound HTTPS interception; otherwise, we will be unable to capture any attacks.

Secondly, since the Azure backend interface does not possess any VIP (AFAIK), I believe we will need to NAT the traffic behind a physical IP. Alternatively, is there another option? Or can I use any other IP which will failover as well in case of firewall failover?

In the event of a failover, I am curious about how the connection would function if I am NATing it behind a physical IP. Furthermore, since SAP does not permit non-RFC1918 subnets, I am uncertain about how outbound traffic will be transmitted initiated from S4 RISE hosts. I am quite confident that it cannot.

Please suggest

Re: Please suggest if this is a recommended way?

the_rock — Fri, 19 Sep 2025 16:02:15 GMT

Excellent query...also curious to see what best way is.

Andy

Re: Please suggest if this is a recommended way?

Blason_R — Tue, 23 Sep 2025 07:41:07 GMT

No one replied so definitely this is not a ideal way - i believe routing it through ALB or WAF seems to be a ideal way or at least to have a reverse proxy

Re: Please suggest if this is a recommended way?

the_rock — Tue, 23 Sep 2025 10:51:55 GMT

Not sure if TAC could assist with that question?

Re: Please suggest if this is a recommended way?

G_W_Albrecht — Tue, 23 Sep 2025 11:43:42 GMT

SAP and CGNS are high level topics not many people have to cope with. Informative SR# with TAC is suggested, maybe CP Professional Services could help here ?

Re: Please suggest if this is a recommended way?

the_rock — Tue, 23 Sep 2025 11:51:46 GMT

Yes sir, very good advice!

Re: Please suggest if this is a recommended way?

Blason_R — Mon, 29 Sep 2025 17:17:19 GMT

Well I achieved it using DynamicObject. Just like LocalGateway External I created LocalGatewayInternal with Primary firewall Internal IP on primary firewall and secondary LAN ip on seconday firewall. Then used that object in NAT rule base and that resolved the issue.