https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263760#M5584 <P>Hello CheckMates,<BR /><BR /><BR />I am trying to understand, why Checkpoint CloudGuard standby gateway in AWS is replying to my 443 health probes?&nbsp;</P><P>My management portal has been moved from the default port to 9443,&nbsp;<BR /><BR />I have tried to configure&nbsp;$FWDIR/boot/modules/fwkern.conf with a&nbsp;cloud_balancer_port=8117 as per&nbsp;<A href="https://support.checkpoint.com/results/sk/sk181836" target="_blank">https://support.checkpoint.com/results/sk/sk181836</A>&nbsp;but it seems like the behavior is different than in Azure. It will actually forward the probes to the endpoint server, and as a regular webserver - it does listen to 443, not 8117.&nbsp;<BR /><BR /><BR /></P> Thu, 27 Nov 2025 12:10:47 GMT reybanger 2025-11-27T12:10:47Z https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263760#M5584 <P>Hello CheckMates,<BR /><BR /><BR />I am trying to understand, why Checkpoint CloudGuard standby gateway in AWS is replying to my 443 health probes?&nbsp;</P><P>My management portal has been moved from the default port to 9443,&nbsp;<BR /><BR />I have tried to configure&nbsp;$FWDIR/boot/modules/fwkern.conf with a&nbsp;cloud_balancer_port=8117 as per&nbsp;<A href="https://support.checkpoint.com/results/sk/sk181836" target="_blank">https://support.checkpoint.com/results/sk/sk181836</A>&nbsp;but it seems like the behavior is different than in Azure. It will actually forward the probes to the endpoint server, and as a regular webserver - it does listen to 443, not 8117.&nbsp;<BR /><BR /><BR /></P> Thu, 27 Nov 2025 12:10:47 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263760#M5584 reybanger 2025-11-27T12:10:47Z https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263763#M5585 <P>HTTPS port on a standby GW answering probes is a normal situation. HTTPS is open in one of many scenarios, when specific blades, such as RAS VPN, Mobile access, Identity Awareness, and more, are enabled.<BR /><BR />Why does it cause an issue for you?</P> Thu, 27 Nov 2025 12:44:19 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263763#M5585 _Val_ 2025-11-27T12:44:19Z https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263765#M5586 <P>Thank you for replying. This is basically to avoid session issues or asymmetric traffic. IT would be nice if Checkpoint would work in a similar way like in Azure - where the traffic from LB is forwarded only to active member.&nbsp;</P><P>I am looking for some options here to point traffic to my backend servers listening on 443 using load balancer in front.&nbsp;<BR /><BR /><BR /><BR /></P> Thu, 27 Nov 2025 13:47:50 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263765#M5586 reybanger 2025-11-27T13:47:50Z https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263870#M5587 <P>What kind of deployment do you exactly have ?</P> <P>from what you wrote it looks like a Cluster HA and with Clusters in AWS we use the “virtual IP” &nbsp;as the destination because it forwards the traffic to the ACTIVE member.&nbsp;<BR />in AWS we use LB’s only with Autoscale deployments.&nbsp;</P> Sat, 29 Nov 2025 06:07:37 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Both-Active-and-Standby-AWS-Cloudguard-reply-to-HTTPS-probes/m-p/263870#M5587 Nir_Shamir 2025-11-29T06:07:37Z