https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-AWS-endpoint-security-remote-access-vpn-address-pool/m-p/273483#M6182 <P>We have deployed a <STRONG>CloudGuard cluster across multiple AWS Availability Zones in HA mode</STRONG> and are planning to enable <STRONG>Endpoint Remote Access VPN</STRONG>. The CloudGuard gateway will assign DHCP IP addresses to VPN clients.</P><P>1. The DHCP pool does <STRONG>not belong to any AWS VPC CIDR range</STRONG>. It is a local subnet in the cloudguard gateway. Is it correct ?</P><P>&nbsp;</P><P><SPAN>2. Other VPCs will route traffic destined for the VPN client pool &nbsp;to the </SPAN><STRONG>CloudGuard VPC</STRONG><SPAN>, and then the CloudGuard VPC route table set up to route traffic destined for the </SPAN><STRONG>VPN client IP pool</STRONG><SPAN> to the </SPAN><STRONG>active member ENI</STRONG><SPAN>. Is it correct ?&nbsp;<BR /><BR /></SPAN></P><P><SPAN>Thanks in advance for any response&nbsp;</SPAN></P> Mon, 16 Mar 2026 06:03:39 GMT Cathy_Cheng 2026-03-16T06:03:39Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-AWS-endpoint-security-remote-access-vpn-address-pool/m-p/273483#M6182 <P>We have deployed a <STRONG>CloudGuard cluster across multiple AWS Availability Zones in HA mode</STRONG> and are planning to enable <STRONG>Endpoint Remote Access VPN</STRONG>. The CloudGuard gateway will assign DHCP IP addresses to VPN clients.</P><P>1. The DHCP pool does <STRONG>not belong to any AWS VPC CIDR range</STRONG>. It is a local subnet in the cloudguard gateway. Is it correct ?</P><P>&nbsp;</P><P><SPAN>2. Other VPCs will route traffic destined for the VPN client pool &nbsp;to the </SPAN><STRONG>CloudGuard VPC</STRONG><SPAN>, and then the CloudGuard VPC route table set up to route traffic destined for the </SPAN><STRONG>VPN client IP pool</STRONG><SPAN> to the </SPAN><STRONG>active member ENI</STRONG><SPAN>. Is it correct ?&nbsp;<BR /><BR /></SPAN></P><P><SPAN>Thanks in advance for any response&nbsp;</SPAN></P> Mon, 16 Mar 2026 06:03:39 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-AWS-endpoint-security-remote-access-vpn-address-pool/m-p/273483#M6182 Cathy_Cheng 2026-03-16T06:03:39Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-AWS-endpoint-security-remote-access-vpn-address-pool/m-p/273487#M6183 <P>when you say "DHCP IP addresses" you mean the local office mode ip addresses or are you actually using a DHCP Server to assign IP addresses ?</P> <P>the local office mode ip addresses pool are ip addresses assigned by the GW to the clients and it is local to the GW's.</P> <P>Regarding the route you are correct, you need to return the traffic toward the remote access clients towards the GW, unless you are hiding them behind the GW using NAT.</P> Mon, 16 Mar 2026 07:47:00 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-AWS-endpoint-security-remote-access-vpn-address-pool/m-p/273487#M6183 Nir_Shamir 2026-03-16T07:47:00Z