https://community.checkpoint.com/t5/Cloud-Firewall/Solved-Servers-behind-Azure-Cloudguard-HA-do-not-have-internet/m-p/157880#M804 <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cloudguard.png" style="width: 550px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17869i31192A1399859D60/image-size/large?v=v2&amp;px=999" role="button" title="cloudguard.png" alt="cloudguard.png" /></span></P><P>&nbsp;</P><P>Basic network diagram as shown in image. Cluster configuration below:</P><OL><LI>In network management, eth1 (backend) leads to server subnet.</LI><LI>In firewall policy, server subnet has internet access.</LI><LI>In NAT policy, server subnet is SNAT'd to frontend private cluster IP address for internet traffic.</LI><LI>In Gaia OS, static route to server subnet via backend subnet (azure default gateway IP address).</LI></OL><P>The firewall cluster itself has internet access - I can ping and curl public IP addresses and websites. The logs also show that server traffic is hitting the firewall and being accepted and NAT'd.</P><P>Edit: This is version R81.10 template and tcpdump on eth0 shows SNAT'd traffic leaving the interface but no return traffic.</P><P><STRONG>Solved:</STRONG> This was actually a HA issue. Firewall2 was the active when the internet was not working. I booted up only Firewall1 this morning (I shutdown all VMs overnight) and the internet was working for the servers.&nbsp;</P><P>I gave contributor permissions to the automatically created managed identities on the VNET where the firewalls are located and also on the resource group for my IP prefixes (<SPAN>$FWDIR/scripts/azure_ha_test.py complained about this).</SPAN></P> Fri, 23 Sep 2022 16:27:01 GMT RickyDan 2022-09-23T16:27:01Z https://community.checkpoint.com/t5/Cloud-Firewall/Solved-Servers-behind-Azure-Cloudguard-HA-do-not-have-internet/m-p/157880#M804 <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cloudguard.png" style="width: 550px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17869i31192A1399859D60/image-size/large?v=v2&amp;px=999" role="button" title="cloudguard.png" alt="cloudguard.png" /></span></P><P>&nbsp;</P><P>Basic network diagram as shown in image. Cluster configuration below:</P><OL><LI>In network management, eth1 (backend) leads to server subnet.</LI><LI>In firewall policy, server subnet has internet access.</LI><LI>In NAT policy, server subnet is SNAT'd to frontend private cluster IP address for internet traffic.</LI><LI>In Gaia OS, static route to server subnet via backend subnet (azure default gateway IP address).</LI></OL><P>The firewall cluster itself has internet access - I can ping and curl public IP addresses and websites. The logs also show that server traffic is hitting the firewall and being accepted and NAT'd.</P><P>Edit: This is version R81.10 template and tcpdump on eth0 shows SNAT'd traffic leaving the interface but no return traffic.</P><P><STRONG>Solved:</STRONG> This was actually a HA issue. Firewall2 was the active when the internet was not working. I booted up only Firewall1 this morning (I shutdown all VMs overnight) and the internet was working for the servers.&nbsp;</P><P>I gave contributor permissions to the automatically created managed identities on the VNET where the firewalls are located and also on the resource group for my IP prefixes (<SPAN>$FWDIR/scripts/azure_ha_test.py complained about this).</SPAN></P> Fri, 23 Sep 2022 16:27:01 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Solved-Servers-behind-Azure-Cloudguard-HA-do-not-have-internet/m-p/157880#M804 RickyDan 2022-09-23T16:27:01Z https://community.checkpoint.com/t5/Cloud-Firewall/Solved-Servers-behind-Azure-Cloudguard-HA-do-not-have-internet/m-p/157882#M805 <P>Version/JHF?<BR />What do you see in logs?<BR />What do you see in tcpdump or fw monitor?</P> Thu, 22 Sep 2022 22:40:46 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Solved-Servers-behind-Azure-Cloudguard-HA-do-not-have-internet/m-p/157882#M805 PhoneBoy 2022-09-22T22:40:46Z https://community.checkpoint.com/t5/Cloud-Firewall/Solved-Servers-behind-Azure-Cloudguard-HA-do-not-have-internet/m-p/157889#M806 <P>This is the R81.10 template and&nbsp;<SPAN>The logs also show that server traffic is hitting the firewall and being accepted and NAT'd. When I did a tcpdump on eth0, I saw SNAT'd traffic going towards the internet but no return traffic. I did not do a fw monitor.</SPAN></P> Fri, 23 Sep 2022 02:01:40 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Solved-Servers-behind-Azure-Cloudguard-HA-do-not-have-internet/m-p/157889#M806 RickyDan 2022-09-23T02:01:40Z