topic Health Check Fails on AWS External Application Load Balancer for a Security Gateway in Cloud Firewall

Health Check Fails on AWS External Application Load Balancer for a Security Gateway

mehtasiddha — Tue, 20 Jun 2023 09:15:15 GMT

I have attached an external application load balancer to my security gateway in AWS. The health check on port 80 is always failing even after changing the health settings according to https://community.checkpoint.com/t5/Cloud-Network-Security/AWS-LB-sandwich-does-not-come-up-healthy-in-some-cases/m-p/65838/highlight/true#M949. I am using R81.10 version of gateway. Is there any solution to this problem?

Re: Health Check Fails on AWS External Application Load Balancer for a Security Gateway

Nir_Shamir — Wed, 21 Jun 2023 12:26:37 GMT

make sure you have all the right Access and NAT rules to access the application from the Load Balancers.

they need to health check the application.

Re: Health Check Fails on AWS External Application Load Balancer for a Security Gateway

mehtasiddha — Wed, 21 Jun 2023 17:21:23 GMT

The application load balancer is in front of the gateway listening on port 80 and forwarding the traffic to the gateway. But the health checks at the gateway are failing.

Re: Health Check Fails on AWS External Application Load Balancer for a Security Gateway

Nir_Shamir — Thu, 22 Jun 2023 04:35:12 GMT

the GW needs to forward the port 80 health checks to the Application . the GW is not listening on port 80.

Re: Health Check Fails on AWS External Application Load Balancer for a Security Gateway

mehtasiddha — Sat, 24 Jun 2023 06:20:53 GMT

But now I am facing a new issue, the http traffic is not being replied back, I am receiving connection timeout error while trying to the reach the internal servers running on port 80 via the external lb dns attached to the gateway. What could be causing the connection timeout error?

Re: Health Check Fails on AWS External Application Load Balancer for a Security Gateway

Nir_Shamir — Sun, 25 Jun 2023 04:33:14 GMT

first check access to the web server by login in one of the FW instances and curl or telnet the WEB server. if it works run fw monitor / cppcap on the GW and check if the traffic is coming in and out of the GW , doing NAT etc.

Re: Health Check Fails on AWS External Application Load Balancer for a Security Gateway

JoSec — Sun, 25 Jun 2023 05:51:37 GMT

If you have an ALB as a frontend to one firewall in each AZ...then read further.

Did you create a source NAT rule for the ALB subnet so it comes from a IP not in your VPC CIDR? A different IP for each AZ subnet which you would then have a route on the app subnet that routes the traffic to each firewalls ENI in each AZ. Also, your firewall rule will have to allow the inbound traffic.

Also...

1. Check the firewalls SG and subnet NACL attached to the subnet of the ALB...Need a SG rule to allow for the health check

2. Check the SG, subnet NACL and Subnet route table attached to the firewalls second interface in the routing subnet.

3. Check the SG, subnet NACL and Subnet Route Table where the application is located. Also, you need to route return traffic to the firewalls internal ENI.

4. You have to add static routes to the firewalls as well to route to the backend subnets since the firewalls do not know about the AWS routes. Example, to get to 192.168.2.0/25 GW 192.168.2.1 and obviously different GW for a firewall on another subnet.