This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gusa2727
Contributor
‎2022-09-15 04:15 AM
Jump to solution

Azure Scale Set - CloudGuard - Is source NAT necessary?

Hi, we are thinking on deploying a multiple Gateways in a Scale Set solution in Azure. How is assymetric routing avoided with this solution? I know that some time ago, we had to use source NAT, but we would not like to apply this solution for our network. 

On the other hand, as far I know, in Azure we have not something similar to AWS Gateway Load Balancer which uses geneve to ensure that the replay goes using the same firewall instance.

Fortinet has the FGSP protocol which syncs sessions within all firewall instances in the cluster, so it is not a problem if the traffic goes through one intance, and the replay goes through a different one. Is there something similar for Check Point? Thanks.

0 Kudos
1 Solution

Accepted Solutions
Dmitry_Gorn
Employee
Employee
‎2022-09-18 11:07 PM
In response to Gusa2727
Jump to solution

You are correct. The SNAT for N-S traffic is mentioned in the traffic flow "animated GIFs". Perhaps we can make it more clear in the admin guide - will put it on the list.

You are also correct that you will need two separate deployments - one with GWLB and one regular VMSS. A regular VMSS cannot work with GWLB (GWLB required VXLAN tunnels and in general operates differently).

One more option to consider is to use XFF header feature on the VMSS for N-S traffic. Traffic will still be NATed but you will have XFF headers.

 

Thanks,

Dmitry

View solution in original post

7 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-09-15 04:19 AM
Jump to solution

Why do you think this is a General Topic ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-09-15 05:50 AM
Jump to solution

Azure GWLB via VXLAN:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Content/Topics-Azure-...

CCSM R77/R80/ELITE
0 Kudos
Gusa2727
Contributor
‎2022-09-15 06:46 AM
In response to Chris_Atkinson
Jump to solution

Thanks, I missed that Azure has released a GWLB similar to AWS GWLB.

After checking the below video, it looks like it is still a preview solution, and it does not work for inspecting the east-west traffic, right? In case we want to inspect east-west traffic through Gateways in a scale set, and without having to deploy an External LB, is there a way to achieve this keeping aside from using source nat?

https://www.youtube.com/watch?v=gN74syBIJio

Thanks.

0 Kudos
Dmitry_Gorn
Employee
Employee
‎2022-09-17 11:11 PM
In response to Gusa2727
Jump to solution

Hi,

Sure. You can deploy a VMSS solution without an External Load Balancer and only use it for East West traffic inspection. 

The Load Balancer combination can be selected as part of the deployment template.

For East-West traffic, as long as the request and reply go via the Internal Load Balancer (as documented) you will not have to S-NAT the traffic.

Refer to the "East West" and "East West Reply" sections in the traffic flows page:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Content/Topics-Azure-V...

 

Thanks,

Dmitry

Gusa2727
Contributor
‎2022-09-18 03:38 AM
In response to Dmitry_Gorn
Jump to solution

Hi @Dmitry_Gorn,

Thank you very much for the helpful information. 

So, if I have understood everything correctly:

  • You have shared information about two different deployments Plans.
    • Public Preview CloudGuard Gateway Load Balancer
      • This Plan only requires one subnet (FrontEnd subnet)
      • This Plan does not require SNAT for external traffic. We have to chain a Public LB or Standar IP of our applications to our GWLB deployed in this Plan.
      • This deployment only works for North/South traffic.
    • CloudGuard Scale Set 
      • This Plan requires two subnets (FrontEnd and BackEnd subnets)
      • This Plan DOES NOT require SNAT for East/West traffic, because the Azure Internal LB is aware of the replay traffic, and sends the replays to the right Gateway to avoid asymmetric routing issues.
      • This Plan DOES requiere SNAT for North/South traffic. It is not especifically pointed in the document, but jugding for the Traffic Flows section, it is likely that SNAT is required for sure. 

 

Now, the thing is that we would like to find a solution able to inspect both, N/S and E/W traffic, without using SNAT for any of these traffic flows. Assuming that it is not possible for E/W Traffic to point to the GWLB and it just works if you link a Public LB or Standard IP to it, in order to be able to inspect N/S and E/W traffic flows, we would need to different deployments Plans, right? Thanks!  

0 Kudos
Dmitry_Gorn
Employee
Employee
‎2022-09-18 11:07 PM
In response to Gusa2727
Jump to solution

You are correct. The SNAT for N-S traffic is mentioned in the traffic flow "animated GIFs". Perhaps we can make it more clear in the admin guide - will put it on the list.

You are also correct that you will need two separate deployments - one with GWLB and one regular VMSS. A regular VMSS cannot work with GWLB (GWLB required VXLAN tunnels and in general operates differently).

One more option to consider is to use XFF header feature on the VMSS for N-S traffic. Traffic will still be NATed but you will have XFF headers.

 

Thanks,

Dmitry

Gusa2727
Contributor
‎2022-09-19 03:52 AM
In response to Dmitry_Gorn
Jump to solution

Thank you very much!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Trending Discussions
AWS Cluster in-place upgrade
Upcoming Events

    CheckMates Events