Hi everyone,
Is it possible to deploy CloudGuard GWLB in AWS using the centralized security VPC scheme (transparent inspection) without subnet tagging?
@Shay_Levin can you please answer?
Hi,
Yes, you don't really need the subnet tagging. Most of our deployments are done without subnet tagging, using a centralized security VPC.
Hi @Nir_Shamir, okay, I want to make sure again. So if we deploy a centralized security VPC (without subnet tagging and without a transit gateway), is it possible to inspect north-south traffic?
If possible, any guidance to help us.
Yes.
It will inspect any traffic you push through the GWLB endpoints.
Just make sure to take care of routing in and out.
Check this GWLB infrastructure SK, which has all the architecture options:
Hi @Nir_Shamir, I have deployed a centralized security VPC. But I have a problem in a spoke VPC which uses NAT gateway infrastructure. If I apply the GWLBe concept with a NAT gateway (spoke VPC), the instances with private IPs behind the NAT gateway cannot reach the internet. The routing table is like this in the attachment.
Any solution?
This is how it should be:
To Internet:
VM > GWLBe > CloudGuard instances > GWLBe > NAT GW > Internet.
Back from Internet:
Internet > NAT GW > GWLBe > CloudGuard instances > GWLBe > VM
Can you send a topology of the network you created so I can understand the flow of it?
Hi @Nir_Shamir, thank you very much for your response.
So I need to add a new subnet for the NAT subnet, right?
VM > GWLBe > CloudGuard instances > GWLBe > NAT GW > Internet. ==> This means the topology flow in the spoke VPC, right?
Here is the attachment for the topology. Please advise.
Thank you
Yes,
you will need to build the NAT GWs in different subnets to allow a different route table back to the GWLBe for the return traffic.
Hi @Nir_Shamir, I have deployed it like that: added a new NAT subnet and configured the routing table in/out via GWLBe, but it doesn't work for inspection and the traffic logs don't hit Check Point. Is that topology correct to support inspection of egress traffic via a NAT gateway in the spoke VPC? Because when I read many guides, none of them describe an inspection deployment where the spoke VPC uses a NAT gateway for egress traffic.
This is what needs to be in the instances VPC:
1) Instances subnet - route to internet via GWLBe
2) GWLBe subnet - route to internet via NAT GW
3) NAT GW subnet - route to internet via IGW.
If you don't see any logs in the GWs at all, then it could be something with the GWLBe or the routes.
Also try to log in to the GWs and run "fw monitor" on the traffic to see if you see anything.
Hi @Nir_Shamir, I have been deploying a centralized security VPC. But I got some issues in a spoke VPC using NAT gateway infrastructure. If using a NAT gateway, the private IPs behind the NAT gateway can't reach the internet and can't be inspected by the security VPC (Check Point). The overall scheme from the spoke VPC using the NAT gateway connects to the security VPC just using GWLBe to GWLBe via a VPC endpoint (without any transit gateway). The routing tables are already configured correctly like this ==> private subnet routing table: destination 0.0.0.0/0 to the VPC endpoint, and then the GWLBe routing table: 0.0.0.0/0 to the NAT gateway.
Any solution for this case? Please help us.
The NAT GW needs to be on a different subnet (if it isn't already).
It needs to have a separate routing table pointing to the private subnet via the GWLBe.
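The three-subnet layout above (instances subnet > GWLBe, GWLBe subnet > NAT GW, NAT GW subnet > IGW) plus the NAT GW subnet's own route back to the private subnet via the GWLBe can be checked mechanically. The script below is an added example, not Check Point's or AWS's code; the route tables are constructed inline in the shape boto3's `describe_route_tables()` returns (an assumption about that shape), and it also shows the misconfiguration that produces the "no logs on the gateway" symptom: a missing return route lets replies match the local route and bypass the GWLBe.

```python
import ipaddress
from copy import deepcopy
# Constructed sample data (not from the thread): one route table per subnet of a
# spoke VPC 10.10.0.0/16, in the shape boto3 ec2.describe_route_tables() returns.
PRIVATE_CIDR = "10.10.1.0/24"  # the instances subnet behind the NAT GW
ROUTE_TABLES = {
    "instances": {"Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0gwlbe0001"},
    ]},
    "gwlbe": {"Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa0001"},
    ]},
    "natgw": {"Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa0001"},
        # return traffic for the instances subnet must re-enter the GWLBe
        {"DestinationCidrBlock": PRIVATE_CIDR, "GatewayId": "vpce-0gwlbe0001"},
    ]},
}

def route_target(table, dest_cidr):
    """Longest-prefix match, as the VPC router does; returns the target ID or None."""
    dest, best, best_len = ipaddress.ip_network(dest_cidr), None, -1
    for r in table["Routes"]:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dest.subnet_of(net) and net.prefixlen > best_len:
            best_len = net.prefixlen
            best = r.get("GatewayId") or r.get("NatGatewayId") or r.get("TransitGatewayId")
    return best

def check_spoke_routing(tables, private_cidr):
    """Return findings; an empty list means both directions pass through the GWLBe."""
    findings = []
    def expect(label, cidr, prefix, why):
        target = route_target(tables[label], cidr)
        if target is None or not target.startswith(prefix):
            findings.append(f"{label}: {cidr} -> {target} (expected {prefix}*, {why})")
    expect("instances", "0.0.0.0/0", "vpce-", "VM egress must enter the GWLBe")
    expect("gwlbe", "0.0.0.0/0", "nat-", "inspected traffic continues to the NAT GW")
    expect("natgw", "0.0.0.0/0", "igw-", "NAT GW subnet exits via the IGW")
    expect("natgw", private_cidr, "vpce-", "return traffic must re-enter the GWLBe")
    return findings

def without_return_route(tables):
    """Constructed misconfiguration: the NAT GW subnet lacks the route back via the
    GWLBe, so replies are delivered locally and the gateways never see or log them."""
    broken = deepcopy(tables)
    broken["natgw"]["Routes"] = [r for r in broken["natgw"]["Routes"] if r["DestinationCidrBlock"] != PRIVATE_CIDR]
    return broken
```

To run it against a real account, replace ROUTE_TABLES with the `Routes` lists of the three subnets' route tables from boto3 and keep the label-to-subnet mapping.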
Hi @Nir_Shamir, thank you very much. Your solution is already done and succeeded when we tried it in our R&D infrastructure.
But I want to ask a question again: is it possible or not to inspect between VPCs which communicate using VPC peering? If possible, how does the scheme work?
Thank you very much, please help and advise.
I guess you will need to do the same routing, with a GWLBe in each VPC.