This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RayP
Contributor
‎2022-03-09 07:12 AM
Jump to solution

Cloudguard Implementation without a Public loadbalancer / public IP's

Hi all,

Where can i find information about a Cloud Guard Implementation without a public loadbalancer or without a loadbalancer without Public IP's.

Situation (See the screenshot)

-2x Check Point Applicance ClusterXL (On-Premise) with a connection to Azure by ExpressRoute

-1x Check Point Management (On-Premise)

-Microsoft Azure Environment with multiple VNET's.

 

The Azure environment is only accessible by the ExpressRoute connection.

I want to use the Check Point Cloud Guard between VNET's and the ExpressRoute within Azure without a Internet Connection or the use of Public IP's.

So traffic from On-Premise must go to the FrontEnd Loadbalancer -Check Point CloudGuard -> BackEnd Loadbalancers -> Different kind of azure virtual machines and vice versa.

When we create a CloudGuard Network Security environment within Azure, we choose not to use "Use Public IP Prefix", but it still does.

How can we achieve this, or is this even possible?

 

 

Labels
0 Kudos
1 Solution

Accepted Solutions
Nir_Shamir
Employee Employee
Employee
‎2022-03-09 10:52 PM
Jump to solution

Hi,

I have done this several times. this is what you need to do:

1) you can't use the Frontend LB because it only has Public IPs. you can even delete it if you don't need to use it.

2) All your UDRs need to go to the Internal LB private IP and on the CloudGuard GWs make sure the default route in changed to the Azure Router on eth1 subnet.

This way all the traffic goes in and out from the same interface of the Check Point GWs (eth1) .

This way you have like a Firewall on a stick.

you can also detach the Public IPs from the CloudGuard GWs interface eth0 . the only thing you can't remove is the Public IP on the Cluster's VIP.

View solution in original post

2 Replies
Nir_Shamir
Employee Employee
Employee
‎2022-03-09 10:52 PM
Jump to solution

Hi,

I have done this several times. this is what you need to do:

1) you can't use the Frontend LB because it only has Public IPs. you can even delete it if you don't need to use it.

2) All your UDRs need to go to the Internal LB private IP and on the CloudGuard GWs make sure the default route in changed to the Azure Router on eth1 subnet.

This way all the traffic goes in and out from the same interface of the Check Point GWs (eth1) .

This way you have like a Firewall on a stick.

you can also detach the Public IPs from the CloudGuard GWs interface eth0 . the only thing you can't remove is the Public IP on the Cluster's VIP.

RayP
Contributor
‎2022-03-11 02:37 PM
In response to Nir_Shamir
Jump to solution

Thnx for the information Nir_Shamir, that helped us.👍

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Trending Discussions
AWS Cluster in-place upgrade
Upcoming Events

    Sort by:
    CheckMates Events