Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin
Jump to solution

R80.10 CloudGuard IaaS High Availability for Microsoft Azure

1 Solution

Accepted Solutions
Ave_Joe
Contributor

It was not a routing issue and the cause has finally been sorted.

After validating everything in the document and the setup in Azure the issue was discovered to be Anti-Spoofing.

The documentation states that Anti-Spoofing should be disabled on the frontend cluster interfaces (eth0).    It does not however mention anything about disabling Anti-Spoofing on the backend cluster interfaces (eth1).

After going through the document again this morning I set a log filter for a source of the backend-lb, 168.63.129.16.Screen Shot 2019-03-14 at 10.35.33 AM.png

After a couple of iterations while working with support we finally came to the conclusion that Anti-Spoofing needed to be disabled on cluster internal interfaces also.

Policy was pushed after disabling Anti-Spoofing and everything started working as expected.

The documentation needs to be updated to also include disabling Anti-Spoofing on eth1.

View solution in original post

0 Kudos
4 Replies
Ave_Joe
Contributor

Anyone know if there is an updated CloudGuard IaaS High Availability for Microsoft Azure guide for R80.20 release?  I deployed a R80.20 IAAS Cluster and traffic to VM hosts behind the Azure gateway is not working  Using a test VM host I started a tcpdump looking for traffic.  The VM host responds to packets but the CP security gateway never sees the return packet.

I have been through this document several times trying to see what I may have missed but everything seems to  be configured per the document.

I think the issue is somewhere between the load balancer and the CP security gateway but have figured that maybe an updated version may help me figure it out.

Any one else having this issue?

Thanks!

0 Kudos
Martin_Valenta
Advisor

That sounds like more a routing issue only..

0 Kudos
Ave_Joe
Contributor

It was not a routing issue and the cause has finally been sorted.

After validating everything in the document and the setup in Azure the issue was discovered to be Anti-Spoofing.

The documentation states that Anti-Spoofing should be disabled on the frontend cluster interfaces (eth0).    It does not however mention anything about disabling Anti-Spoofing on the backend cluster interfaces (eth1).

After going through the document again this morning I set a log filter for a source of the backend-lb, 168.63.129.16.Screen Shot 2019-03-14 at 10.35.33 AM.png

After a couple of iterations while working with support we finally came to the conclusion that Anti-Spoofing needed to be disabled on cluster internal interfaces also.

Policy was pushed after disabling Anti-Spoofing and everything started working as expected.

The documentation needs to be updated to also include disabling Anti-Spoofing on eth1.

0 Kudos
_Daniel_
Contributor
Hi Dameon,

The above link looks like broken
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.