Hi
I've deployed CloudGuard IaaS instances in front of the Internet and published an RDP service through an NLB in AWS US region.
I plan to publish the service in the AWS APAC region as well, protected in the same way as the first NLB+CloudGuard.
I'd like to use the same firewall policy and NAT rules for both regions. I create the policy and NAT rule manually:
src: Internet --- dst: LocalGateway --- Xlate Src: LocalGateway (Hide) --- Xlate Dst: RDP_Service_US (s)
I'd like to know how I can add the NAT rule by using the 'LocalGateway' dynamic object. I don't know if I can create the rule below when my 2nd AWS region is ready.
src: Internet --- dst: LocalGateway --- Xlate Src: LocalGateway (Hide) --- Xlate Dst: RDP_Service_APAC (s)
Regards
Ay
LocalGateway is a dynamic object, which is effectively a "placeholder" object.
It has no definition in Security Management and resolves on the security gateway itself.
A handful of dynamic objects (LocalGateway being one) are managed by the gateway itself.
You can create other dynamic objects as well, and their definition is defined using the dynamic_objects CLI command on the gateway.
You can use the LocalGateway object in NAT rules, yes, and it resolves on the local gateway itself.
One comment on the source, you can't really use "Internet" or "Any" for a source, but you can use the "All_Internet" object, which is basically the same thing.
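An added example, not part of the thread, showing how a user-defined dynamic object gets a different definition on each gateway through the `dynamic_objects` CLI mentioned above. The object name `RDP_Service_Dyn`, the gateway names and the addresses are constructed placeholders, and the script only prints the commands unless `APPLY=1` is set on a host that has the CLI.

```shell
#!/bin/sh
# Added example: per-gateway definition of one user-defined dynamic object.
# OBJ, the gateway names and the addresses are constructed placeholders.
# The object must also exist as a dynamic object with the same name in
# SmartConsole before it can be referenced in a rule.
OBJ="RDP_Service_Dyn"

# Constructed map: gateway name -> regional RDP server address.
region_ip() {
  case "$1" in
    cg-us-1)   echo "10.10.1.20" ;;
    cg-apac-1) echo "10.20.1.20" ;;
    *)         return 1 ;;
  esac
}

# Accept only dotted-quad IPv4 with each octet in 0..255.
valid_ipv4() {
  case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Emit the commands for one gateway: create the object with a one-address
# range (-n/-r/-a), then list the local definitions (-l) for verification.
build_cmds() {
  ip=$(region_ip "$1") || { echo "unknown gateway: $1" >&2; return 1; }
  valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
  echo "dynamic_objects -n $OBJ -r $ip $ip -a"
  echo "dynamic_objects -l"
}

# Dry run by default; executes only with APPLY=1 on a host that has the CLI.
apply_cmds() {
  cmds=$(build_cmds "$1") || return 1
  printf '%s\n' "$cmds" | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ] && command -v dynamic_objects >/dev/null 2>&1; then
      sh -c "$cmd"
    else
      echo "DRY-RUN: $cmd"
    fi
  done
}

# Usage: ./define_dyn.sh cg-us-1   (run on the gateway it names)
[ $# -eq 0 ] || apply_cmds "$1"
```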
Thanks for your feedback.
But I don't understand how both rules will match the correct gateway (US and APAC one) with the same LocalGateway object with a unique NAT rule? Agree, @PhoneBoy?