Contributor

Service exposed in multiple AWS regions


Hi

I've deployed CloudGuard IaaS instances in front of the Internet and published an RDP service through an NLB in the AWS US region.
I plan to publish the service also in the AWS APAC region and protect it in the same way as the first NLB+CloudGuard.

I'd like to use the same firewall policy and NAT rules for both regions. I create the policy and NAT rule manually:

src: Internet   ---   dst: LocalGateway  --- Xlate Src: LocalGateway (Hide)  --- Xlate Dst: RDP_Service_US (s)

I'd like to know how I can add the NAT rule by using the 'LocalGateway' dynamic object. I don't know if I can create the rule below when my 2nd AWS region is ready.

src: Internet   ---   dst: LocalGateway  --- Xlate Src: LocalGateway (Hide)  --- Xlate Dst: RDP_Service_APAC (s)

Regards

Ay


3 Replies
Admin

You can use the LocalGateway object in NAT rules, yes, and it resolves on the local gateway itself.
One comment on the source: you can't really use "Internet" or "Any" for a source, but you can use the "All_Internet" object, which is basically the same thing.

Contributor

Thanks for your feedback.

But I don't understand how both rules will match the correct gateway (the US and APAC one) with the same LocalGateway object in a single NAT rule? Agree, @PhoneBoy?

Admin

LocalGateway is a dynamic object, which is effectively a "placeholder" object.
It has no definition in Security Management and resolves on the security gateway itself.

A handful of dynamic objects (LocalGateway being one) are managed by the gateway itself.
You can create other dynamic objects as well, and their definition is defined using the dynamic_objects CLI command on the gateway.
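To illustrate the point of the accepted answer (one NAT rule defined once in Security Management, with dynamic objects resolved on each gateway), here is an added Python model of that resolution; it is not Check Point code. The gateway names, the addresses and the use of a second dynamic object named RDP_Service for the translated destination are constructed assumptions.

```python
# Model of how a single shared NAT rule resolves differently on each gateway.
# Added illustration for this thread, not Check Point's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_INTERNET = ip_network("0.0.0.0/0")  # stands in for the All_Internet object


@dataclass(frozen=True)
class NatRule:
    src: str        # object name for the original source
    dst: str        # object name for the original destination
    xlate_src: str  # hide NAT: traffic leaves with this object's address
    xlate_dst: str  # static NAT: destination is rewritten to this object


# The one rule from the thread, stored once in Security Management by name.
# Assumption: RDP_Service is a dynamic object created with dynamic_objects.
SHARED_RULE = NatRule(src="All_Internet", dst="LocalGateway",
                      xlate_src="LocalGateway", xlate_dst="RDP_Service")

# Per-gateway dynamic object tables (constructed sample values), as each
# gateway would hold them locally; Security Management never sees these.
GATEWAY_DYNAMIC_OBJECTS = {
    "cg-us":   {"LocalGateway": "203.0.113.10", "RDP_Service": "10.1.0.25"},
    "cg-apac": {"LocalGateway": "198.51.100.7", "RDP_Service": "10.2.0.25"},
}


def resolve(gateway: str, name: str):
    """Resolve an object name on one gateway; only dynamic objects differ."""
    if name == "All_Internet":
        return ALL_INTERNET
    return ip_network(GATEWAY_DYNAMIC_OBJECTS[gateway][name] + "/32")


def apply_nat(gateway: str, rule: NatRule, src_ip: str, dst_ip: str):
    """Return (new_src, new_dst) if the rule matches on this gateway, else None."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src not in resolve(gateway, rule.src) or dst not in resolve(gateway, rule.dst):
        return None
    new_src = resolve(gateway, rule.xlate_src).network_address
    new_dst = resolve(gateway, rule.xlate_dst).network_address
    return str(new_src), str(new_dst)


if __name__ == "__main__":
    for gw, addr in (("cg-us", "203.0.113.10"), ("cg-apac", "198.51.100.7")):
        print(gw, apply_nat(gw, SHARED_RULE, "192.0.2.44", addr))
```

The same rule object yields the US backend on the US gateway and the APAC backend on the APAC gateway, and a packet addressed to the US gateway's public IP does not match on the APAC gateway at all.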