Abhishek_Kumar1
Collaborator

Static NAT configuration with Load Balancer in Azure vSEC

Hi All,

We have R80.20 deployed on Azure Cloud; we have to configure Static NAT with multiple servers.

Requests come in on 443 and SSH, and we have approximately 100 servers which need Static NAT configured.

Can we configure it the same as in AWS, where we can add a secondary IP on both firewalls, attach a public IP to the firewall external subnet through the load balancer, and configure static NAT?

Or do we have any other option?

Please provide me a solution for the same.


Regards

Abhishek

ChristianCastil
Employee

You can add secondary interfaces, but this limits your capability to use some of the templates (VMSS for example) and also adds complexity. The best option is to create a Basic LB, since this can have 200 frontend IPs, then use the Load Balancing Rule if you will use several GWs, or the NAT Rule if you will only use 1 and don't care for a Probe, using the front ports 443 and 22 but the backend ports with one high port per server, for example 10443 and 10022 for "Server 1". In the configuration of the GW or GWs, use NAT rules to take the XX443 and XXX22 port requests and send them to the proper server with the original request ports 443 and 22.

This doesn't require a lot of IP addresses on the GW and lets you use VMSS to have autoscalable performance.

Abhishek_Kumar1
Collaborator

Do we have any document for configuring Static NAT with LB in Azure, which mentions the step-by-step configuration?

mdjmcnally
Advisor

The Load Balancer needs to be a Standard LB in Azure.

The Basic Load Balancer doesn't do the Health Probe properly with the CloudGuard boxes. A colleague of mine found this out the hard way!

As stated, yes, all you do is:

1.) Add a Public IP to the Load Balancer; it will have to be Standard to attach to the Standard Load Balancer.

2.) Determine the servers that the IP listens on, determine a service port to translate each one to, and then use the Health Probe to load balance the inbound traffic to the external interface and a specific port.

3.) On the Firewall, take the specific port and translate through to the internal IP of the Azure Machine/Load Balancer and the original service port.

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

It covers how to do the work.

PhoneBoy
Admin

The general configuration looks something like this:
Internet > External Load Balancer > CloudGuard IaaS Gateways > Internal Load Balancer > Servers
This allows both your gateways and your servers to autoscale as needed.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I assume the Load Balancing is primarily for HTTPS.
If you need to reach each server individually with SSH (assuming for maintenance purposes), you're probably better off creating a jumphost (using a nano instance) with a single NAT and appropriate Security Groups/ACLs in place.
Abhishek_Kumar1
Collaborator

We added the public IP in the External Load Balancer, where my Frontend IP is the new Elastic IP (port 443) and the backend IP is the Firewall external IPs (Port 8081).

Load Balance Policy pics are attached.


and also created the Rule Base and NAT:

Firewall Rule

SRC (ANY) --> DST (FW External Interface IPs) --> Services (All) --> Allow


NAT Rule 

Original SRC (ANY) --> ORG DST (Firewall EXTERNAL IPs) --> ORG SERVICE (8081) --> TRANSLATE DST (Server IP) --> Trans PORT (443)

But when trying to initiate traffic from the internet and reach port 443, the traffic is not reaching the firewall.

Please suggest how we can resolve the same.

mdjmcnally
Advisor

From the Admin Guide:

By default, the template you deploy creates an External Load Balancer, with the name frontend-lb, which faces the Internet.

The External Load Balancer sends health probes to TCP port 8117 to determine the health of the CloudGuard IaaS Security Gateways.

Under Notes, then:

Do not change the health probe port.

Your Health Probe port is on 8081, not the default one of 8117. So your Health Probe is wrong. It is not like a regular load balancer where you need to check against the service port.

In this case there is a single Health Probe on port 8117 that is used for ALL of the Frontend IPs that you configure, no matter what port you want to send the traffic on.

For every IP, then, send to the same IPs, i.e. the two Cluster Members, but ONLY the Active box in the cluster will respond.

sk110194 is unfortunately a bit out of date and you need to refer to:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

Also, Step 8 in the Guide is creating the Dynamic Object named LocalGatewayExternal.

This is used instead of defining hosts that represent the External Private Interface IP addresses.

Abhishek_Kumar1
Collaborator

We did not change the Health Probe port; we created a new rule for the new Elastic IP to translate 443 traffic to 8081 and created a STATIC NAT rule to translate the external IP and PORT.

We have multiple firewalls (with different zones) with the same policy package. Can we use a dynamic object if we have to configure NAT for all ZONES?


Regards

Abhishek 

mdjmcnally
Advisor

The Dynamic Object translates on the Gateway that the Rule is on to be the External Interface IP. This is done on the Gateways/Cluster Members themselves.

If you are configuring NAT Rules on your Load Balancer then you are definitely configuring it wrong!

Your screenshot shows a Load Balancing Rule, so I presume you meant Load Balancing Rule.

Under Health probe it then has:

health_prob_port_(TCP:8081) 

Every IP that you publish should be using the same health probe setting and should be on the port specified in the guide: TCP port 8117.

At the moment, then, based on your screenshot, you are probing on 8081, which is NOT the port that you should be probing on. That is the port that you are forwarding the traffic to.

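To make the two points above concrete, here is an added example (not from any poster, the guide or Check Point) that plans the port-per-server scheme ChristianCastil describes and runs the health-probe check mdjmcnally raises before anything is deployed. The allocation scheme (server N gets its own 500-port block above 10000), the dataclass names and the sample IPs are assumptions; only the probe port 8117 and the LocalGatewayExternal object come from the thread.

```python
from dataclasses import dataclass

# Fixed by the CloudGuard IaaS admin guide quoted in the thread: the external LB
# probes the gateways on TCP 8117 and that port must not be changed.
PROBE_PORT = 8117
# Assumed allocation scheme (not from the thread): each server gets its own block,
# so server 1 -> 10443/10022, server 2 -> 10943/10522, ... (unique up to 111 servers).
PORT_BASE, PORT_BLOCK = 10000, 500
SERVICES = {"https": 443, "ssh": 22}

@dataclass(frozen=True)
class LbRule:            # one Azure load-balancing rule per (frontend IP, service)
    name: str
    frontend_ip: str
    frontend_port: int
    backend_port: int    # high port the LB forwards to on the gateways

@dataclass(frozen=True)
class NatRule:           # gateway NAT rule: Original dst/service -> Translated dst/service
    orig_dst: str
    orig_port: int
    xlate_dst: str
    xlate_port: int

def backend_port(server_index, service_port):
    return PORT_BASE + (server_index - 1) * PORT_BLOCK + service_port

def plan(servers):
    """servers: list of (public_frontend_ip, private_server_ip); constructed input."""
    lb_rules, nat_rules = [], []
    for i, (pub_ip, srv_ip) in enumerate(servers, start=1):
        for svc, port in SERVICES.items():
            bport = backend_port(i, port)
            lb_rules.append(LbRule(f"srv{i}-{svc}", pub_ip, port, bport))
            # Original destination is the dynamic object LocalGatewayExternal, which
            # resolves on each gateway to its own external interface IP (guide step 8).
            nat_rules.append(NatRule("LocalGatewayExternal", bport, srv_ip, port))
    return lb_rules, nat_rules

def check(lb_rules, probe_port):
    """Return the findings that would break the design, e.g. probing on 8081."""
    problems = []
    ports = [r.backend_port for r in lb_rules]
    if len(set(ports)) != len(ports) or max(ports) > 65535:
        problems.append("backend ports must be unique and <= 65535")
    if probe_port != PROBE_PORT:
        problems.append(f"probe port {probe_port} is not {PROBE_PORT}")
    if probe_port in ports:
        problems.append("probe port is a forwarded service port, not the gateway probe port")
    return problems
```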
Matthias_Haas
Advisor

You have floating IP enabled, which means you should see the public IP on the Firewall; the LB is doing no NAT in this case.

yunier88
Participant

Hi there,


In my case I recently configured an LB in Azure to be able to obtain more public IP addresses on our CloudGuard FW.

I have followed the stages of a video in a UDEMY course.

In the video, the example shows that the object that represents the FW is configured with its public IP address. In my case it is different: my object that represents the FW is configured with a private address. Hence my doubt when it comes to guiding me through all the stages.

In the video they create a host that will represent the private IP address of the FW, and it is the object that they use later when creating the rules. But in my case only the object that represents my FW (Interoperable devices) has the private IP address. My question would be, can I use my FW object to create the rules as in the example that I share here?

Thanks

yunier88
Participant

Hello there,

What configuration would I need to do for outbound traffic? I need each server behind our FW to go to the internet with a different public IP, but not receive traffic from the internet.


Thx
