John_Colfer
Contributor

Stealth Rule In Azure VSec Policy

Hi Gang

I deployed an Azure vSEC cluster and followed the SKs etc., and it's up and running fine. I'm starting to build out the policy and have run up against a problem.

Normally I would have the stealth rule as the 2nd or 3rd rule, but when I try to allow NATed traffic through to resources on the inside, it is getting dropped by the stealth rule.

For Example:

Number: 2774078
Date: 12Oct2017
Time: 13:10:55
Interface: eth0
Origin: 52.169.50.242
Type: Log
Action: Drop
Service: TCP-8088 (8088)
Source Port: 54326
Source: ext_host_95.44.141.143 (95.44.141.143)
Destination: azure-external-int-fw1 (10.10.50.10)
Protocol: tcp
Rule: 3
Rule UID: {4DC1865D-5CF9-4D2A-8B84-7CF435A7BAAE}
Rule Name: Stealth
Current Rule Number: 4-wr-dub-azure1-pol
Information: inzone: External
outzone: External
Product: Security Gateway/Management
Product Family: Network
Policy Info: Policy Name: wr-dub-azure1-pol
Created at: Tue Oct 10 10:43:16 2017
Installed from: irb-dub-mgmt1

Do I need to put the rule which allows this traffic above the Stealth Rule?

Will this mean that, when I publish an app for the internet, I will have an "any" rule above the Stealth Rule?

I had a look for best practices regarding building out policies in Azure, but could find very little.

Could somebody please inform me of the best way to build out a FW policy in a CP Azure cluster?

Best regards

John

0 Kudos
3 Replies
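The log record quoted above has a recognisable shape: a drop by a rule named "Stealth", destined for one of the gateway's own interface addresses, with both inzone and outzone reported as External. The following script is an added example (not from the thread or from Check Point) that parses that text-format record and flags exactly that pattern, so drops of published-app traffic by the stealth rule can be picked out of a log export before the policy is reordered. The sample record is the one posted in the question; `GATEWAY_IPS` is an assumed list of the cluster's own addresses.

```python
"""Parse Check Point text log records and flag Stealth-rule drops that hit the
gateway's own address from the External zone (the symptom in the post above).
Added example, not part of the original thread; the record is the one quoted
in the question and GATEWAY_IPS is an assumed set of the cluster's addresses."""

import ipaddress
import re

# Constructed from the record quoted in the question (values as posted).
SAMPLE_LOG = """\
Number: 2774078
Date: 12Oct2017
Time: 13:10:55
Interface: eth0
Origin: 52.169.50.242
Type: Log
Action: Drop
Service: TCP-8088 (8088)
Source Port: 54326
Source: ext_host_95.44.141.143 (95.44.141.143)
Destination: azure-external-int-fw1 (10.10.50.10)
Protocol: tcp
Rule: 3
Rule UID: {4DC1865D-5CF9-4D2A-8B84-7CF435A7BAAE}
Rule Name: Stealth
Current Rule Number: 4-wr-dub-azure1-pol
Information: inzone: External
outzone: External
Product: Security Gateway/Management
"""

# Assumed: the gateway's own interface addresses (eth0 in the post is 10.10.50.10).
GATEWAY_IPS = {"10.10.50.10"}

# Matches the trailing "(value)" that the log appends to object names.
_PAREN_VALUE = re.compile(r"\(([^()]*)\)\s*$")


def _bare_value(value):
    """'ext_host_95.44.141.143 (95.44.141.143)' -> '95.44.141.143'; 'TCP-8088 (8088)' -> '8088'."""
    m = _PAREN_VALUE.search(value)
    return m.group(1) if m else value


def parse_record(text):
    """Turn one 'Key: value' record into a dict. The 'Information:' line carries
    the inbound zone ('inzone: External'); the outbound zone arrives on its own
    'outzone:' continuation line, so both end up as plain keys."""
    record = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, _, value = line.partition(": ")
        record[key.strip()] = value.strip()
    info = record.get("Information", "")
    if info.startswith("inzone: "):
        record["inzone"] = info[len("inzone: "):]
    return record


def is_stealth_drop_on_gateway(record, gateway_ips):
    """True when a packet was dropped by the rule named 'Stealth' while aimed at
    one of the gateway's own addresses from the External zone: the case where
    published-app traffic terminates on the gateway and a stealth rule ordered
    above the publishing rule silently eats it."""
    if record.get("Action") != "Drop" or record.get("Rule Name") != "Stealth":
        return False
    dst = _bare_value(record.get("Destination", ""))
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return False
    return (dst in gateway_ips
            and record.get("inzone") == "External"
            and record.get("outzone") == "External")


def triage(records, gateway_ips=GATEWAY_IPS):
    """Return (src_ip, dst_ip, dport, rule_number) tuples worth reviewing."""
    hits = []
    for rec in records:
        if is_stealth_drop_on_gateway(rec, gateway_ips):
            hits.append((_bare_value(rec["Source"]),
                         _bare_value(rec["Destination"]),
                         int(_bare_value(rec["Service"])),
                         rec.get("Rule")))
    return hits


if __name__ == "__main__":
    for hit in triage([parse_record(SAMPLE_LOG)]):
        print("Stealth-rule drop of traffic addressed to the gateway:", hit)
```

Feed it a log export split into records (one record per "Number:" block) and the hit list tells you which published ports are being caught by the stealth rule; a hit on a port you did not intend to publish is still a stealth rule doing its job.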
PhoneBoy
Admin

When you're protecting public websites in Azure, traffic isn't being routed through the vSEC gateway, but is being "proxied" in a way.

This means traffic must terminate on the vSEC instance--traffic a regular stealth rule will block.

You have to account for this.

In general, you might want to look at the reference architecture articles linked here: https://community.checkpoint.com/message/6026-reference-architecture-for-vsec-public-cloud?sr=search...

0 Kudos
John_Colfer
Contributor

Thanks Dameon

I had had a look at these articles prior to posting here, but didn't find a satisfactory answer. Correct me if I'm wrong, but it seems to me that to allow HTTPS traffic to a web app protected by the firewall you need to do the following:

  1. Publish a public IP in Azure (say 52.51.50.49) which accepts traffic on port 443
  2. Set up a UDR which forwards traffic received at 52.51.50.49 on port 443 to the external IP of the CP instance (say 10.50.1.10) on a different port, say 8081
  3. On the CP Instance you must then have a rule that allows any traffic to 10.50.1.10 on port 8081
  4. Then have a NAT rule which translates the packet to HTTPS

Am I correct with the above steps?

If so, is it safe to have an "any" rule like this to the external IP of your gateway?

Best regards

John

0 Kudos
PhoneBoy
Admin

That all looks correct.

"Any" is fine in this case.

0 Kudos
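The exchange above comes down to rule ordering and scope: traffic for a published app terminates on the gateway's external IP, so the rule that accepts it has to sit above the stealth rule, and the "any" in that rule is only the source, with destination and port pinned to the gateway address and the published port. The script below is an added example (not from the thread, and not a real Check Point policy export) that walks a first-match rulebase in both orders and then applies the NAT step from John's list. It reuses his values 10.50.1.10, 8081 and 443; `WEB_SERVER` and `MGMT_IP` are assumed addresses.

```python
"""First-match rulebase walk showing why a published-app rule must sit above
the Stealth rule, plus the NAT step that rewrites the published port to HTTPS.
Added example, not part of the thread; 10.50.1.10, 8081 and 443 come from
the post, WEB_SERVER and MGMT_IP are assumed, and the rulebase is a minimal
illustration rather than a real Check Point policy."""

from dataclasses import dataclass

ANY = "any"
GATEWAY_EXTERNAL_IP = "10.50.1.10"   # external IP of the CP instance (from the post)
PUBLISHED_PORT = 8081                # port the UDR forwards to on the gateway (from the post)
WEB_SERVER = "10.50.2.20"            # assumed: internal web app behind the gateway
MGMT_IP = "10.50.3.5"                # assumed: management host allowed to reach the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # ANY or an IP
    dst: str            # ANY or an IP
    dport: "int | str"  # ANY or a port number
    action: str         # "accept" or "drop"

    def matches(self, p):
        return all(field in (ANY, value)
                   for field, value in ((self.src, p.src), (self.dst, p.dst), (self.dport, p.dport)))


def evaluate(rulebase, packet):
    """First match wins; an implicit cleanup drop sits at the end."""
    for rule in rulebase:
        if rule.matches(packet):
            return rule.name, rule.action
    return "Cleanup", "drop"


MGMT_RULE = Rule("Management", MGMT_IP, GATEWAY_EXTERNAL_IP, ANY, "accept")
STEALTH = Rule("Stealth", ANY, GATEWAY_EXTERNAL_IP, ANY, "drop")
# Source is "any", but destination and service are pinned to the gateway's
# external IP and the single published port (step 3 in the post).
PUBLISH_APP = Rule("Publish web app", ANY, GATEWAY_EXTERNAL_IP, PUBLISHED_PORT, "accept")

AS_POSTED = [MGMT_RULE, STEALTH, PUBLISH_APP]   # publishing rule below Stealth: dropped
CORRECTED = [MGMT_RULE, PUBLISH_APP, STEALTH]   # publishing rule above Stealth: accepted

# Step 4 in the post: translate the published port on the gateway to HTTPS on the server.
STATIC_NAT = {(GATEWAY_EXTERNAL_IP, PUBLISHED_PORT): (WEB_SERVER, 443)}


def nat_translate(packet, nat_table=STATIC_NAT):
    """Rewrite destination IP/port when the packet hits a published service."""
    new_dst, new_port = nat_table.get((packet.dst, packet.dport), (packet.dst, packet.dport))
    return Packet(packet.src, new_dst, new_port)


def handle(rulebase, packet):
    """Match the access rule on the original (pre-NAT) destination, as the
    post's step 3 does, then translate only if the packet was accepted."""
    name, action = evaluate(rulebase, packet)
    if action != "accept":
        return name, action, None
    return name, action, nat_translate(packet)


if __name__ == "__main__":
    inbound = Packet("95.44.141.143", GATEWAY_EXTERNAL_IP, PUBLISHED_PORT)
    print("as posted :", handle(AS_POSTED, inbound))
    print("corrected :", handle(CORRECTED, inbound))
    print("port 22   :", handle(CORRECTED, Packet("95.44.141.143", GATEWAY_EXTERNAL_IP, 22)))
```

With the publishing rule moved above Stealth, the inbound connection to 10.50.1.10:8081 is accepted and NATed to the web server on 443, while everything else addressed to the gateway from an unknown source still lands on the stealth rule, which is why the "any" source is acceptable here.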
