Do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration?

Hi

We're setting up CloudGuard IaaS High Availability in Azure (R80.30).
I can access the two firewall members when using their respective external IPs, but connectivity using the cluster-vip external IP doesn't seem to work. Trying to establish a VPN tunnel or just pinging doesn't work, and I'm not seeing anything on the active firewall with fw monitor.
Do you need to add the cluster-vip external IP to the LoadBalancerFrontend IP configuration?

thanks

0 Kudos
5 Replies

Hi,

You should have an NSG attached to the external subnet?

If so, please check whether access to the VIP is allowed.

Matthias


0 Kudos

Matthias,


This is the NSG attached to the frontend subnet:

Inbound

Name                 Port  Protocol  Source             Destination     Action
AllowAllInbound      Any   Any       Any                Any             Allow
AllowVnetInbound     Any   Any       VirtualNetwork     VirtualNetwork  Allow
AllowAzureLBInbound  Any   Any       AzureLoadBalancer  Any             Allow
DenyAllInbound       Any   Any       Any                Any             Deny

Outbound

Name                   Port  Protocol  Source          Destination     Action
AllowVnetOutbound      Any   Any       VirtualNetwork  VirtualNetwork  Allow
AllowInternetOutbound  Any   Any       Any             Internet        Allow
DenyAllOutbound        Any   Any       Any             Any             Deny

0 Kudos
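One way to answer Matthias's "is access to the VIP allowed?" question offline, as an added example rather than anything from the thread or from Check Point: a small evaluator that walks Azure NSG inbound rules in priority order the way the platform does, using the rule names posted above. The priorities (65000/65001/65500 are Azure's default-rule values, 100 is a typical custom rule), the VNet address space, the VIP's private address and the peer address are all assumptions, and the service-tag matching is simplified.

```python
"""Offline evaluation of an Azure NSG inbound rule set (constructed example).
Rule names mirror the NSG posted in this thread; priorities, VNet range and
sample addresses are assumptions, not values from the thread."""
from dataclasses import dataclass
import ipaddress

# Assumed VNet address space; the "VirtualNetwork" service tag resolves to it.
VNET = ipaddress.ip_network("10.0.0.0/16")
# Documented Azure platform address used by the load balancer health probe.
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number wins, as in Azure
    name: str
    port: str          # "Any", "443", "500,4500" or "1000-2000"
    protocol: str      # "Any", "TCP" or "UDP"
    source: str        # service tag ("Any", "Internet", "VirtualNetwork",
    destination: str   #   "AzureLoadBalancer") or a CIDR
    action: str        # "Allow" or "Deny"


def _tag_matches(tag: str, addr: ipaddress.IPv4Address) -> bool:
    """Simplified service-tag semantics: Internet = anything outside the VNet."""
    if tag == "Any":
        return True
    if tag == "VirtualNetwork":
        return addr in VNET
    if tag == "Internet":
        return addr not in VNET
    if tag == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(tag, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    """Match "Any", a single port, a comma list or a lo-hi range."""
    if spec == "Any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src: str, dst: str, port: int, proto: str):
    """Return (rule name, action) of the first matching rule in priority order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != "Any" and r.protocol != proto:
            continue
        if not _port_matches(r.port, port):
            continue
        if _tag_matches(r.source, s) and _tag_matches(r.destination, d):
            return r.name, r.action
    return None, "Deny"   # Azure always carries a DenyAllInBound default rule


# Inbound rules as posted in the thread; priorities are assumed.
THREAD_INBOUND = [
    Rule(100,   "AllowAllInbound",     "Any", "Any", "Any",               "Any",            "Allow"),
    Rule(65000, "AllowVnetInbound",    "Any", "Any", "VirtualNetwork",    "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLBInbound", "Any", "Any", "AzureLoadBalancer", "Any",            "Allow"),
    Rule(65500, "DenyAllInbound",      "Any", "Any", "Any",               "Any",            "Deny"),
]
# The same NSG without the custom allow rule, i.e. only Azure's defaults.
DEFAULTS_ONLY = [r for r in THREAD_INBOUND if r.name != "AllowAllInbound"]

VIP_PRIVATE = "10.0.1.10"   # assumed secondary private IP behind the cluster VIP

if __name__ == "__main__":
    # IKE (UDP/500) from a constructed VPN peer address outside the VNet
    print(evaluate(THREAD_INBOUND, "198.51.100.7", VIP_PRIVATE, 500, "UDP"))
    print(evaluate(DEFAULTS_ONLY,  "198.51.100.7", VIP_PRIVATE, 500, "UDP"))
```

With the rules as posted, IKE from outside the VNet hits AllowAllInbound first, so this NSG is not what blocks the VIP; drop that custom rule and the same packet falls through to DenyAllInbound, which is the case Matthias was asking about.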

OK, and your VIP is attached to the external interface of the master, I guess?

[attached image: Unbenannt.png]


0 Kudos

To your specific question: no, you don't need it. The VIP for VPN purposes on the CG IaaS HA template is a "floating IP" attached as a secondary IP to the NIC of the active member. This job is done by a service principal deployed by the template if selected (this is the default); see the attached image.

If you selected "NO", that can also cause this IP not to be moved to the active member.


0 Kudos

So, the IP for the cluster was assigned, but to the standby member. We've been able to fix that with https://community.checkpoint.com/t5/CloudGuard-IaaS/Vsec-Cluster-in-Azure-anyone-know-how-to/m-p/796...

So now we can ping the VIP and see it's being directed to the proper active member. We still can't establish a VPN tunnel, but that might need another post...

0 Kudos
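Since the VIP in this template is a secondary IP configuration on the active member's NIC, the quickest check for the situation described in the last two posts (VIP sitting on the standby member) is to see which NIC actually holds the cluster public IP. The following is an added example, not code from the thread or from the CloudGuard template: it reads a constructed sample shaped like `az network nic ip-config list` output (the field names, NIC names, subscription path and the public IP resource name "cluster-vip" are assumptions) and reports whether the VIP sits on the member you expect to be active.

```python
"""Which cluster member currently holds the cluster VIP?  Constructed example
modelled on the situation in this thread.  SAMPLE_NICS_JSON imitates the
shape of `az network nic ip-config list` output for each member's external
NIC; field names, NIC names and the public IP name "cluster-vip" are assumed."""
import json

SAMPLE_NICS_JSON = r'''
{
  "member1-eth0": [
    {"name": "ipconfig1", "primary": true, "privateIPAddress": "10.0.1.4",
     "publicIPAddress": {"id": "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/member1-pip"}}
  ],
  "member2-eth0": [
    {"name": "ipconfig1", "primary": true, "privateIPAddress": "10.0.1.5",
     "publicIPAddress": {"id": "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/member2-pip"}},
    {"name": "cluster-vip", "primary": false, "privateIPAddress": "10.0.1.10",
     "publicIPAddress": {"id": "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/cluster-vip"}}
  ]
}
'''


def _pip_name(cfg: dict) -> str:
    """Last path segment of the ipconfig's public IP resource id, or ''."""
    pip_id = (cfg.get("publicIPAddress") or {}).get("id", "")
    return pip_id.rsplit("/", 1)[-1]


def vip_holders(nics: dict, pip_name: str) -> list:
    """All (nic, ipconfig name, private IP) entries bound to public IP `pip_name`."""
    found = []
    for nic_name, ipconfigs in nics.items():
        for cfg in ipconfigs:
            if _pip_name(cfg) == pip_name:
                found.append((nic_name, cfg["name"], cfg["privateIPAddress"]))
    return found


def check_vip(nics: dict, pip_name: str, active_nic: str) -> str:
    """'ok' when exactly one NIC holds the VIP and it is the active member's;
    otherwise 'missing', 'duplicate' or 'on-standby'."""
    holders = vip_holders(nics, pip_name)
    if not holders:
        return "missing"
    if len(holders) > 1:
        return "duplicate"
    return "ok" if holders[0][0] == active_nic else "on-standby"


def move_vip(nics: dict, pip_name: str, to_nic: str) -> dict:
    """Return a copy of `nics` with the VIP ipconfig moved to `to_nic`
    (models what the template's service principal does on failover)."""
    new, moved = {}, []
    for nic_name, ipconfigs in nics.items():
        keep = []
        for cfg in ipconfigs:
            if _pip_name(cfg) == pip_name:
                moved.append(dict(cfg))
            else:
                keep.append(dict(cfg))
        new[nic_name] = keep
    new.setdefault(to_nic, []).extend(moved)
    return new


NICS = json.loads(SAMPLE_NICS_JSON)

if __name__ == "__main__":
    # Assumed here: cphaprob state on the gateways reports member1 as ACTIVE
    print(check_vip(NICS, "cluster-vip", "member1-eth0"))
    fixed = move_vip(NICS, "cluster-vip", "member1-eth0")
    print(check_vip(fixed, "cluster-vip", "member1-eth0"))
```

In practice you would feed it the real ip-config JSON of each member's external NIC and the member that `cphaprob state` reports as active; "on-standby" is exactly the condition the original poster ended up fixing, and "duplicate" or "missing" would point at a half-completed failover by the service principal.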