This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2017-10-02 05:21 PM

AWS ELBs supported by vSEC R.80.10

I'd be interested to know what kinds of ELBs are officially supported by Check Point in AWS and what, if any, caveats that are applied to each kind.

As part of an ongoing project, I am required to route inbound traffic to peered VPCs.

Classic and Network ELBs does not support this, as it requires targets to be instances in the same VPC.

The Application ELB does:

Thank you,

Vladimir

8 Replies
PhoneBoy
Admin
Admin
‎2017-10-02 09:21 PM

First of all, R80.10 doesn't yet support ELBs--this is coming.

As far as the different types of ELBs, there's two ways to look at this:

  • As a target from an External ELB, we're just like any other instance: we'll receive the packet based on however the ELB decides to route it to us.
  • As a source that routes it to an internal ELB, we are going to ultimately make the decision to route based on IP address, using a DNS lookup of the Logical Server object name to determine which IP to send the traffic to. Assuming we can route to the given IP, it doesn't matter if it's in the same VPC or not.

In both cases, I don't believe the type of ELB is relevant.

Vladimir
Champion
Champion
‎2017-10-05 01:08 PM
In response to PhoneBoy

Would you know if it is possible for vSEC to inject X-Forwarded to the packets send to ELBs?

I'm not sure that the source of traffic traversing Logical Server and ELBs can be identified by the instances, which may be required for applications.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-10-05 02:38 PM
In response to Vladimir

There's an option in Application Control to do this, which means it's likely possible.

0 Kudos
Vladimir
Champion
Champion
‎2017-10-05 02:46 PM
In response to PhoneBoy

Can you point me to it?

The only place I've encountered it in was the "Advanced" properties of the Proxy settings.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-10-05 02:55 PM
In response to Vladimir

That's the one.

0 Kudos
Vladimir
Champion
Champion
‎2017-10-05 02:59 PM
In response to PhoneBoy

Nah, this one works for the egress only.

I was looking to do the same on the way to ELBs.

0 Kudos
Matt_J
Contributor
‎2017-11-07 02:53 PM
In response to PhoneBoy

Dameon,

Does this workaround not apply to R80.10? I am in the process of deploying a new R80.10 CheckPoint in AWS to replace an R77.30 one. 

Supporting internal Elastic Load Balancers (ELB) in Amazon Web Services (AWS) 

When is official support coming? If this workaround is not applicable to R80.10, I am at a standstill on this project... 

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2017-11-08 01:48 AM
In response to Matt_J

The current R80.10 AMIs do not support ELBs.

They are expected to soon but I do not have the exact timeframe for this.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events