This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sandra_Suarez
Participant
‎2018-06-20 08:11 PM

Additional External IP (AWS)

The customers has a cluster R80.10 on AWS environment.

The front-end 172.31.19.x with public IP address (eth0)

The back-en 172.31.18.x (eth1)

On the front-end interfaces are configured severals subiterfaces to public services, something like this

ETH0 

172.31.19.x  public1

172.31.19.y  public2

172.31.19.z  public3

172.31.19.v  public4

172.31.19.q  public5

But the customer reach the limit of interface to associate public IP address and need to public more.

We try to do that add another external interface but it does not work.

Anyone how which is the procedure in this case??

3 Replies
PhoneBoy
Admin
Admin
‎2018-06-20 08:48 PM

Both the number of interfaces and the number of IPs you can associate to a given interface are a function of the AWS instance size you are using.

Your options are:

  • Use an elastic load balancer, which can also rewrite the source port for an incoming connection (allowing you to reduce the number of IPs assigned to the gateway).
  • Use more (smaller) gateways to protect these servers.
0 Kudos
Matt_J
Contributor
‎2018-07-05 01:39 PM

We ran into this exact same issue with AWS. In order to get more IPs, we had to add another external interface. It's a pain... There was a lot of tinkering involved, a lot of swearing and a lot of headdesks... 

What I had to do was setup policy based routing on the CheckPoint to make sure that incoming and outgoing traffic went in/out of the same interface. I also had to setup incoming/outgoing NAT. Unfortunately, this doesn't work if you are using a Logical Server object to NAT to the ELB CNAME. So we ended up with NAT using the local ELB IP addresses which are subject to change, and when they do, the site goes down... 

One of the reasons we needed so many IPs was that ELB's only supported a single certificate. With the new ALBs, they support multiple so if you have a lot of different websites requiring https, you can add multiple to ALBs. So we were able to merge a lot of load balancers and lower the number of IPs we needed. 

Also, as Dameon stated, we are in the process of moving part of our stuff to another CheckPoint so that we can get down to 1 external interface and  re-implement the Logical Server workaround so we can NAT to CNAME and not have the issue with the ALB IP changing. 

Hope this helps and good luck!

0 Kudos
Sandra_Suarez
Participant
‎2018-07-05 06:00 PM

Hi

Thanks for the comments.

We already be able to do the configuration and works fine.

We configure a second external Interface, to avoid any routing problem we configure ISP Redundancy between two external Interfaces.

Thanks again. I hope this help for others

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Thu 05 Mar 2026 @ 12:00 PM (SGT)

    2026 Threat Landscape Briefing - APAC
    Virtual

    Thu 05 Mar 2026 @ 03:00 PM (CET)

    2026 Threat Landscape Briefing - EMEA
    Virtual

    Thu 05 Mar 2026 @ 11:00 AM (EST)

    Tips and Tricks 2026 #1: MCP Servers
    Virtual

    Thu 05 Mar 2026 @ 02:00 PM (EST)

    2026 Threat Landscape Briefing -AMER
    Virtual

    Tue 10 Mar 2026 @ 03:00 PM (EDT)

    Americas Deep Dive: Web Filtering Best Practices
    Virtual

    Wed 11 Mar 2026 @ 12:00 PM (EDT)

    Ink Dragon: A Major Nation-State Cyber Campaign
    CheckMates Events