Tom_Thwaites
Participant

Additional External IP (azure)


How do I add an additional external IP to the CloudGuard device in Azure? I've added the new IP in the Azure Portal and attached it to the VM, but within the GUI the IP isn't being displayed.

If I create a new alias within the CG GUI, I can't specify the IP, as it doesn't allow a /32 subnet mask.

Any help would be really appreciated.

Thanks

Tom 


27 Replies
PhoneBoy
Admin

What are you using the IP address for?

If it's just for, say, Address Translation, the IP doesn't actually need to appear in the OS config at all; there just needs to be a NAT rule for it.

Tom_Thwaites
Participant

Thanks Dameon,

I just need it for NAT to forward traffic to a web server. Do I need to create an object for the external IP? How do I assign the NAT to the new IP?

Thanks

Tom

Huseyin_Rencber
Collaborator
Tom_Thwaites
Participant

Thanks Huseyin, 

I've followed this before, but this is set up using the eth0 external IP. I have this working, but I need more than 1 external IP. For instance, I may have more than 2 external web servers that all resolve using different DNS names.

So I need a way to send 1 external IP to one web server and the other external IP to another web server. I don't have any kind of LB, so I can't content switch; I just need 1 IP to 1 server and 1 to another.

Thanks

Tom

PhoneBoy
Admin

Create host objects for the new public IP address if you haven't already.

In the NAT tab for these objects, specify the internal IP address.

Repeat for each public IP address.

Ensure there is a rule allowing access to these objects for services http/https and install policy.

Tom_Thwaites
Participant

I've done that, but I can't seem to get it to work. Plus I don't see any reference to the external IP/host object in the logs, so it doesn't look like the IP address is even hitting the CG.

If I do the same with the original eth0 external IP it works, but just not with the additional IP.

Thanks

Tom

PhoneBoy
Admin

Have you done a tcpdump on the relevant interface to verify the traffic to that IP address is even reaching the gateway?

Chandhrasekar_S
Collaborator

@Tom,

If I understand correctly, you have set up a web server and you want to assign an Azure public IP and route the traffic from the Internet to that web server.

If this is the case, you will have to:

1. Create an Azure public IP address

2. Attach the public IP address to the Azure load balancer in front of the Check Point firewalls

3. Create an Inbound NAT rule in the Azure load balancer

4. Create a NAT rule on the Check Point firewalls which will receive the traffic from Azure load balancer and NAT it back to the original port of the inside web server

This way you will be able to route traffic from the Internet to the web server. Let me know if this helps.

Tom_Thwaites
Participant

Thanks for the reply. 

I'm getting closer now. I can hit the external IP of the Azure LB and NAT through to the CG, but do I create a rule to send the traffic to the web server assigned only to that IP?

It's hard to explain, but I have 2 web servers (Web1 and Web2), both with an LB in front. I have a rule that says from the Internet to Web1 and from the Internet to Web2, both for HTTP. How do I specify that if you come in on External IP 1 you go to Web1, and if you come in on External IP 2 you go to Web2? At the moment I can only get it to route to the web server in the first rule. I have checked the logs and see that the source traffic is always the CG and not the external IP address.

How do I route based on the source IPs if being NAT'd from the Azure LB into the CloudGuard?

Hope that makes sense?

Thanks

Tom

Tom_Thwaites
Participant

I don't understand this. I have a rule that says any source to CloudGuard for HTTPS accept.

I then have a NAT rule that says source address is the Azure LB public IP > destination CloudGuard > HTTPS > translated source original > destination is web server, but it just won't translate it through to the web server...

What am I missing? 😞

Tom

Ted_Serreyn
Contributor

I am just working on these scenarios with a customer of mine implementing all their web presence into Azure. This is what we have working for multiple web servers.

We had to use an external load balancer to map additional IP addresses into the scenario. Essentially the external load balancer just takes care of the NAT, converting HTTPS on the external IP addresses to custom ports on the firewall (9443, 9444, etc.) for HTTP on the firewall.

The firewall then has NAT rules (and access rules) allowing traffic into the firewall and NATing the traffic back to HTTP on either the web server directly or an internal load balancer to balance the traffic among multiple web servers.

We currently have 5 HTTPS servers, each on their own IP address. If you hit the limit for external IP addresses, you can just spin up another external load balancer.

This has the advantage of leaving the external looking like HTTPS, and the internal web server also receives HTTPS.

However, this works for any TCP protocol and now possibly UDP with the improvements to the load balancer.

It did take me a long time to figure out what works and what wouldn't work, but this was the scenario that works here.

A lot of the problem here is getting the external IP traffic to the firewall so that NAT can happen. I was never able to route this to the firewall; Microsoft seems to always think that you're going to put these IP addresses directly on your hosts rather than through a security gateway.

Tom_Thwaites
Participant

Thanks Ted, so you route based on incoming port rather than source IP? Or do you route on both?

It's odd, because you'd think you could just route based on incoming IP. To me this is just basic functionality of a firewall rule; also I'm pretty sure it works on the 77.30 version.

There has to be a way to do it other than on port, otherwise the firewall is going to get really messy and hard to manage over time 😞

Thanks

Tom

Matthias_Haas
Advisor

Hi Tom,

You could use an LB with Load Balancing Rules (instead of an Inbound NAT Rule). If you enable "Floating IP (direct server return)", which is disabled by default, the LB will not NAT the destination IP. In this case you will see the public IP on the firewall and you can NAT accordingly.

If using a Standard LB, please make sure you have a Network Security Group that allows the traffic (this is not necessary if you use a Basic LB, which is sufficient and allows the traffic by default).

Maybe that helps?

Matthias


Tom_Thwaites
Participant

Hi Matthias, 

Thanks for the reply.

This is exactly what I've done and works perfectly.

Cheers

Tom.

jesusarteria
Explorer

Hi Matthias,

Can you share your configuration?

Regards

JSalinas

Matthias_Haas
Advisor

Hi JSalinas,

Just define a Load Balancing rule on the LB:

LB.rules.png

LB.rules-2.png

Important: you have to enable Floating IP. Doing so tells the LB not to NAT the destination IP.

On the FW you'll see the public IP:

Log.png

If you are using a Standard LB, an NSG which allows this traffic is necessary. This NSG has to be attached to the subnet in which the (external) interface of the FW is deployed (the interface defined as the backend pool on the LB).

Matthias

P.S. the public IPs are no longer part of my environment 😉

Ping_Choi
Participant

Hello Matthias,

In your solution, did you have to create a brand new Load Balancer? The reason I ask is because when we deployed CloudGuard, it spins up a front-end load balancer and a back-end load balancer as part of its deployment requirements. I'm wondering if we could leverage those existing LBs or do we have to create new LBs.

Thank you

Matthias_Haas
Advisor

Hello Ping_Choi,

Please use the front-end load balancer which was deployed by Check Point; you don't need a new load balancer.

Matthias
yunier88
Explorer

Hi there,
I have followed the stages as you explain them in your post, but I can't access my web server using the public IP of the LB. I created a NAT rule and also a policy rule. Here I share a screenshot of my NAT rule. Could you give me some idea why it doesn't work?
Thank you

JackPrendergast
Collaborator

Your NAT rule is incorrect.

The original source of your traffic IS NOT the external IP.

Think about it. Your original source is me, the world, the WWW - people accessing it.

The original destination is your external IP - this is what people are accessing to get to your internal server.

Your translated destination is then the internal server.

Do not apply NAT on the Azure Load Balancer - only NAT on the CP Firewall.

Follow the load balancing rules as per above and traffic will be received by the firewall.

yunier88
Explorer

Hi there,
My object ExternalIP represents the public IP of my LB. Is this correct?

You say: Do not apply NAT on the Azure Load Balancer - only NAT on the CP Firewall.
So I just need to create a Load Balancing Rule? I don't need to create an Inbound NAT rule on the LB?

JackPrendergast
Collaborator

No NAT at all on the load balancer.

If you follow the guide above, traffic will come to the firewall un-NAT'd, so the firewall will see the original source, i.e. the world.

To clarify - NO NAT on the load balancer. Just the rules.

Then, your original destination on the Check Point NAT is the public IP you want your users to get to.

So, if you were setting up a web server for me, and you gave me the IP of 200.200.200.200, the original destination would be 200.200.200.200.

The public IP lives on the load balancer. The load balancer uses its load balancing rules to FORWARD, not NAT, to the Check Point.

The Check Point receives the traffic in its original form and NATs according to policy 🙂

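To make concrete why Matthias's Floating IP setting and JackPrendergast's "original destination is the public IP" rule go together, here is an added Python model (not Check Point or Azure code; all addresses are constructed) of what a first-match NAT rulebase on the gateway sees when the LB forwards with Floating IP, when it rewrites the destination as an Inbound NAT Rule does, and under Ted_Serreyn's port-based variant.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    """Static destination NAT: match original dst/port (None = Any), rewrite dst/port."""
    orig_dst: str
    orig_dport: Optional[int]
    xlate_dst: str
    xlate_dport: Optional[int] = None

def azure_lb(pkt: Packet, backend_ip: str, floating_ip: bool,
             backend_port: Optional[int] = None) -> Packet:
    """What the LB hands to the gateway NIC. With Floating IP (DSR) the frontend
    public IP stays as destination; without it the LB rewrites the destination to
    the backend private IP, and an inbound NAT rule may also change the port."""
    dst = pkt.dst if floating_ip else backend_ip
    return Packet(pkt.src, dst, backend_port or pkt.dport)

def gateway_nat(pkt: Packet, rules: List[NatRule]) -> Optional[Packet]:
    """First matching rule wins, as in the gateway's NAT rulebase."""
    for r in rules:
        if pkt.dst == r.orig_dst and r.orig_dport in (None, pkt.dport):
            return Packet(pkt.src, r.xlate_dst, r.xlate_dport or pkt.dport)
    return None  # no match: the traffic is for the gateway itself, nothing forwarded

# Constructed addresses (documentation ranges), not taken from the thread.
PUBLIC1, PUBLIC2 = "203.0.113.10", "203.0.113.11"  # two LB frontend public IPs
FW_EXT = "10.0.1.4"                                # gateway eth0 private IP
WEB1, WEB2 = "10.0.2.10", "10.0.2.11"              # internal web servers
CLIENT = "198.51.100.7"

# Per-public-IP rules as JackPrendergast describes: original destination = public IP.
RULES_BY_IP = [NatRule(PUBLIC1, 443, WEB1), NatRule(PUBLIC2, 443, WEB2)]
# Ted_Serreyn's variant: LB inbound NAT to distinct gateway ports, then NAT by port.
RULES_BY_PORT = [NatRule(FW_EXT, 9443, WEB1, 443), NatRule(FW_EXT, 9444, WEB2, 443)]

def deliver(public_ip: str, floating_ip: bool, rules: List[NatRule],
            backend_port: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """A client connects to public_ip:443. Returns (destination the gateway sees
    and logs, web server finally reached or None)."""
    at_gw = azure_lb(Packet(CLIENT, public_ip, 443), FW_EXT, floating_ip, backend_port)
    out = gateway_nat(at_gw, rules)
    return at_gw.dst, (out.dst if out else None)
```

With Floating IP the gateway logs the public IP and each rule matches its own frontend; without it the gateway only ever sees its private IP, so per-public-IP rules never match and the only way to tell the frontends apart is the port.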
yunier88
Explorer

Hi there,
First of all, a million thanks 🙂

Two questions!!

1-In my Check Point do I need to create a policy rule? Or just a NAT rule like you explained to me earlier?

2-Why, when I create the BackendPool (in the LB), does my Check Point in the Azure platform right away show me the IP address that I just created in the LB? (screenshot here)

Thanks

yunier88
Explorer

Here I show all the stages I have done, but it still doesn't work.

Load Balancer:

1-I created a BackendPool pointing towards my VM FW (Image 1)

2-I created a Health Probe (Image 2)

3-I created a Load Balancing Rule (Image 3)

FW Check Point:

1-I created a Policy Access Rule (Image 4)

2-I created a NAT Rule (Image 5)

***When I try to access my web server with the public IP of the LB I get this: Image 6

If someone else could help me find out what is not working, I would appreciate it, thank you 🙂

Matthias_Haas
Advisor

1. You don't need that double port modification (LB 80 -> 9091, FW 9091 -> 80), just keep it on port 80 (but it should work anyway).

2. Do you get any log entry on the firewall? If not, which type of LB are you using (Standard or Basic)? If Standard, make sure you have an NSG attached to the subnet of the backend pool (external interface of the FW) which allows traffic from "any" source IP (port 80/9091) to the public IP.

yunier88
Explorer

-I made the port modification since I will have several web servers that will be accessible through that port (80). Therefore I need to use other ports and then NAT on the FW. Do you think it is well done this way?

-Currently I do not see any log in the firewall that refers to the public IP of the LB. Previously, when I had created an Inbound NAT Rule on the LB instead of a Load Balancing Rule (JackPrendergast told me it was not the correct solution), I saw the public IP of the LB in the firewall.

-I'm using a Basic LB. Therefore I don't think there is anything else that I should configure in Azure, only the LB.

Any other ideas please?

Just as a detail, I followed the stages of a course on Udemy where they explain how to create the LB in Azure and then the necessary rules in the FW. In the course they use the option Inbound NAT rule and everything works correctly. I tried that way, following exactly the same steps, and it didn't work.

ChrisMartel
Employee

Hi Yunier,

Did you confirm that your backend subnet has a route set for outgoing internet access? By default it is not set.
