This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
reybanger
Explorer
2 weeks ago
Jump to solution

Both Active and Standby AWS Cloudguard reply to HTTPS probes

Hello CheckMates,


I am trying to understand, why Checkpoint CloudGuard standby gateway in AWS is replying to my 443 health probes? 

My management portal has been moved from the default port to 9443, 

I have tried to configure $FWDIR/boot/modules/fwkern.conf with a cloud_balancer_port=8117 as per https://support.checkpoint.com/results/sk/sk181836 but it seems like the behavior is different than in Azure. It will actually forward the probes to the endpoint server, and as a regular webserver - it does listen to 443, not 8117. 


0 Kudos
1 Solution

Accepted Solutions
Nir_Shamir
Employee Employee
Employee
2 weeks ago
In response to reybanger
Jump to solution

What kind of deployment do you exactly have ?

from what you wrote it looks like a Cluster HA and with Clusters in AWS we use the “virtual IP”  as the destination because it forwards the traffic to the ACTIVE member. 
in AWS we use LB’s only with Autoscale deployments. 

View solution in original post

3 Replies
_Val_
Admin
Admin
2 weeks ago
Jump to solution

HTTPS port on a standby GW answering probes is a normal situation. HTTPS is open in one of many scenarios, when specific blades, such as RAS VPN, Mobile access, Identity Awareness, and more, are enabled.

Why does it cause an issue for you?

0 Kudos
reybanger
Explorer
2 weeks ago
In response to _Val_
Jump to solution

Thank you for replying. This is basically to avoid session issues or asymmetric traffic. IT would be nice if Checkpoint would work in a similar way like in Azure - where the traffic from LB is forwarded only to active member. 

I am looking for some options here to point traffic to my backend servers listening on 443 using load balancer in front. 



0 Kudos
Nir_Shamir
Employee Employee
Employee
2 weeks ago
In response to reybanger
Jump to solution

What kind of deployment do you exactly have ?

from what you wrote it looks like a Cluster HA and with Clusters in AWS we use the “virtual IP”  as the destination because it forwards the traffic to the ACTIVE member. 
in AWS we use LB’s only with Autoscale deployments. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events