Diyon
Explorer

CP in AWS

Hi everyone,

Is it possible to deploy CloudGuard GWLB in AWS using the centralized security VPC scheme (transparent inspection) without subnet tagging?

_Val_
Admin

@Shay_Levin can you please answer?

Nir_Shamir
Employee

Hi,

Yes, you don't really need the subnet tagging. Most of our deployments are done without subnet tagging, using a centralized security VPC.
Diyon
Explorer

Hi @Nir_Shamir, okay, I want to make sure again. So if we deploy a centralized security VPC (without subnet tagging and without a transit gateway), is it possible to inspect north-south traffic?

If possible, any guidance would help us.

Nir_Shamir
Employee

Yes.

It will inspect any traffic you push through the GWLB endpoints.

Just make sure to take care of routing in and out.

Check this GWLB infrastructure SK, which has all the architecture options:

https://support.checkpoint.com/results/sk/sk174447

Diyon
Explorer

Hi @Nir_Shamir, I have deployed a centralized security VPC. But I have a problem in the spoke VPC, which is using a NAT gateway infrastructure. If I apply the GWLBe concept with a NAT gateway (spoke VPC), the instances with private IPs behind the NAT gateway cannot reach the internet. The routing table is as shown in the attachment.

Any solution?

Nir_Shamir
Employee

This is how it should be:

To Internet:

VM > GWLBe > Cloudguard instances > GWLBe > NAT GW > Internet.

Back from Internet:

Internet > NAT GW > GWLBe > CloudGuard instances > GWLBe > VM

Can you send a topology of the network you created so I can understand the flow of it?

Diyon
Explorer

Hi @Nir_Shamir, thank you very much for your response.

So I need to add a new subnet for the NAT allocation, right?

VM > GWLBe > Cloudguard instances > GWLBe > NAT GW > Internet ==> this means the topology flow is in the spoke VPC, right?

Here is the attachment for the topology. Please advise.

Thank you

Nir_Shamir
Employee

Yes, you will need to build the NAT GWs in different subnets to allow a different route table back to the GWLBe for the return traffic.

Diyon
Explorer

Hi @Nir_Shamir, I have been deploying a centralized security VPC. But I got some issues in the spoke VPC using a NAT gateway infrastructure. When using a NAT gateway, the private IPs behind the NAT gateway can't reach the internet and can't be inspected by the security VPC (Check Point). The overall scheme from the spoke VPC using the NAT gateway connects to the security VPC just GWLBe to GWLBe via VPC endpoint (without any transit gateway). The routing table configuration is already correct, like this ==> routing table of the private subnet: destination 0.0.0.0/0 to the VPC endpoint; routing table of the GWLBe subnet: 0.0.0.0/0 to the NAT gateway.

Any solution for this case? Please help us.

Nir_Shamir
Employee

The NAT GW needs to be on a different subnet (if it isn't already).

It needs to have a separate routing table pointing to the private subnet via the GWLBe.

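The route-table layout Nir_Shamir describes across these replies, as an added example that is not part of the thread: a small Python simulation of the spoke VPC's route tables (the CIDRs and hop names are constructed assumptions) that traces the outbound and return path of a packet and shows what goes wrong when the NAT GW shares the GWLBe subnet's route table instead of having its own.

```python
import ipaddress

# Constructed spoke-VPC layout for the flow described in this thread (assumed
# CIDRs, not from the posts): a private subnet, a GWLB endpoint subnet and a
# separate NAT GW subnet, each with its own route table. Targets are hop names.
VPC = "10.0.0.0/16"
PRIVATE = "10.0.1.0/24"

ROUTE_TABLES = {
    # private subnet: all non-local traffic goes to the GWLB endpoint
    "rt-private": {VPC: "local", "0.0.0.0/0": "gwlbe"},
    # GWLBe subnet: inspected traffic continues to the NAT GW
    "rt-gwlbe": {VPC: "local", "0.0.0.0/0": "natgw"},
    # NAT GW subnet: return traffic for the private subnet is forced back
    # through the GWLBe (more specific than the local /16), the rest to the IGW
    "rt-natgw": {VPC: "local", PRIVATE: "gwlbe", "0.0.0.0/0": "igw"},
}

# Correct design: NAT GW in its own subnet using rt-natgw
GOOD = {"vm": "rt-private", "gwlbe": "rt-gwlbe", "natgw": "rt-natgw"}
# Misconfiguration the thread runs into: NAT GW placed in the GWLBe subnet
BAD = {"vm": "rt-private", "gwlbe": "rt-gwlbe", "natgw": "rt-gwlbe"}


def lookup(table, dst):
    """Longest-prefix match over one route table, as the VPC router does."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(c), t) for c, t in table.items()
               if addr in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def trace(start, dst, hop_table, max_hops=6):
    """Forward a packet hop by hop; each hop uses its own subnet's route table.
    Ends at the IGW, at the local destination ('vm'), or flags a routing loop."""
    path = [start]
    for _ in range(max_hops):
        target = lookup(ROUTE_TABLES[hop_table[path[-1]]], dst)
        if target == "local":
            in_private = ipaddress.ip_address(dst) in ipaddress.ip_network(PRIVATE)
            return path + ["vm" if in_private else "local"]
        if target == "igw":
            return path + ["igw"]
        if target in path:  # a hop routed back to a hop already visited
            return path + [target, "LOOP"]
        path.append(target)
    return path + ["LOOP"]


if __name__ == "__main__":
    print("good out :", trace("vm", "8.8.8.8", GOOD))      # vm > gwlbe > natgw > igw
    print("good back:", trace("natgw", "10.0.1.10", GOOD))  # natgw > gwlbe > vm
    print("bad out  :", trace("vm", "8.8.8.8", BAD))       # NAT GW routes to itself
    print("bad back :", trace("natgw", "10.0.1.10", BAD))   # return path skips the GWLBe
```

In the BAD layout the NAT GW's default route points back at itself, so the instance never reaches the internet, and any return traffic that did arrive would go straight to the VM without inspection; both symptoms match the thread.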