This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
rohan_savant
Participant
‎2019-08-09 06:31 AM

Can i import an Internal ELB from aws and use it in the NAT and security policy

we are trying to setup an internal ALB and nat to the Public IP of the On-prem firewall so any inbound connections go from the public ip get NAT'ed and go to the internal  ALB via VPN and VGW, i do not see any load balancers when i import objects using cloudguard controller

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-08-09 11:33 AM

While I can't speak to whether the CloudGuard Controller can import them or not, I do know in general we handle ELB objects using Logical Server objects.
This is required because ELBs are load balanced with DNS.
Using the Logical Server object as described in SK handles this and performs the necessary NAT.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Boris_Karnaukh
Participant
‎2019-11-03 04:52 AM
In response to PhoneBoy

sk104249 deals with scenario when CheckPoint vSEC runs in AWS VPC.

When CheckPoint gateway sits on-premises and has VPN tunnel to Amazon VPC this solution fails to match ELB traffic. One can try using domain objects, but it is still not the best solution.

PhoneBoy
Admin
Admin
‎2019-11-04 01:31 AM
In response to Boris_Karnaukh

Domain objects don't work with NAT.
Even if the ELB could be imported with CloudGuard Connector, you wouldn't be able to use it in the NAT policy anyway.
But you could use a Dynamic Object and update it based on a DNS record.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Pre-R80-10-dynamic-objects-from-D...