This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rohan_savant
Participant
‎2019-08-09 06:31 AM

Can i import an Internal ELB from aws and use it in the NAT and security policy

we are trying to setup an internal ALB and nat to the Public IP of the On-prem firewall so any inbound connections go from the public ip get NAT'ed and go to the internal  ALB via VPN and VGW, i do not see any load balancers when i import objects using cloudguard controller

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-08-09 11:33 AM

While I can't speak to whether the CloudGuard Controller can import them or not, I do know in general we handle ELB objects using Logical Server objects.
This is required because ELBs are load balanced with DNS.
Using the Logical Server object as described in SK handles this and performs the necessary NAT.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Boris_Karnaukh
Participant
‎2019-11-03 04:52 AM
In response to PhoneBoy

sk104249 deals with scenario when CheckPoint vSEC runs in AWS VPC.

When CheckPoint gateway sits on-premises and has VPN tunnel to Amazon VPC this solution fails to match ELB traffic. One can try using domain objects, but it is still not the best solution.

PhoneBoy
Admin
Admin
‎2019-11-04 01:31 AM
In response to Boris_Karnaukh

Domain objects don't work with NAT.
Even if the ELB could be imported with CloudGuard Connector, you wouldn't be able to use it in the NAT policy anyway.
But you could use a Dynamic Object and update it based on a DNS record.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Pre-R80-10-dynamic-objects-from-D...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events