This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Prabulingam_N1
Advisor
‎2021-11-10 02:52 AM

CheckPoint Cloudguard Iaas in Azure

Dear Team,

 

Requesting anyone can help on the attached setup

Need to reach FROM internal VM 192.168.16.10   TO    On-Prem VM 192.168.94.3 via ExpressRouteCircuit

We have VNET Peering between CheckPoint Vnet & ExpressRouteCircuit, ExpressRouteCircuit & On-Prem Vnet

1) CheckPoint Iaas Cluster in Azure Cloud
2) Internal VM (192.168.16.10, 17.10) has Route table pointing to BackendLB

Checked the packet capture in CheckPoint External interface: It leaves external interface, but not reaching On-Prem

How can i assure that this packet leaving CheckPoint External Interface passes via VNET Peering to ER Circuit and further

Any idea will be helpful.

 

Regards, Prabu

Preview file
19 KB
0 Kudos
5 Replies
Nir_Shamir
Employee Employee
Employee
‎2021-11-10 03:39 AM

Hi,

Does the Route table on the External Subnet of the Cluster points to the right default GW towards your On-Premise networks ?

 

0 Kudos
Prabulingam_N1
Advisor
‎2021-11-11 02:16 AM
In response to Nir_Shamir

Hi Nir,

I had created Route table for Frontend (External) subnet with next hop as ER only (since I did not get default GW IP of OnPrem)

If I get default GW of On-Prem I will apply.

Meanwhile how can we make sure that traffic destined to On-Prem actually passes via VNet Peer (my cloud<-->ER)

Is there any I have to point towards VNet peering?

 

Regards, Prabu

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2021-11-11 02:55 AM
In response to Prabulingam_N1

run 'fw monitor' on the Firewall to see the traffic.

you need to see:

i,I from incoming interface

o,O from outgoing interface.

if you have these four then traffic is going through the Firewall and exiting via the NIC.

0 Kudos
Prabulingam_N1
Advisor
‎2021-11-11 04:26 AM
In response to Nir_Shamir

Hi Nir,

Yes I could see i,I,o,O the packet exits via External NIC of FW.

But how can we assure that this packet is passing inside VNET Peering and reaches other end On-Prem?

Or how can we force FW to send the packet inside the VNET Peering?

 

Regards, Prabu

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2021-11-11 05:25 AM
In response to Prabulingam_N1

The only next hop the Firewall has is it's Azure Subnet Router on his Vnet. from there Azure takes charge.

You can contact Azure Support and they can see those packets in the backend and see if they are directed to the right place.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events