kb1 (Collaborator)

Check Point Azure front end load balancer use case


So we have deployed Check Point Azure firewalls in a cluster (1 active, 1 standby) and are trying to figure out what the use of the front end load balancer is. For our use case, users will be coming in from the outside to the servers behind the firewalls, and servers on the inside will be initiating connections as well, so what is the use of the front end LB in this case, or in any case for that matter? Can I just delete it?

Thank You in advance!


Accepted Solution

Nir_Shamir (Employee)

In Azure, our cluster can only have one public VIP.

If you need to publish many applications on different public IPs, you can do it with the Frontend LB.

You can add more public IPs to the Frontend LB and it will forward the traffic towards the cluster and from there to your internal servers.

You can see how to do it in the admin guide:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

6 Replies
PhoneBoy (Admin)

If you’re deploying an Active/Standby cluster, a load balancer isn’t needed.
It’s more useful when you are using an auto scale group (instead of clustering) for the firewalls.

Blason_R (Advisor)

@Nir_Shamir I am going to deploy the cluster in an existing customer's topology, and their web servers are being protected by a third-party WAF solution which is forwarding the traffic to the CNAME of the servers in Azure. In that case I feel incoming traffic would not even be able to be scanned by Check Point, and the cluster topology might not even work?

Nir_Shamir (Employee)

If you need to deploy the cluster into a working topology, then there would be some architecture changes.

We need to understand what the purpose of this firewall will be, what assets it needs to protect, etc.

Blason_R (Advisor)

Hi,

My VNet is 10.1.1.0/24 and I have 4 subnets running, which are DB/APP/WEB/UAT. Currently 3 web servers are being accessed through a third-party WAF, while all those subnets do not have internet access and mostly have NSGs running on all of them.

I am going to deploy Check Point by carving two new subnets, called Front end and Back end, from 10.1.1.0/24.

Then deploy the cluster and define UDRs to route all those 4 subnets behind the Check Point cluster VIP. However, since those 3 web servers are configured behind the WAF, I am wondering how I integrate those behind Check Point as a static NAT, since I believe it would take the system route table; plus, on the third-party WAF they have defined CNAMEs of the existing public IPs, which would change if I add a few more public IPs on the front-end LB.
Nir_Shamir (Employee)

Do you plan to put the WAF in front of the cluster or behind it?

In front:

You need to have the WAF access via the firewall towards the servers for health checks and access.

No changes are needed in NAT and CNAME because the WAF is doing that.

Behind:

The CNAME / public IP from the WAF needs to move to the Frontend LB, and you open ports / NAT towards the WAF in the firewall. The WAF will need to have an internal IP and not a public IP, and you need to make sure it has access towards the servers.

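The two places in this thread where the Frontend LB does the work are the same mechanical step: Nir_Shamir's accepted answer (add another public IP to the Frontend LB so a second application is published through the cluster) and the "Behind" case in the last reply (the WAF's public IP moves to the Frontend LB and the cluster NATs to the WAF's internal IP). The script below is an added example that makes that step concrete; it is not from the thread, from Check Point's deployment templates or from the admin guide. It uses the Azure CLI to create a dedicated static Standard-SKU public IP, attach it to the existing Frontend LB as a new frontend IP configuration, and add a load-balancing rule from that frontend to the cluster's backend pool. The resource group, region, load balancer, backend pool and health probe names are assumptions and must match what the CloudGuard HA template actually deployed; the rule's floating IP setting, and the NAT rule on the cluster towards the internal server (or the WAF's internal IP), are deliberately left to the admin guide. By default the script only prints the `az` commands (DRY_RUN=1) so it can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example: publish one more application (or the WAF) on its own public IP
# through the Frontend LB of a CloudGuard HA cluster in Azure. Not from the
# thread or from Check Point; every name below is an assumption.
#
# Usage: sh publish_app.sh APP FRONTEND_PORT [BACKEND_PORT]
#        DRY_RUN=0 sh publish_app.sh app2 443 8443   # actually run az
set -eu

RG="${RG:-rg-chkp-ha}"             # assumed resource group of the cluster
LOCATION="${LOCATION:-westeurope}" # assumed region
LB="${LB:-frontend-lb}"            # assumed name of the Frontend LB the HA template deployed
POOL="${POOL:-frontend-lb-pool}"   # assumed backend pool holding both cluster members
PROBE="${PROBE:-health-probe}"     # assumed health probe already defined on the Frontend LB
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the az commands, 0 = execute them

# run: print the command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# publish_app APP FRONTEND_PORT [BACKEND_PORT]
# 1. a dedicated static Standard-SKU public IP (a Standard LB needs Standard IPs)
# 2. a new frontend IP configuration on the existing Frontend LB using that IP
# 3. a load-balancing rule from that frontend to the cluster backend pool
# The cluster then NATs the traffic to the internal server (or to the WAF's
# internal IP in the "WAF behind the cluster" case); that NAT rule is
# configured on the Check Point side per the admin guide, not here.
publish_app() {
  app="$1"; fport="$2"; bport="${3:-$2}"
  run az network public-ip create -g "$RG" -l "$LOCATION" -n "pip-$app" \
      --sku Standard --allocation-method Static
  run az network lb frontend-ip create -g "$RG" --lb-name "$LB" -n "fe-$app" \
      --public-ip-address "pip-$app"
  run az network lb rule create -g "$RG" --lb-name "$LB" -n "rule-$app-$fport" \
      --protocol Tcp --frontend-port "$fport" --backend-port "$bport" \
      --frontend-ip-name "fe-$app" --backend-pool-name "$POOL" --probe-name "$PROBE"
}

# Only act when invoked with arguments; sourcing the file just defines the function.
if [ "$#" -ge 2 ]; then
  publish_app "$@"
fi
```

Run it once per published application (or once for the WAF, with the port the WAF listens on); each run adds one more public IP and one more frontend configuration to the same Frontend LB, which is exactly the "more public IPs on the Frontend LB" the accepted answer describes. The CNAME on the third-party WAF, or at the DNS provider, then points at the new public IP rather than at the cluster VIP.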