Simon_Macpherso
Advisor

CloudGuard Network for AWS Security Cluster R81.20

I have deployed a Check Point CloudGuard Network Security Cluster into an existing VPC on AWS using terraform at https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/cluster and added to Smart Console using the following guide.

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_Cluster_Deplo...

The active gateway does not have an internet access.

$FWDIR/scripts/aws_ha_test.py script is failing when attempting to connect to ec2.us-west-1.amazonaws.com:443.

Testing cluster interface configuration...
Cluster interface configuration tested successfully

Testing connection to ec2.us-west-1.amazonaws.com:443...
Traceback (most recent call last):
File "/opt/CPsuite-R81.20/fw1/scripts/aws_ha_test.py", line 155, in test
subprocess.check_call(cmd)
File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/subprocess.py", line 363, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['nc', '-w', '5', '-z', 'ec2.us-west-1.amazonaws.com', '443']' returned non-zero exit status 1.
Error:
Failed to connect to the AWS API endpoint
Please verify that outgoing connections over TCP port 443 (HTTPS) to the AWS
endpoint are allowed by the firewall security policy.
See:
http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region

Regards,
Simon

7 Replies
G_W_Albrecht
Legend

You wrote: $FWDIR/scripts/aws_ha_test.py script is failing when attempting to connect to ec2.us-west-1.amazonaws.com:443.

You know that the connection should be possible, but the script is failing? Are these outgoing connections over TCP port 443 (HTTPS) to the AWS endpoint allowed by the firewall security policy?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Nir_Shamir
Employee

Does the VM have any access to that URL?

Can you run curl_cli -v -k "https://ec2.us-west-1.amazonaws.com" and see that it can connect?
Simon_Macpherso
Advisor

curl_cli -v -k "https://ec2.us-west-1.amazonaws.com" fails to connect

Simon_Macpherso
Advisor

There is a hide NAT at the bottom of the NAT policy for the public-facing subnet to translate all egress traffic from all internal networks to the external private IP allocated as cluster virtual IP for the public subnet - interface-0 (external). You can see it in one of the screenshots attached, but I have included the details below.

Original Source: All_Internet_Net (10.0.0.0/8)

Original Destination: Any

Original Services: Any

Translated Source: AZR_USW1_VMC_NAT (IP allocated as cluster virtual IP for public subnet - interface-0 (external))

Translated Destination: Original

Translated Services: Original

When I disable the NAT, connectivity to ec2.us-west-1.amazonaws.com from both active and standby members succeeds, i.e. curl_cli -v -k "https://ec2.us-west-1.amazonaws.com".
Simon_Macpherso
Advisor

I incorrectly configured the virtual cluster IP; it has since been modified to the correct IP allocated from the public subnet by AWS. Re the hide NAT rule, the object used in the translated source field has been updated to use the correct virtual cluster IP and the rule has been re-enabled. Egress traffic is now working and being translated as configured.

However, during failing over to the standby member, the route target for 0.0.0.0/0 in the private subnet is not updated to point to the new active member ENI.

The route is only updated when the hide NAT rule is disabled.
Simon_Macpherso
Advisor

After adding the following NAT rules for each member, where the original source is the external private IP, egress works after failover.

Original Source: member A eth0 IP

Original Destination: Any

Original Services: Any

Translated Source: Original

Translated Destination: Original

Translated Services: Original


Original Source: member B eth0 IP

Original Destination: Any

Original Services: Any

Translated Source: Original

Translated Destination: Original

Translated Services: Original


Regards.

Simon

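To make the ordering point in the two posts above concrete: the cluster member's own traffic to the AWS API has a source address inside 10.0.0.0/8, so the hide rule at the bottom of the policy rewrites it to the cluster VIP unless a more specific rule above it matches first. The following is an added illustration written for this thread, not code from the original post and not Check Point's NAT implementation; it models first-match NAT lookup with constructed sample addresses (the VIP, the member eth0 IPs and a workload host are all hypothetical; the thread does not give the real values) and shows what the members' API calls look like with and without the per-member no-NAT rules placed above the hide rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses (hypothetical; the real values are not in the thread).
CLUSTER_VIP = "10.0.1.100"      # cluster virtual IP on the public subnet, interface-0 (external)
MEMBER_A_ETH0 = "10.0.1.10"     # member A eth0 private IP
MEMBER_B_ETH0 = "10.0.1.11"     # member B eth0 private IP
WORKLOAD_HOST = "10.0.2.50"     # a host on the private subnet whose egress should be hidden
INTERNAL_NETS = "10.0.0.0/8"    # the All_Internet_Net object from the thread


@dataclass
class NatRule:
    name: str
    orig_src: ipaddress.IPv4Network   # Original Source column
    xlate_src: Optional[str]          # Translated Source; None means "Original" (no translation)


def build_rulebase(with_member_exemptions: bool) -> List[NatRule]:
    """Build the NAT rulebase top to bottom, as SmartConsole evaluates it (first match wins)."""
    rules: List[NatRule] = []
    if with_member_exemptions:
        # The two per-member rules from the last post: Original Source = member eth0 IP,
        # Translated Source = Original.  They must sit ABOVE the hide rule to take effect.
        rules.append(NatRule("no-NAT member A", ipaddress.ip_network(MEMBER_A_ETH0 + "/32"), None))
        rules.append(NatRule("no-NAT member B", ipaddress.ip_network(MEMBER_B_ETH0 + "/32"), None))
    # The hide rule at the bottom: everything from 10.0.0.0/8 is hidden behind the cluster VIP.
    rules.append(NatRule("hide NAT egress", ipaddress.ip_network(INTERNAL_NETS), CLUSTER_VIP))
    return rules


def translate_source(rules: List[NatRule], src: str) -> Tuple[str, str]:
    """First-match lookup: return (translated source, name of the rule that matched)."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if ip in rule.orig_src:
            return (rule.xlate_src or src, rule.name)
    return (src, "no match")


def member_api_call_sources(with_member_exemptions: bool) -> Dict[str, str]:
    """Source address each member presents to the AWS API endpoint (e.g. during the
    failover route-table update), under the given rulebase."""
    rules = build_rulebase(with_member_exemptions)
    return {m: translate_source(rules, m)[0] for m in (MEMBER_A_ETH0, MEMBER_B_ETH0)}


if __name__ == "__main__":
    for exempt in (False, True):
        print(f"member exemptions above hide rule: {exempt}")
        for member, seen_as in member_api_call_sources(exempt).items():
            print(f"  member {member} -> AWS API sees {seen_as}")
        # The workload host is hidden behind the VIP in both cases; the exemptions are
        # specific to the members' own addresses and do not widen egress.
        print(f"  workload {WORKLOAD_HOST} -> {translate_source(build_rulebase(exempt), WORKLOAD_HOST)}")
```

Without the exemptions, both members' API traffic is rewritten to the VIP, which is the situation the thread describes where the 0.0.0.0/0 route only updates with the hide rule disabled; with them, each member keeps its own eth0 address while ordinary workload egress is still hidden. The same first-match logic applies to any rule you add for the members' management or API traffic: if it lands below the hide rule, it never matches.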
Simon_Macpherso
Advisor

I have an unrelated question, is a cluster virtual IP required for the private subnet interface? Or is it sufficient to configure the interface strictly as a Sync interface?
