This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kamaladmire1
Participant
Participant
‎2023-12-14 07:59 AM

Cloudguard HA with Loadbalancer

Hi All, 

I am having issues with my test lab, same config was working previously. 

Cloudguard deployed in HA with Frontend and backend Loadbalancer.

 

Version R81.20 for both Mgmt and Cluster

Frontend subnet: 10.0.0.0/24

FW-1 10.0.0.4  FW-2 10.0.0.5  Frontend VIP: 10.0.0.6

Backend subnet: 10.0.1.0/24

FW-1 10.0.1.5     FW-2 10.0.1.6   Backend LB: 10.0.1.4

Prod Subnet: 10.1.0.0/24

Webserver IP 10.1.0.4

NO Public IP attached.

Prod Route : Picture attached  

NAT rules attached

Access Rules attached

AntiSpoofing off on both internal and external interface

FLB Load balancing rules configured and enable with Floating IP  (attached)

VNET peering setup and firewall can ping backend host and also able to ssh from firewall to backend host. 

Issue: 

same deployment previously worked traffic coming on FrontLB public IP natted to internal (backend server 10.1.0.4). 

something has recently changed on Azure Level and its to do with routing dont know what. but traffic from outside to internal/backend host is not reachable.

 

TCPDUMP:

Traffic coming from home Public IP going to FLB public IP can be seen on Eth0 and on Eth1, no traffic arrive on Backend host. 

TCPDUMP on Backend host: 

traffic going out from Host to internet can be seen on firewall logs and Firewall Eth1

backend can access Internet and tracroute shows going via active firewall. 

 

have tried everything can be possible and here to ask help, best would be someone to do the lab and can see the behaviour. 

 

Thanks 

 

 

 

 

Preview file
102 KB
Preview file
40 KB
Preview file
144 KB
Preview file
73 KB
Preview file
79 KB
Preview file
32 KB
Preview file
53 KB
Preview file
233 KB
Preview file
212 KB
0 Kudos
3 Replies
kamaladmire1
Participant
Participant
‎2023-12-15 02:08 AM

any thoughts?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-12-15 03:03 AM
In response to kamaladmire1

Have you checked if any applicable Azure NSG has changed and verified that it allows the traffic flow?

Might otherwise be faster to consult TAC via a remote session if you suspect the actual firewall...

CCSM R77/R80/ELITE
0 Kudos
kamaladmire1
Participant
Participant
‎2023-12-15 03:14 AM
In response to Chris_Atkinson

Hi Chris, 

NSG allow traffic, I have also created an Any Any rule for both direction.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    Sort by:
    All CloudMates Events