This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
Leader
Leader
‎2021-10-04 12:25 AM

Cloudguard IAAS Routing doubt and S2S VPN

Hi Team,

 

Just a confusion about routing in Azure and would really appreicate if someone can help me on the doubt

I am going to setup Check Point cluster in Azure which will have 

  • VNET - 10.1.0.0/16
  • FE Subnet - 10.1.1.0/24
  • BE Subnet- 10.1.2.0/24
  • FE-FW1 - 10.1.1.4/24
  • FE-FW2 - 10.1.1.5/24
  • FE Cluster - 10.1.1.7/24
  • BE-FW1 - 10.1.2.4/24
  • BE-FW2 - 10.1.2.5/24
  • BE Cluster - 10.1.2.7/24
  • DB Subnet - 10.1.3.0/24 
  • App Subnet - 10.1.4.0/24
  • BE LB - 10.1.2.6/24
  • FE LB - 10.1.1.6/24

In this case for DB & App Subnet UDRs will be

0.0.0.0/0  NH 10.1.2.4 or 10.1.2.6?

for 10.1.0.0/16 NH 10.1.2.4 or 10.1.2.6?

Plus I have received two public IP addresses for both the VMs. Since I wanted to configure VPN which Public IP should be configured on VPN Link selection page?

 

TIA

Blason R

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
7 Replies
Nir_Shamir
Employee Employee
Employee
‎2021-10-04 12:40 AM

Hi,

first thing, CP cluster in Azure has these Private IPs:

Frontend - 1 per GW + VIP

Backend - 1 per GW (no VIP).

also you get two LBs:

1 Frontend (external) - has Public IPs only.

1 backend (internal) - has internal private IPs only.

 

when you route traffic from your peered vNets , you route the default GW to the internal LB Private IP.

 

Now regarding the VPN , both GWs get Public IPs that are attached to their frontend IPs interfaces. these are usually used to manage the GWs from a Management Server located outside their environment (On-Premise or other Cloud Vendor).

The VIP IP address is attached to the Primary Member Frontend Interface. it also has a Public IP attached to it. you use this IP for VPN configuration. 

0 Kudos
Blason_R
Leader
Leader
‎2021-10-04 02:31 AM
In response to Nir_Shamir

Hi Nir,

Thanks for the reply; now regarding public IP do we get VIP as well for public IP adress? and those needs to be defined in Topology as well?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2021-10-04 02:40 AM
In response to Blason_R

you have 3 Public IPs:

1) 1 per GW - to manage the GWs from remote location.

2) 1 on the VIP - used usually for VPN.

check the Azure High-Availability admin guide for the configuration:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

anyway , you don't define the Public IPs on the Topology of the Cluster , only the Private IPs.

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

0 Kudos
Blason_R
Leader
Leader
‎2021-10-06 09:18 PM
In response to Nir_Shamir

Hey Guys,

I am still confused on Inbound NAT rule by disassociating public IP from one vm to External LB. I have setup whose outbound flow is working fine however I am having issues with Inbound NAT. This is cluster deployment

My vnet is 10.2.0.0/16

Web Subnet is 10.2.2.0/24 and web server IP is 10.2.2.4

Public IP associated was 20.30.40.50; now I have disassociated the public IP and then as per SKU I could not attach to LB hence I decided to go with new public IP.

Now while adding Inbound NAT rule in Azure portal

Front End new Public IP is 13.82.65.188

Service : HTTP

Port: 80

What will be my Target virtual machine? cpcluster1 or cpcluster2?

What will be my member-ip ? cluster VIP or member-ip1 or member-ip2

Target port I am sending at 9944 [ This would go to Check Point]

***********

Then on Check Point

Osource = Any

Odst =? [Its not accepting cluster object] [

OService = 9944

Xsource = original

xlate Dst = 10.2.2.4 [web server IP]

xlate port = 80

 

This is what error I am getting on portal

Gateway: cpazurecluster
Policy: Standard
Status: Failed
- Invalid Object 'cpazurecluster' in Original Dst of Address Translation Rule 2. The valid objects are: host, gateway, network, address range and router.
- Policy verification failed.
--------------------------------------------------------------------------------

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Preview file
32 KB
Preview file
59 KB
0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2021-10-06 11:22 PM
In response to Blason_R

Hi,

Check the admin guide from " Configure NAT Rules"

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

 

this will explain the NAT and the load balancer configuration.

0 Kudos
Matthias_Haas
Advisor
‎2021-10-07 06:17 AM
In response to Blason_R

Hi, Blason,

I would use Load Balancing Rules (instead of a Inbound NAT Rule). If you enable "Floating IP (direct server return)", which is disabled per default, the LB will not NAT the Destination IP. In this case you will see the Public IP on the Firewall and you can do the NAT accordingly. That´s more straightforward in my opinion.

If using a Standard LB, please make sure to have a Network Security Group which has to allow  the traffic (this is not necessary if you use a Basic LB which is sufficient and allows the traffic per default).

0 Kudos
Prabulingam_N1
Advisor
‎2021-10-25 11:42 PM
In response to Blason_R

Hi Blason,  

in cpnat.jpg - for NAT Rule - use attached NAT rule (Create Dynamic Object)
in webnet.jpg - for Network IP Configuration - use cluster-vip (not member IP) - attached & LoadBalancing Rule

 

Regards, Prabu

Preview file
27 KB
Preview file
11 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events