This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
abihsot__
Advisor
‎2022-07-08 08:22 AM
Jump to solution

Cloudguard Network FW - egress NAT

Hello,

Before I reach out to TAC for an official answer, maybe someone already knows the answer

 

Is this supported? Cloudguard Network Firewall used via Gateway Load Balancer in transit GW setup

 

Two-arm mode: As shown in figure 5b below, the firewall is deployed in two-arm mode and performs both inspection as well as NAT. Some AWS partners provide firewall with NAT functionality. GWLB integrates seamlessly in such deployment mode. You don’t need to do any additional configuration changes in the GWLB. However, the firewall networking differs – one network interface is on the private subnet and the other is on public subnet. This mode requires software support from the firewall partner. Some of the GWLB partners (Palo Alto Networks, Valtix) support this feature, however consult with an AWS partner of your choice before using this mode.

 

source:

https://aws.amazon.com/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-lo...

0 Kudos
1 Solution

Accepted Solutions
Roman_Kats
Employee
Employee
‎2022-07-11 12:39 AM
In response to abihsot__
Jump to solution

Hi @abihsot__
Unfortunately NAT is not supported on Check Point Gateways behind Gateway Load balancer 
You have to use NAT Gateway
 

View solution in original post

0 Kudos
6 Replies
Vladimir
Champion
Champion
‎2022-07-08 02:48 PM
Jump to solution

I did not have a chance to try this myself, (use of public IPs on firewall interfaces in AWS), but it should work just fine, as this is basic functionality of CheckPoint gateways.

Last time I was working with CloudGuard in AWS, I was using NAT between private and public segments, but I had to associate AWS public EIP to the external interface, so there was one more NAT step being performed by AWS Internet Gateway.

 

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2022-07-09 10:15 PM
Jump to solution

Hi,

From what I know this should work , although the GWLB in TGW template we usually use have NAT Gateways for outbound NAT do deal with all the routing .

0 Kudos
abihsot__
Advisor
‎2022-07-10 11:52 PM
In response to Nir_Shamir
Jump to solution

Yes, I know, template deploys AWS NAT gateways automatically, however I was thinking if I already have checkpoint gateways, why not use them to NAT outgoing traffic. This might be interesting to try. Thank you for replies!

0 Kudos
Roman_Kats
Employee
Employee
‎2022-07-11 12:39 AM
In response to abihsot__
Jump to solution

Hi @abihsot__
Unfortunately NAT is not supported on Check Point Gateways behind Gateway Load balancer 
You have to use NAT Gateway
 

0 Kudos
abihsot__
Advisor
‎2022-07-12 04:21 AM
In response to Roman_Kats
Jump to solution

Thank you for confirmation. Any idea if this limitation could be changed in the future?

0 Kudos
Roman_Kats
Employee
Employee
‎2022-07-10 02:21 AM
Jump to solution

Hi abihsot__
In addition to Nir's reply
Architectures references can be found in the GWLB admin guide and sk:

CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment ...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events