This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
israelsc
Collaborator
Collaborator
‎2024-03-01 04:05 PM
Jump to solution

Cluster HA (Azure) with Multiple VIP - NAT for internet egress

Hello everyone!


I am developing a lab (that if everything goes well will become a customer project), in this lab I am deploying an Azure HA Cluster with the Multiple VIP option.

In my cluster, I have chosen to deploy the firewalls with 3 VIP, that is, my "default" VIP + 2 additional VIP.

I can do the exposure of some test servers that I have in Azure, this through Azure FrontEnd LB rules that deploy the cluster template + firewall rules + "inbound" NAT rules.

However, if I try to make NAT rules of type "Outbound" so that my test servers can go out to the internet through any of the VIP (either the default VIP or any of the 2 additional VIP), I can only go out to the internet with my servers if I make an automatic Hide NAT from the Check Point object that represents the server with the private IP (backend subnet in Azure).
When I do this, my test server can browse the internet using the "default" VIP of the HA cluster.

But, if I try to make this Hide NAT rule "Outbound" manually and setting the default VIP or any of the other 2 VIP as "Translated Source", my server cannot browse the internet.

  • HA cluster and test servers are on separate VNETs/subnets.
  • HA cluster VNET and test server VNET are interconnected through peerings.
  • The routing tables (UDR) of my servers have only two routes, a "local" route for the servers to reach any other server on the same subnet and a "default" route for everything it does not know (0.0.0.0.0/0) to send to the Backend LB (and for the Backend LB to send the traffic to inspection with the firewalls).
  • Cluster HA and SMS for this tests are in R81.20

 

Would I have to do any additional configuration in Check Point to achieve this desired configuration with the OutBound Hide NAT where I decide which VIP the server needs to browse the internet?

Any additional configuration in Azure?

 

I hope I have explained myself, if any additional data is needed, I will gladly share it with you.

Greetings to all! I hope you can help me.

Labels
0 Kudos
1 Solution

Accepted Solutions
israelsc
Collaborator
Collaborator
‎2024-03-04 08:49 AM
In response to yairra
Jump to solution

Hello @yairra ,

I am very grateful, the comments you shared with me were the solution to my problem, thanks a lot!

I tried creating a couple of manual Hide NAT rules, using the VIP of the cluster; using the private IPs of the active cluster member in Azure, i.e. (for example):

IP 10.2.0.6 (private IP for VIP) - Public IP 172.212.126.209
IP 10.2.0.7 (private IP for my second extra VIP) - 172.212.126.218
IP 10.2.0.8 (private IP for my third extra VIP) - 172.212.127.24

I attach some images of the configuration for firewalls rules and Hide NATFirewallRule.png
HideNATrules.png

After these configurations, I was able to go out to the internet with the test server using the Hide NAT of my choice, for example:

-If I used Hide NAT 1, I was able to exit to the internet with the public IP 172.212.126.209.
-If I used the Hide NAT 2, I had access to the internet with the public IP 172.212.126.218.
-If I used Hide NAT 3, I had access to the Internet with the public IP 172.212.127.24.

This was the definitive solution, thank you very much!

 

 

 

 



View solution in original post

0 Kudos
2 Replies
yairra
Employee Alumnus
Employee Alumnus
‎2024-03-03 06:41 AM
Jump to solution

Hi @israelsc ,
You can set the automatic Hide NAT of the relevant subnet to hide behind IP address instead of behind the gateway,
In the IPv4 address field use the Private IP Address of your preferred VIP,
You can find the Private IP Address of a VIP under the IP configuration section of the active member's external NIC (in Azure portal). 

Feel free to contact if you need any assistance 🙂

Thanks,
Yair.

 

 

 

0 Kudos
israelsc
Collaborator
Collaborator
‎2024-03-04 08:49 AM
In response to yairra
Jump to solution

Hello @yairra ,

I am very grateful, the comments you shared with me were the solution to my problem, thanks a lot!

I tried creating a couple of manual Hide NAT rules, using the VIP of the cluster; using the private IPs of the active cluster member in Azure, i.e. (for example):

IP 10.2.0.6 (private IP for VIP) - Public IP 172.212.126.209
IP 10.2.0.7 (private IP for my second extra VIP) - 172.212.126.218
IP 10.2.0.8 (private IP for my third extra VIP) - 172.212.127.24

I attach some images of the configuration for firewalls rules and Hide NATFirewallRule.png
HideNATrules.png

After these configurations, I was able to go out to the internet with the test server using the Hide NAT of my choice, for example:

-If I used Hide NAT 1, I was able to exit to the internet with the public IP 172.212.126.209.
-If I used the Hide NAT 2, I had access to the internet with the public IP 172.212.126.218.
-If I used Hide NAT 3, I had access to the Internet with the public IP 172.212.127.24.

This was the definitive solution, thank you very much!

 

 

 

 



0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events