This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Thompso
Participant
‎2020-03-21 06:57 AM

Control which azure cloudguard instance receives traffic

Hello all,

I have r80.30 cloudguard in azure scaleset fronted by standard lb. How can I control which instance in the scaleset receives traffic from the lb? Is the best way to block the health probes on port 8117 on the specific instance? If yes, what is the best way to do that?

thanks

0 Kudos
4 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2020-03-21 07:51 AM

Why do you want to control traffic to a gateway?

Solutions:

1) You can change the order in the ClusterXL object like in a real ClusterXl. So you can control the direction. <<< Best way:-)

2) For maintenance work you can also start a "clusterXL_admin down" on a gateway.

3) The monitoring of port 8117 is included in the implied rules. So you may have to change the implied rules in the global properties and add a drop rule. I don't think that's a good idea!

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Michael_Thompso
Participant
‎2020-03-21 03:28 PM
In response to HeikoAnkenbrand

thanks for your reply.

To answer your question, I want to be able perform maintenance on the instances in the scaleset. In this case apply the latest hotfix. Reading the Microsoft documentation on standard load balancers, if the health probe fails for a particular instance it will redirect new traffic to another instance. It will also let the current sessions terminate on their own. This is what I want so that there is no disruption of traffic. AWS makes this easy by just deregistering the instance from the target group. 

My azure cloudguard is in a scaleset so it is not configured to use clusterXL. there isn’t a cluster object defined in smart console. The cme service creates only gateway objects. In this case I don’t think option 1 or 2 will work. Unless I am missing something

0 Kudos
Matthias_Haas
Advisor
‎2020-03-24 01:07 AM
In response to Michael_Thompso

the Health Check Port is controlled by the kernel parameter  "cloud_balancer_port":

[Expert@gw]# fw ctl get int cloud_balancer_port

cloud_balancer_port = 8117

 

this is also defined in /var/opt/fw.boot/modules/fwkern.conf

so you could try to modify the parameter on the fly like

fw ctl set int cloud_balancer_port 8119

 

at least on my instance, the healt check was answered by a "RST" after the modification but not sure what the LB is doing

0 Kudos
Michael_Thompso
Participant
‎2020-03-25 05:07 PM
In response to Matthias_Haas

I will test this in my lab. Thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events