johnnyringo
Collaborator

Custom routes for CloudGuard IaaS in GCP

I have a question about route injection when using CloudGuard High Availability Clusters on Google Cloud Platform.  I know that this behavior is determined in $FWDIR/conf/gcp-ha.json which looks like this, by default:

{
    "debug": false,
    "public_ip": "mycluster01-primary-cluster-address",
    "secondary_public_ip": "mycluster01-secondary-cluster-address",
    "dest_ranges": ["0.0.0.0/0"]
}

Instead of a default route, I'd like to advertise the RFC-1918 routes to the internal VPC network.  So I modify the last line like this:

    "dest_ranges": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

And perform a reboot. I'd expect all 3 routes to be injected, but I only see 192.168.0.0/16.

0 Kudos
5 Replies
Eva_K
Employee

Hi johnnyringo,

Can you elaborate on why you are trying to change the route on the gateway itself? Routing generally is set on the other side (GCP portal).

I also found this link that might be relevant - https://cloud.google.com/vpc/docs/routes

0 Kudos
johnnyringo
Collaborator

With HA deployments, the static routes must be injected by the Check Point gateway for outbound traffic to be correctly routed to the active member.

Simply adding static routes in GCP is fine for standalones, but not for HA clusters.

natanelm
Employee

Hi johnnyringo,

We added support for multiple destination ranges only for higher builds; please see sk147032 for the full list.
You are probably using an older build, so in order to use multiple destinations, please upgrade to the latest build.
For more details, see the CloudGuard Network High Availability for Google Cloud Platform R80.30 and Higher Deployment Guide.

If that is not the case, please contact Check Point Support and request to open a ticket.

Thanks,
Natanel

(1)
johnnyringo
Collaborator

OK, thanks. I took a closer look at $FWDIR/scripts/gcp_had.py and see this line:

def add_route(name, network, priority, next_hop_instance, range=None, project=None):
    if not range:
        range = conf['dest_ranges'][0]

To support multiple ranges, it would of course need to treat dest_ranges as a list, and then do a for loop or something similar.

We are currently on R80.40 Jumbo HF T158 with no plans to upgrade until next year. Could the gcp_had.py script be copied from an R81.10 gateway and still work in R80.40?

0 Kudos
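As an added illustration of the behaviour discussed in this post (this is not the product's gcp_had.py and not code posted by anyone in the thread): it parses a constructed copy of gcp-ha.json, validates every dest_ranges entry as a CIDR, and contrasts the first-entry-only behaviour with a loop that produces one uniquely named route per range. The functions, the route-spec dictionaries and the next-hop value are hypothetical; the real daemon's API is not reproduced here.

```python
import ipaddress
import json

# Constructed sample of $FWDIR/conf/gcp-ha.json with three RFC 1918 ranges.
SAMPLE_CONF = """{
    "debug": false,
    "public_ip": "mycluster01-primary-cluster-address",
    "secondary_public_ip": "mycluster01-secondary-cluster-address",
    "dest_ranges": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
}"""


def load_dest_ranges(conf_text):
    """Parse the config and validate each dest_ranges entry as an IPv4 CIDR.

    A bare string is tolerated and wrapped in a list; a malformed entry or a
    network with host bits set raises ValueError before any route is built,
    so a typo cannot silently drop to a partial route set.
    """
    conf = json.loads(conf_text)
    ranges = conf.get("dest_ranges", [])
    if isinstance(ranges, str):
        ranges = [ranges]
    return [str(ipaddress.IPv4Network(entry, strict=True)) for entry in ranges]


def route_name(base_name, cidr):
    """Derive a distinct route name per range; GCP route names must be unique."""
    suffix = cidr.replace(".", "-").replace("/", "-")
    return f"{base_name}-{suffix}"


def routes_first_only(ranges, base_name, next_hop):
    """Behaviour described in the thread: only dest_ranges[0] is ever used."""
    return [{"name": base_name, "dest_range": ranges[0], "next_hop": next_hop}]


def routes_all(ranges, base_name, next_hop):
    """Loop version: one route specification for every configured range."""
    return [
        {"name": route_name(base_name, cidr), "dest_range": cidr, "next_hop": next_hop}
        for cidr in ranges
    ]


if __name__ == "__main__":
    ranges = load_dest_ranges(SAMPLE_CONF)
    print("first-only:", routes_first_only(ranges, "mycluster01-route", "member-a"))
    print("all:", routes_all(ranges, "mycluster01-route", "member-a"))
```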
natanelm
Employee

We do not officially support it, but yes, it should work for you.

If you choose to take the risk, please follow the below:

  1. Back up the gcp_had.py script on both instances.
     Run: mv $FWDIR/scripts/gcp_had.py $FWDIR/scripts/gcp_had.py.backup
  2. Extract the attached script and put it under $FWDIR/scripts/gcp_had.py on both instances.
  3. Kill the GCP daemon. Run in Expert mode:
     ps aux | grep had
     killall had
  4. Make sure the process is running. Run: ps aux | grep had
  5. In Expert mode, run: cpwd_admin list | grep -E "PID|GCP_HAD"
  6. Test it again.

Thanks