GCP external TCP LB health check
Hi,
We are deploying CloudGuard firewalls in GCP in MIG mode. A GCP external TCP LB will be set in front of the CloudGuard firewalls.
The LB will be internet facing and in a single region.
We are struggling to attach a health check in the LB backend configuration, as we can only use an HTTP one. The protocol choice is grayed out, as you can see below.
Do you know of a workaround to set a TCP health check? FYI, we don't use an internal LB for the moment.
Regards
Accepted Solutions
Hi @AyGit
When selecting TCP load balancing, you have 2 options for backend types.
You can set a TCP health check when selecting the Backend service as the backend type.
FYI - R&D is currently working on a new MIG solution that will handle HC automatically after a GW has been provisioned by CME. The ETA for the solution release is June 2021.
Hi @arielto
Thanks for your feedback. The solution is working as you described.
Furthermore, with the new MIG template, it would also be great if we had a solution for Cluster/HA deployment using a private Cluster VIP address, for architectures without an SMS public IP address.
Regards
Hi @AyGit
Glad to hear you are all set.
What do you mean by private Cluster VIP, and without SMS public IP address?
Please note that there is a GCP limitation stating we can't attach more than 1 public IP per NIC.
Also, cluster members should have public IP for GCP API calls.
Thanks,
Ariel
Hi @arielto ,
We are constrained by the network interconnection between the SMS and the GCP environment, which are connected through a VPN IPSec link. I attached a diagram which represents our network architecture.
So we use the GCP public IP for the VIP and the internal nic1 private IP for each member in order to have the connection with GCP. And I supposed that the communication with GCP was only through the Cluster VIP (I have some error messages with the VIP public IP address in the cloud_proxy.elg log file).
Regards
Hi @AyGit ,
Unfortunately, I can't see the image in a good enough quality.
Please send me a personal mail with the image attached to get an understanding of the environment.
Thanks,
Ariel