mehtasiddha
Participant

Health Check Fails on AWS External Application Load Balancer for a Security Gateway

I have attached an external application load balancer to my security gateway in AWS. The health check on port 80 is always failing, even after changing the health check settings according to https://community.checkpoint.com/t5/Cloud-Network-Security/AWS-LB-sandwich-does-not-come-up-healthy-.... I am using gateway version R81.10. Is there any solution to this problem?

6 Replies
Nir_Shamir
Employee

Make sure you have all the right Access and NAT rules to access the application from the Load Balancers.

They need to health-check the application.

mehtasiddha
Participant

The application load balancer is in front of the gateway listening on port 80 and forwarding the traffic to the gateway. But the health checks at the gateway are failing. 

Nir_Shamir
Employee (Accepted Solution)

The GW needs to forward the port 80 health checks to the application. The GW is not listening on port 80.

mehtasiddha
Participant

But now I am facing a new issue: the HTTP traffic is not being replied to. I am receiving a connection timeout error while trying to reach the internal servers running on port 80 via the external LB DNS name attached to the gateway. What could be causing the connection timeout error?

Nir_Shamir
Employee

First check access to the web server by logging in to one of the FW instances and using curl or telnet to the web server. If it works, run fw monitor / cppcap on the GW and check whether the traffic is coming in and out of the GW, being NATed, etc.

JoSec
Collaborator

If you have an ALB as a frontend to one firewall in each AZ...then read further.

Did you create a source NAT rule for the ALB subnet so it comes from an IP not in your VPC CIDR? A different IP for each AZ subnet, for which you would then have a route on the app subnet that routes the traffic to each firewall's ENI in each AZ. Also, your firewall rule will have to allow the inbound traffic.

Also...

1. Check the firewall's SG and the subnet NACL attached to the subnet of the ALB... You need an SG rule to allow the health check.

2. Check the SG, subnet NACL and subnet route table attached to the firewall's second interface in the routing subnet.

3. Check the SG, subnet NACL and subnet route table where the application is located. Also, you need to route return traffic to the firewall's internal ENI.

4. You have to add static routes to the firewalls as well to route to the backend subnets since the firewalls do not know about the AWS routes. Example, to get to 192.168.2.0/25 GW 192.168.2.1 and obviously different GW for a firewall on another subnet.

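An offline way to walk items 1 and 4 of the checklist above, written here as an added illustration rather than code from the thread or from Check Point: it evaluates constructed SG, NACL and static-route sets (CIDRs, rule numbers and the 10.0.1.0/24 ALB subnet are assumptions; the 192.168.2.0/25 via 192.168.2.1 route is the one from the post) against a TCP/80 probe from an ALB node, applying the AWS semantics that SGs are stateful and allow-only while NACLs are ordered, stateless and default-deny.

```python
import ipaddress

def sg_allows(rules, src_ip, port):
    """Security groups are allow-only and stateful: one matching ingress rule is enough."""
    src = ipaddress.ip_address(src_ip)
    return any(lo <= port <= hi and src in ipaddress.ip_network(cidr)
               for cidr, lo, hi in rules)

def nacl_allows(entries, ip, port):
    """NACLs are evaluated in rule-number order and are stateless: first match wins, default deny."""
    addr = ipaddress.ip_address(ip)
    for _num, cidr, lo, hi, action in sorted(entries):
        if lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

def route_for(routes, dst_ip):
    """Longest-prefix match over the firewall's static routes; None means item 4 is missing."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(cidr), gw) for cidr, gw in routes
               if addr in ipaddress.ip_network(cidr)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def health_check_path(alb_ip, fw_sg, nacl_in, nacl_out, routes, app_ip):
    """Return the checklist items that fail for a TCP/80 probe from alb_ip; [] means the path looks right."""
    problems = []
    if not sg_allows(fw_sg, alb_ip, 80):
        problems.append("1: firewall SG has no ingress rule for TCP/80 from the ALB subnet")
    if not nacl_allows(nacl_in, alb_ip, 80):
        problems.append("1: subnet NACL blocks TCP/80 inbound from the ALB subnet")
    # NACLs are stateless, so the reply to the probe's ephemeral source port needs its own outbound allow
    if not all(nacl_allows(nacl_out, alb_ip, p) for p in (1024, 65535)):
        problems.append("1: subnet NACL lacks an outbound allow for ephemeral ports back to the ALB")
    if route_for(routes, app_ip) is None:
        problems.append("4: firewall has no static route towards the backend subnet")
    return problems

# Constructed sample data (not from any real account): ALB nodes assumed in 10.0.1.0/24,
# backend subnet and gateway taken from the thread's example.
ALB_IP = "10.0.1.25"
FW_SG = [("10.0.1.0/24", 80, 80)]                      # (cidr, from_port, to_port)
NACL_IN = [(100, "10.0.1.0/24", 80, 80, "allow")]      # (rule_no, cidr, from, to, action)
NACL_OUT = [(100, "0.0.0.0/0", 1024, 65535, "allow")]
ROUTES = [("192.168.2.0/25", "192.168.2.1")]            # (cidr, next_hop)

if __name__ == "__main__":
    print(health_check_path(ALB_IP, FW_SG, NACL_IN, NACL_OUT, ROUTES, "192.168.2.10") or "path OK")
    print(health_check_path(ALB_IP, [], NACL_IN, [], ROUTES, "192.168.3.10"))
```

Items 2 and 3 are the same SG/NACL/route checks applied to the routing-subnet interface and the application subnet, so the same functions can be run with those rule sets.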