This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alejandro_Ferna
Explorer
‎2019-06-07 02:00 AM

Inspecting and detecting original source address of TCP NLB inbound traffic

Hello,

I have a AWS TCP Network Load Balancer with proxy protocol v2 enabled. This LB routes the traffic to a logical server IP with a group of internal web servers. The ports it use are 30080 and 30443, configured as TCP service with HTTP/S protocol but it seems that IPS are not inspecting this traffic.

Futhermore, I can see the real client IP address in the web server's log, so it seems proxy protocol are working, but in the Checkpoint log I only see the internal LB addresses so I can not differentiate between real traffic and LB health check traffic.

 

I appreciate any kind of suggestion or hint.

Thank you, regards!

0 Kudos
6 Replies
Vladimir
Champion
Champion
‎2019-06-07 12:55 PM

For HTTPS, you may have to add server cert to the Check Point:

image.png

and for HTTP, it should work by default, but just in case it is different in AWS, check the "Non-standard ports" setting here:

image.png

and in App Control URLF Advanced Settings.

 

Also, take a look at this thread, perhaps it could be helpful for pinning down the real traffic:

https://community.checkpoint.com/t5/CloudGuard-IaaS/X-Forwarded-Headers-for-Logical-Server-in-vSEC-f...

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-08 04:30 PM
In response to Vladimir

Your post is missing the link to the relevant thread.
Vladimir
Champion
Champion
‎2019-06-08 04:43 PM
In response to PhoneBoy

@PhoneBoy , thanks for pointing it out: got one of those errors when pasting into the post, but it allowed the process to complete sans the URL.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-08 07:36 PM
In response to Vladimir

The errors you're talking about seem to be transient in nature. Haven't been able to see it consistently enough to report it...
0 Kudos
Alejandro_Ferna
Explorer
‎2019-06-10 02:33 AM
In response to Vladimir

Hi Vladimir, thank you for your help.

I ve checked the "non-standard port" setting and it is enabled in both blades.

I'm checking the IPS with this URL that triggers the "web server exposed git repository..." protection:

http://{public-ip}/.git/config

When I put a web server public IP address the IPS works, prevent the connection and creates a log.

When I put the LB public IP address nothing is detected. I can see it in the checkpoint log with the LB internal IP address as a source and the connection reaches the web server.

 

I have read the thread as well and confirmed that the proxy protocol are enabled in the LB. The real source IP appears correctly in the web servers behind the logical servers, but in Checkpoint log:

Captura de pantalla 2019-06-10 a las 11.03.57.png

 

 

 

 

 

 

Currently, the 10.89.240.23 is a logical server. I will change it for a host object and check if it affects in some way.

I will uptade this thread with the results.

Regards!

0 Kudos
Alejandro_Ferna
Explorer
‎2019-06-11 07:35 AM
In response to Alejandro_Ferna

Checked with host object instead of logical server but nothing changes. The IPS does not apply the protections and still appears the LB internal address as a source address in the tracker.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events