This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2025-09-18 11:57 PM
Jump to solution

Please suggest if this is a recommended way?

Hi Team,

I have a situation as described below where a customer is transitioning to the SAP S4 RISE platform, which is a SaaS-based solution from SAP. This platform is hosted on Azure, and we have CGNS implemented within our tenant. Peering has been established between the two tenants to facilitate communication. According to SAP, they do not permit NONRFC1918 addresses, which are public IP addresses; therefore, we have been instructed to perform source NAT for all incoming traffic on the CheckPoint Firewall.

Given that in Azure CGNS we have both FLB and BLB, it is necessary to configure port forwarding rules on the FLB, followed by NAT on the firewall. In this scenario, our objective is to achieve the following:

OS : INTERNET
OD : LocalGatewayExternal
OP: 5678 (Forwarded by LB) 
XS : 10.10.20.6
XD : 10.10.10.100
XP: 443

Currently, I identify two issues.

First, I must implement inbound HTTPS interception; otherwise, we will be unable to capture any attacks.

Secondly, since the Azure backend interface does not possess any VIP (AFAIK), I believe we will need to NAT the traffic behind a physical IP. Alternatively, is there another option? Or can I use any other IP which will failover as well in case of firewall failover?

In the event of a failover, I am curious about how the connection would function if I am NATing it behind a physical IP. Furthermore, since SAP does not permit non-RFC1918 subnets, I am uncertain about how outbound traffic will be transmitted initiated from S4 RISE hosts. I am quite confident that it cannot.

 

Please suggest

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Preview file
48 KB
1 Solution

Accepted Solutions
Blason_R
MVP Gold
MVP Gold
‎2025-09-29 10:17 AM
In response to the_rock
Jump to solution

Well I achieved it using DynamicObject. Just like LocalGateway External I created LocalGatewayInternal with Primary firewall Internal IP on primary firewall and secondary LAN ip on seconday firewall. Then used that object in NAT rule base and that resolved the issue.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

View solution in original post

6 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-09-19 09:02 AM
Jump to solution

Excellent query...also curious to see what best way is.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2025-09-23 12:41 AM
In response to the_rock
Jump to solution

No one replied so definitely this is not a ideal way - i believe routing it through ALB or WAF seems to be a ideal way or at least to have a reverse proxy

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-09-23 03:51 AM
In response to Blason_R
Jump to solution

Not sure if TAC could assist with that question?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-09-23 04:43 AM
In response to Blason_R
Jump to solution

SAP and CGNS are high level topics not many people have to cope with. Informative SR# with TAC is suggested, maybe CP Professional Services could help here ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
MVP Diamond
MVP Diamond
‎2025-09-23 04:51 AM
In response to G_W_Albrecht
Jump to solution

Yes sir, very good advice!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2025-09-29 10:17 AM
In response to the_rock
Jump to solution

Well I achieved it using DynamicObject. Just like LocalGateway External I created LocalGatewayInternal with Primary firewall Internal IP on primary firewall and secondary LAN ip on seconday firewall. Then used that object in NAT rule base and that resolved the issue.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events