Blason_R
MVP Gold

Please suggest if this is a recommended way?

Hi Team,

I have a situation as described below where a customer is transitioning to the SAP S4 RISE platform, which is a SaaS-based solution from SAP. This platform is hosted on Azure, and we have CGNS implemented within our tenant. Peering has been established between the two tenants to facilitate communication. According to SAP, they do not permit non-RFC1918 addresses, which are public IP addresses; therefore, we have been instructed to perform source NAT for all incoming traffic on the Check Point Firewall.

Given that in Azure CGNS we have both FLB and BLB, it is necessary to configure port forwarding rules on the FLB, followed by NAT on the firewall. In this scenario, our objective is to achieve the following:

OS: INTERNET
OD: LocalGatewayExternal
OP: 5678 (forwarded by LB)
XS: 10.10.20.6
XD: 10.10.10.100
XP: 443

Currently, I identify two issues.

First, I must implement inbound HTTPS interception; otherwise, we will be unable to capture any attacks.

Secondly, since the Azure backend interface does not possess any VIP (AFAIK), I believe we will need to NAT the traffic behind a physical IP. Alternatively, is there another option? Or can I use any other IP which will fail over as well in case of firewall failover?

In the event of a failover, I am curious about how the connection would function if I am NATing it behind a physical IP. Furthermore, since SAP does not permit non-RFC1918 subnets, I am uncertain about how outbound traffic initiated from S4 RISE hosts will be transmitted. I am quite confident that it cannot.

Please suggest.

Thanks and Regards,
Blason R
CCSA, CCSE, CCCS

Accepted Solutions
Blason_R
MVP Gold

Well, I achieved it using a DynamicObject. Just like LocalGatewayExternal, I created LocalGatewayInternal with the primary firewall's internal IP on the primary firewall and the secondary LAN IP on the secondary firewall. Then I used that object in the NAT rule base, and that resolved the issue.

Thanks and Regards,
Blason R
CCSA, CCSE, CCCS
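The accepted solution binds one dynamic object to each cluster member's own internal address so the translated source follows a failover. As an added example that is not from the thread, this sh script shows how that per-member binding is done from expert mode with Check Point's `dynamic_objects` command, and refuses to bind anything that is not RFC1918, which is the constraint SAP imposes here. The member hostnames and the secondary member's IP are placeholders; 10.10.20.6 is the translated source (XS) from the question, and the object still has to be defined under the same name in SmartConsole and used as the translated source in the NAT rule.

```shell
#!/bin/sh
# Added example (not from the thread). Run once on EACH cluster member in expert mode.
# dynamic_objects only sets this member's value; the NAT rule itself is built in
# SmartConsole with an object of the same name and then installed.
set -eu

OBJ="LocalGatewayInternal"    # object name used in the accepted solution

# Each member resolves the object to its OWN internal IP, which is what makes the
# translated source follow a cluster failover. Hostnames and the second IP are
# placeholders; 10.10.20.6 is the translated source (XS) from the question.
member_internal_ip() {
  case "$1" in
    fw-primary)   echo "10.10.20.6" ;;
    fw-secondary) echo "10.10.20.7" ;;
    *) return 1 ;;
  esac
}

# SAP accepts only RFC1918 sources, so validate before binding.
# Returns 0 for 10/8, 172.16/12 and 192.168/16, 1 for anything else.
is_rfc1918() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  case "$1" in 10) return 0 ;; esac
  if [ "$1" = 192 ] && [ "$2" = 168 ]; then return 0; fi
  if [ "$1" = 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  return 1
}

# Resolve this member's IP, check it, create the object and bind the address.
bind_local_internal() {
  ip=$(member_internal_ip "$1") || { echo "no internal IP mapped for $1" >&2; return 1; }
  is_rfc1918 "$ip" || { echo "$ip is not RFC1918, refusing to bind" >&2; return 1; }
  dynamic_objects -n "$OBJ" || true             # create; ignored if it already exists
  dynamic_objects -o "$OBJ" -r "$ip" "$ip" -a   # single-address range = this member's IP
  dynamic_objects -l                            # show the resulting per-member mapping
}

# Only act on a real gateway; elsewhere the functions are just defined.
if command -v dynamic_objects >/dev/null 2>&1; then
  bind_local_internal "$(hostname)"
fi
```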

6 Replies
the_rock
MVP Gold

Excellent query... also curious to see what the best way is.

Andy

Best,
Andy
Blason_R
MVP Gold

No one replied, so definitely this is not an ideal way. I believe routing it through an ALB or WAF seems to be the ideal way, or at least having a reverse proxy.

Thanks and Regards,
Blason R
CCSA, CCSE, CCCS
the_rock
MVP Gold

Not sure if TAC could assist with that question?

Best,
Andy
G_W_Albrecht
MVP Silver

SAP and CGNS are high-level topics not many people have to cope with. An informative SR# with TAC is suggested; maybe CP Professional Services could help here?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
MVP Gold

Yes sir, very good advice!

Best,
Andy