NetAdminFTW
Participant

Something just doesn’t click for me regarding CloudGuard and AWS gateway load balancer

Hey guys,

I am in the process of deploying CloudGuard for the first time (and Check Point in general), and even after going through the various admin guides, there is something that I just don’t understand. 

I am required to use transit gateway and gateway load balancer for the solution. The transit gateway and gateway load balancer are already made.
I have spoke VPCs and a security VPC, every VPC has 2 AZs, and they are all attached to the transit gateway.
I have deployed a gateway load balancer with 2 GLBEs, each in its own AZ.

All north-south traffic is going through a Site-to-Site VPN that is attached to the transit gateway for an on-prem network, and I’m not allowed to use NAT / Internet Gateway at all.

I manually deployed 2 CloudGuard ec2 instances each in its own AZ, and I’m supposed to add them to on prem security management server.

My question is this (sorry if this is a newb question): are they supposed to be joined as a cluster? Or 2 standalone machines?
And if I add them as a cluster, I don’t use elastic IP, so what do I type in as the “Cluster IP”?

Thanks!

9 Replies
Shay_Levin
Admin

Hi,

Please watch the video here, for step-by-step deployment.

the_rock
Legend

I will answer your questions to the best of my ability/knowledge, but I might be totally wrong, so take it with a grain of salt : - )

As far as your 1st question, are they supposed to be joined as a cluster or 2 standalone machines? My answer is either one works, and by standalone, I guess you mean 2 single gateways, as standalone refers to both gw+mgmt as one machine. We have a customer that uses 2 single firewalls and it works totally fine.

As far as the 2nd question, I checked my notes from when I worked with a government client and we had a CP cloud architect help us (cheers to Dan, he is AMAZING), and I see my note that he told us for a cluster, you do NOT need an internal interface, only external and sync for the cluster to work right. We never used elastic IP that I can recall.

As far as traffic flow, what I reckon is that traffic would hit load balancers, then firewall and then reverse proxy, but again, that depends on the setup.

Hope I helped you some and if not, apologies mate.

Best,

Andy

NetAdminFTW
Participant

Hi, 

Thank you for your answers, and yes, I meant 2 single gateways, and that is what I did, but I ran into a problem (which I will detail below). Regarding your first customer, does he also work with transit gateway and gateway load balancer? If so, did you deploy the machines manually or by using the CloudFormation templates?

Now about my problem..

I deployed the machines using the unified image from the AWS marketplace called “CloudGuard with threat prevention and sandblast BYOL”.

I also made the gateway load balancer stuff along with the associated VPC endpoints, adjusted the routing where necessary, opened UDP port 6081 on the associated Security Group behind the ec2 machines, etc.

Now when I try to initiate some traffic to a server in a different VPC, it doesn’t work and I don’t see the traffic logs in SmartConsole, except that every time I initiate traffic I see the associated IP address that the GLB uses sending UDP 6081 packets to the FW.

I took a PCAP through both tcpdump and fw monitor, and there I see the traffic (for example RDP) encapsulated with the GENEVE header, but I only see SYNs, no response back from the server, meaning the firewall gets the packet and it is supposed to transfer it (the only rule at the moment is allow any any) but it doesn’t happen and it won’t show in SmartConsole. If I try to telnet from the firewall console itself to the server it works, so this is not an NACL or SG problem.

the_rock
Legend

So, I recall almost 3 years ago, when a customer switched from Cisco to CP, we did all S1C instance for mgmt and on-prem gateways, but a guy from the CP PS team helped them configure firewalls in Azure. Now, I know 100% he did it from the actual template, I think they call that Azure marketplace or something. There is a thing called CME (cloud management extension), but I suppose that’s way different on AWS (just my educated guess).

To answer your initial question, yes, transit gateways and gateway load balancers, right. I really think if you can send a simple network diagram outlining the issue, I might be able to assist more. Honestly, I don’t care if it’s a Paint diagram, as long as I can clearly see what’s failing : - )

Best,

Andy

Shay_Levin
Admin
(Accepted Solution)

GWLB communicates with the GW over the GENEVE protocol, and it’s only configured by the dedicated CloudFormation template.

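The two posts above describe the symptom (GENEVE-encapsulated SYNs on UDP 6081 reaching the gateway, no reply ever seen) and the cause (the GWLB/GENEVE handling is only set up by the vendor template). The following is an added example, not code from this thread, Check Point or AWS: a small GENEVE decoder a defender can run over captured UDP 6081 payloads to see the inner flow and the GWLB metadata, plus a check that a packet sent back to the GWLB carries the same outer header it arrived with, which is what the load balancer requires before it will forward the return traffic. Header layout follows RFC 8926; the option class 0x0108 with types 1 to 3 and the bare-IPv4 inner payload are taken from AWS's Gateway Load Balancer documentation. All addresses, IDs and the flow cookie in the sample packet are constructed.

```python
"""Decode AWS GWLB GENEVE frames (UDP 6081) and check the return path.

Constructed example, not Check Point's or AWS's code. Header layout per
RFC 8926; option class 0x0108 / types 1-3 are what AWS documents for GWLB
(endpoint ENI ID, attachment ID, flow cookie). The inner payload is the
raw IPv4 packet (GENEVE protocol field 0x0800), as AWS documents.
"""
import struct

GENEVE_UDP_PORT = 6081
AWS_GWLB_OPTION_CLASS = 0x0108
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}


def parse_geneve(payload: bytes) -> dict:
    """Parse the outer GENEVE header and its TLV options; keep the inner packet."""
    if len(payload) < 8:
        raise ValueError("truncated GENEVE header")
    first, proto, vni_res = struct.unpack("!HHI", payload[:8])
    version = first >> 14                 # Ver (2 bits)
    opt_len_words = (first >> 8) & 0x3F   # Opt Len in 4-byte words (6 bits)
    oam = bool(first & 0x80)              # O flag
    critical = bool(first & 0x40)         # C flag
    vni = vni_res >> 8                    # 24-bit VNI, 8 reserved bits
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    header_len = 8 + opt_len_words * 4
    if len(payload) < header_len:
        raise ValueError("truncated GENEVE options")
    options, pos = [], 8
    while pos < header_len:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", payload[pos:pos + 4])
        data_len = (len_byte & 0x1F) * 4  # low 5 bits: data length in words
        data = payload[pos + 4:pos + 4 + data_len]
        if len(data) != data_len:
            raise ValueError("truncated option data")
        options.append({"class": opt_class, "type": opt_type, "data": data})
        pos += 4 + data_len
    return {"version": version, "oam": oam, "critical": critical,
            "protocol": proto, "vni": vni, "options": options,
            "header_len": header_len, "inner": payload[header_len:]}


def gwlb_metadata(parsed: dict) -> dict:
    """Pull the AWS-defined options out of a parsed GENEVE header."""
    meta = {}
    for opt in parsed["options"]:
        if opt["class"] != AWS_GWLB_OPTION_CLASS:
            continue
        name = AWS_OPTION_NAMES.get(opt["type"])
        if name is not None:
            meta[name] = int.from_bytes(opt["data"], "big")
    return meta


def inner_flow(parsed: dict) -> tuple:
    """Return (ip_proto, src, dst, sport, dport) of the encapsulated IPv4 packet."""
    if parsed["protocol"] != 0x0800:
        raise ValueError("only IPv4 inner packets handled here")
    ip = parsed["inner"]
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return ip[9], src, dst, sport, dport


def return_path_ok(ingress: bytes, egress: bytes) -> bool:
    """GWLB only accepts return packets whose outer GENEVE header matches."""
    hl = parse_geneve(ingress)["header_len"]
    return len(egress) >= hl and egress[:hl] == ingress[:hl]


def build_geneve(vni: int, options: list, inner: bytes, protocol: int = 0x0800) -> bytes:
    """Encode a GENEVE frame; options are (class, type, data) with 4-byte-aligned data."""
    opt_bytes = b""
    for opt_class, opt_type, data in options:
        if len(data) % 4:
            raise ValueError("option data must be a multiple of 4 bytes")
        opt_bytes += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    first = (len(opt_bytes) // 4) << 8
    return struct.pack("!HHI", first, protocol, vni << 8) + opt_bytes + inner


def sample_tcp_syn(src="10.1.0.10", dst="10.2.0.20", sport=50000, dport=3389) -> bytes:
    """Constructed IPv4/TCP SYN (checksums zeroed) standing in for the RDP attempt."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


# Constructed GWLB-style options: ENI ID, attachment ID (8 bytes), flow cookie (4 bytes).
SAMPLE_OPTIONS = [(AWS_GWLB_OPTION_CLASS, 1, bytes.fromhex("0102030405060708")),
                  (AWS_GWLB_OPTION_CLASS, 2, bytes.fromhex("1112131415161718")),
                  (AWS_GWLB_OPTION_CLASS, 3, bytes.fromhex("deadbeef"))]
SAMPLE_FRAME = build_geneve(0xABCDE, SAMPLE_OPTIONS, sample_tcp_syn())

if __name__ == "__main__":
    parsed = parse_geneve(SAMPLE_FRAME)
    print("inner flow:", inner_flow(parsed))
    print("gwlb metadata:", {k: hex(v) for k, v in gwlb_metadata(parsed).items()})
    # An egress frame that drops the options is exactly what GWLB will not forward.
    bad = build_geneve(0xABCDE, [], sample_tcp_syn())
    print("return path ok (same header):", return_path_ok(SAMPLE_FRAME, SAMPLE_FRAME))
    print("return path ok (options stripped):", return_path_ok(SAMPLE_FRAME, bad))
```

To use it on a real capture, feed the UDP payload of each port 6081 datagram from the PCAP to `parse_geneve`; if the inner 5-tuple shows the SYNs arriving but no frame with the same outer header ever leaves the gateway, the appliance is not completing the GWLB exchange, which matches the behaviour of an image that was not deployed through the GENEVE-aware template.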
NetAdminFTW
Participant

That’s what my colleague and I thought.

We will try to deploy it with the template and see how it goes.

the_rock
Legend

It’s pretty much the same for all the other major fw vendors.

Best,

Andy

Shay_Levin
Admin

It will save you time if you watch the video.

Please watch the video here, for step-by-step deployment.

NetAdminFTW
Participant

Thanks for the video. I ran the template (had to modify it a little bit because of the IMDSv2 requirement) and it is working as expected.
