Static NAT configuration with Load balacer in Azure Vsec
we have R80.20 deployed on Azure Cloud, we have to configure Staic NAT with multiple server.
Where request coming with 443 and SSH, we have approx 100 servers which needs to configure Static NAT.
Can we configure same as AWS where we can add secondary IP on both firewall and attched public IP with firewall external subnet through the load balacer and configure static NAT.
Or if we have anu other option?
Please provide me solution for the same.
You can add secondary interfaces, but this limits your capability to use some of the templates (VMSS for example), also adds complexity, the best option is to create a Basic LB since this can have 200 frontend IP, then use the Load Balancing Rule if you will use several GW or the NAT Rule if you will only use 1 and don't care for a Probe, using the front port with 443 and 22 but the backend ports with one high per Server, for example 10443 and 10022 for "Server 1", in the configuration of the GW or GWs use NAT rules to take the XX443 and XXX22 port request and send to the proper server with the original request port 443 and 22.
This don't require a lot of IP addresses on the GW and let you use VMSS to have autoscalable performance.
The Load Balancer needs to be a Standard LB in Azure.
The Basic Load Balancer doesn't do the Health Probe properly with the Cloudguard boxes. A colleague of mine found out this the hard way!
As stated yes all you do is
1.) Add a Public IP to the Load Balancer, will have to be Standard to Attach to the Standard Load Balacer
2.) Determine the Servers that IP listen on and determine a Service Port to Translate each one to and then use the Health Probe to Load Balance the Inbound Traffic to the External Interface and a specific port
3.) On the Firewall take the specific port and translate through to the Internal IP of the Azure Machine/Load Balancer and the origional Service Port.
Covers how to do the work.
Internet > External Load Balancer > CloudGuard IaaS Gateways > Internal Load Balancer > Servers
This allows both your gateways and your servers to autoscale as needed.
I assume the Load Balancing is primarily for HTTPS.
If you need to reach each server individually with SSH (assuming for maintenance purposes), you're probably better off creating a jumphost (using a nano instance) with a single NAT and appropriate Security Groups/ACLs in place.
We add the public IP in External Load Balancer, where my Frontend IP is New Elastic IP (port 443) backend IP is Firewall external IPs (Port 8081)
Load Balace Policy Pics is Attached.
and also create Rule Base and NAT
src(ANY) --> DST (Fw External Interface IPs) --> servoces (All) --->Allow
Original SRC(ANY) --> ORG DST(Firewall EXTERNAL IPs -->ORG SERVICE(8081) --> TRANSLATE DST (Server IP) --> Trans PORT (443)
But while trying to initiate traffic from from internet and try to reach with 443 port, traffic is not reaching to firewall.
please suggest how we can resolve the same.
From the Admin Guide
By default, the template you deploy creates an External Load Balancer, with the name frontend-lb, which faces the Internet.
The External Load Balancer sends health probes to TCP port 8117 to determine the health of the CloudGuard IaaS Security Gateways.
Under Notes then
Do not change the health probe port.
Your HealthProbe Port is on 8081 not the defaut one of 8117. So your Health Probe is wrong. Is not like a regular load balancer where need to check against the service port.
In this case there is a Single Health Probe on port 8117 that is used for ALL of the FrontEnd IP that you configure no matter what port want to send the traffic on.
For every IP then send to the same IP ie the two Cluster Members but ONLY the Active Box in the Cluster will respond
sk110194 is unfortunately a bit out of date and you need to refer to
Also Step 8 in the Guide is creating the Dynamic Object named LocalGatewayExternal
This is used instead of defining hosts that represent the External Private Interface IP addresses
We did not change Health Prob Port, we create a new rule for new Elastic IP to traslate 443 traffic 8081 and create a STATIC NAT rule to translate external IP and PORT.
we have multiple firewall (with diffrent zone) with same policy package. can we use dynamic object if we have to configure NAT for all ZONE?
The Dynamic Object translates on the Gateway that the Rule is on to be the ExternalInterface IP. This is done on the Gateways/Cluster Members themselves.
If you are configuring NAT Rules on your Load Balancer then definitely configuring wrong!
Your Screenshot shows a Load Balancing Rule so presume you meanth Load Balancing Rule
Under Health probe then has
Every IP that publish should be using the same health probe setting and should be on the port specified in the guide. TCP port 8117.
At the moment then based on your screenshot then probing on 8081 which is NOT the port that should be probing on, That is the port that you forwarding the traffic too.
In my case I recently configured a LB in Azure to be able to obtain more public IP addresses in our FW CloudGuard.
I have followed the stages of a video in a UDEMY course.
In the video the example that shows the object that represents the FW is configured with its public IP address. In my case it is different, my object that represents the FW is configured with a private address. Hence my doubt when it comes to guiding me in all stages.
In the video they create a host that will represent the private IP address of the FW. And it is the object that they use later when creating the rules. But in my case only the object that represents my FW (Interoperable devices) has the private ip address. My question would be, can I use my FW object to create the rules as in the example that I share here?