This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Colfer
Contributor
‎2017-10-12 06:04 AM

Stealth Rule In Azure VSec Policy

Hi Gang

I deployed an Azure Vsec Cluster and followed the SKs etc and it's and running fine. I'm starting to build out the policy and have run up against a problem.

Normally I would have the stealth rule as the 2nd or third rule, but when I try to allow nated traffic through to resources on the inside, it is getting dropped by the stealth rule

For Example:

Number: 2774078
Date: 12Oct2017
Time: 13:10:55
Interface: eth0
Origin: 52.169.50.242
Type: Log
Action: Drop
Service: TCP-8088 (8088)
Source Port: 54326
Source: ext_host_95.44.141.143 (95.44.141.143)
Destination: azure-external-int-fw1 (10.10.50.10)
Protocol: tcp
Rule: 3
Rule UID: {4DC1865D-5CF9-4D2A-8B84-7CF435A7BAAE}
Rule Name: Stealth
Current Rule Number: 4-wr-dub-azure1-pol
Information: inzone: External
outzone: External
Product: Security Gateway/Management
Product Family: Network
Policy Info: Policy Name: wr-dub-azure1-pol
Created at: Tue Oct 10 10:43:16 2017
Installed from: irb-dub-mgmt1

Do I need to put the rule which allows this traffic above the Stealth Rule? 

Will this mean, that when I publish an App for the internet will I have an any rule above the Stealth Rule?

I had a look for best practices regarding building out policies in Azure, but could find very little.

Could somebody please inform me of the best way to build out a fw policy in CP Azure cluster.

Best regards

John

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2017-10-12 03:42 PM

When you're protecting public websites in Azure, traffic isn't being routed through the vSEC gateway, but is being "proxied" in a way.

This means traffic must terminate on the vSEC instance--traffic a regular stealth rule will block.

You have to account for this.

In general, you might want to look at the reference architecture articles linked here: https://community.checkpoint.com/message/6026-reference-architecture-for-vsec-public-cloud?sr=search...

0 Kudos
John_Colfer
Contributor
‎2017-10-13 12:36 AM
In response to PhoneBoy

Thanks Dameon

I had had a look at these articles prior to posting here, but didn't find a satisfactory answer. Correct me if I'm wrong, but it seems to me that to allow HTTPS traffic to a web app protected by the firewall you need to do the following

  1. Publish a public IP in Azure (say 52.51.50.49) which accepts traffic on port 443
  2. Setup a UDR which forwards traffic received at 52.51.50.49 on port 443 to the external IP of the CP Instance (say 10.50.1.10) on a different port say 8081
  3. On the CP Instance you must then have a rule that allows any traffic to 10.50.1.10 on port 8081
  4. Then have a NAT rule which translates the packet to HTTPS

Am I correct with the above steps?

If so, is it safe to have an "any" rule like this to the external IP of your gateway?

Best regards

John

0 Kudos
PhoneBoy
Admin
Admin
‎2017-10-13 10:04 AM
In response to John_Colfer

That all looks correct.

"Any" is fine in this case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events