- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Re: Stealth Rule In Azure VSec Policy
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stealth Rule In Azure VSec Policy
Hi Gang
I deployed an Azure Vsec Cluster and followed the SKs etc and it's and running fine. I'm starting to build out the policy and have run up against a problem.
Normally I would have the stealth rule as the 2nd or third rule, but when I try to allow nated traffic through to resources on the inside, it is getting dropped by the stealth rule
For Example:
Number: 2774078
Date: 12Oct2017
Time: 13:10:55
Interface: eth0
Origin: 52.169.50.242
Type: Log
Action: Drop
Service: TCP-8088 (8088)
Source Port: 54326
Source: ext_host_95.44.141.143 (95.44.141.143)
Destination: azure-external-int-fw1 (10.10.50.10)
Protocol: tcp
Rule: 3
Rule UID: {4DC1865D-5CF9-4D2A-8B84-7CF435A7BAAE}
Rule Name: Stealth
Current Rule Number: 4-wr-dub-azure1-pol
Information: inzone: External
outzone: External
Product: Security Gateway/Management
Product Family: Network
Policy Info: Policy Name: wr-dub-azure1-pol
Created at: Tue Oct 10 10:43:16 2017
Installed from: irb-dub-mgmt1
Do I need to put the rule which allows this traffic above the Stealth Rule?
Will this mean, that when I publish an App for the internet will I have an any rule above the Stealth Rule?
I had a look for best practices regarding building out policies in Azure, but could find very little.
Could somebody please inform me of the best way to build out a fw policy in CP Azure cluster.
Best regards
John
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you're protecting public websites in Azure, traffic isn't being routed through the vSEC gateway, but is being "proxied" in a way.
This means traffic must terminate on the vSEC instance--traffic a regular stealth rule will block.
You have to account for this.
In general, you might want to look at the reference architecture articles linked here: https://community.checkpoint.com/message/6026-reference-architecture-for-vsec-public-cloud?sr=search...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Dameon
I had had a look at these articles prior to posting here, but didn't find a satisfactory answer. Correct me if I'm wrong, but it seems to me that to allow HTTPS traffic to a web app protected by the firewall you need to do the following
- Publish a public IP in Azure (say 52.51.50.49) which accepts traffic on port 443
- Setup a UDR which forwards traffic received at 52.51.50.49 on port 443 to the external IP of the CP Instance (say 10.50.1.10) on a different port say 8081
- On the CP Instance you must then have a rule that allows any traffic to 10.50.1.10 on port 8081
- Then have a NAT rule which translates the packet to HTTPS
Am I correct with the above steps?
If so, is it safe to have an "any" rule like this to the external IP of your gateway?
Best regards
John
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That all looks correct.
"Any" is fine in this case.