This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AK2
Collaborator
‎2023-04-10 10:24 PM
Jump to solution

UDP through Azure Load Balancer as part of CloudGuard VMSS

Hi,

I have deployed a standard Scale Set, CloudGuard R81.20

TCP traffic works fine, for example outbound https to internet is NAT-ed correctly and connects ok.

However, I can't send UDP traffic to the internet. For example, ntpdate 0.pool.ntp.org

I logged a case with TAC. They confirmed UDP traffic is leaving the Check Point gateway correctly and suggested I open a case with Microsoft. I'm not in a position to do this.

The load balancer is the standard backend-lb deployed by the Azure Marketplace solution. The loadbalancer rule is the standard "HA" one (all ports, all protocols) deployed in the same way.

I tried separating into a TCP LB rule and a UDP lb rule. This did not help.

I have reproduced the issue in a freshly built test environment.

Any help/suggestions appreciated.

Cheers

Andrew

 

 

0 Kudos
1 Solution

Accepted Solutions
AK2
Collaborator
‎2023-04-12 02:34 PM
Jump to solution

On the "frontend-lb" created by the Check Point CloudGuard deployment scripts, adding an "Outbound rule"  of protocol UDP got outbound UDP working correctly.

I think the logic here is that outbound SNAT for TCP is automagically created because the deployment script creates an example inbound NAT rule, however as there is no example UDP inbound rule, there is no corresponding automagic UDP outbound SNAT rule created. Creating an outbound rule for UDP corrects this. I also tried creating an inbound UDP rule (similar to the example TCP one) instead of an outbound UDP rule, however this did not work in my case.

udp rule.JPG

 

 

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2023-04-12 09:30 AM
Jump to solution

This is likely caused by a networking issue in Azure if the traffic is leaving the gateway correctly.
In which case, you will have to troubleshoot the issue there (possibly with Microsoft's help).

0 Kudos
AK2
Collaborator
‎2023-04-12 02:34 PM
Jump to solution

On the "frontend-lb" created by the Check Point CloudGuard deployment scripts, adding an "Outbound rule"  of protocol UDP got outbound UDP working correctly.

I think the logic here is that outbound SNAT for TCP is automagically created because the deployment script creates an example inbound NAT rule, however as there is no example UDP inbound rule, there is no corresponding automagic UDP outbound SNAT rule created. Creating an outbound rule for UDP corrects this. I also tried creating an inbound UDP rule (similar to the example TCP one) instead of an outbound UDP rule, however this did not work in my case.

udp rule.JPG

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events