flachance
Advisor

Do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration?

Hi

We're setting up CloudGuard IaaS High Availability in Azure (R80.30).
I can access the two firewall members when using their respective external IPs, but connectivity using the cluster-vip external IP doesn't seem to work. Trying to establish a VPN tunnel or just pinging doesn't work. I'm not seeing anything on the active firewall with fw monitor.
Do you need to add the cluster-vip external IP to the LoadBalancerFrontend IP configuration?

thanks

0 Kudos
5 Replies
Matthias_Haas
Advisor

Hi,

You should have an NSG attached to the external subnet?

If so, please check if access to the VIP is allowed.

Matthias


0 Kudos
flachance
Advisor

Matthias,


This is the NSG attached to the frontend subnet

Inbound

Name                 Port  Protocol  Source             Destination      Action
AllowAllInbound      Any   Any       Any                Any              Allow
AllowVnetInbound     Any   Any       VirtualNetwork     VirtualNetwork   Allow
AllowAzureLBInbound  Any   Any       AzureLoadBalancer  Any              Allow
DenyAllInbound       Any   Any       Any                Any              Deny

Outbound

Name                   Port  Protocol  Source          Destination      Action
AllowVnetOutbound      Any   Any       VirtualNetwork  VirtualNetwork   Allow
AllowInternetOutbound  Any   Any       Any             Internet         Allow
DenyAllOutbound        Any   Any       Any             Any              Deny

0 Kudos
Matthias_Haas
Advisor

OK, and your VIP is attached to the external interface of the master, I guess?


0 Kudos
ChristianCastil
Employee

To your specific question: no, you don't need it. The VIP for VPN purposes on the CG IaaS HA template is a "floating IP" attached as a secondary IP to the NIC of the active member. This job is done by a service principal deployed by the template if selected (this is the default); see the attached image.

If you selected "NO", that can also cause this IP not to be moved to the active member.


0 Kudos
flachance
Advisor

So, the IP for the cluster was assigned, but to the standby member. We've been able to fix that with https://community.checkpoint.com/t5/CloudGuard-IaaS/Vsec-Cluster-in-Azure-anyone-know-how-to/m-p/796...

So now we can ping the VIP and see that it's being directed to the proper active member. We still can't establish a VPN tunnel, but that might need another post...

0 Kudos
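The mechanism described in the two posts above (the cluster VIP is a public IP bound to a secondary ipconfig on the active member's external NIC, and the symptom here was that it sat on the standby member) can be checked from the outside without logging in to either gateway. The following is an added example, not Check Point's code and not the fix from the linked thread: it parses the JSON that `az network nic ip-config list -o json` returns for each member's external NIC, reports which NIC currently holds the VIP's public IP, and, if that NIC is not the active member's, emits the `az network nic ip-config delete`/`create` commands that would move the ipconfig. The resource group, NIC, ipconfig and public-IP names and the sample JSON are all constructed for illustration; confirm the az syntax against `az network nic ip-config -h` before running anything it prints.

```python
"""Find which CloudGuard HA member's external NIC carries the cluster VIP.

Added example (not Check Point's code). Input is the JSON shape produced by
`az network nic ip-config list -g <rg> --nic-name <nic> -o json`, one list per NIC.
"""
import json

# Assumed names for illustration only.
RESOURCE_GROUP = "cg-ha-rg"
VIP_PIP_NAME = "cluster-vip"          # public IP resource used as the cluster VIP
ACTIVE_NIC = "member1-eth0"           # external NIC of the member that is currently active

# Constructed sample output: the VIP ipconfig is (wrongly) on member2's NIC.
SAMPLE_AZ_OUTPUT = {
    "member1-eth0": json.loads("""[
      {"name": "ipconfig1", "primary": true, "privateIpAddress": "10.0.1.4",
       "publicIpAddress": {"id": "/subscriptions/x/resourceGroups/cg-ha-rg/providers/Microsoft.Network/publicIPAddresses/member1-pip"}}
    ]"""),
    "member2-eth0": json.loads("""[
      {"name": "ipconfig1", "primary": true, "privateIpAddress": "10.0.1.5",
       "publicIpAddress": {"id": "/subscriptions/x/resourceGroups/cg-ha-rg/providers/Microsoft.Network/publicIPAddresses/member2-pip"}},
      {"name": "cluster-vip", "primary": false, "privateIpAddress": "10.0.1.10",
       "publicIpAddress": {"id": "/subscriptions/x/resourceGroups/cg-ha-rg/providers/Microsoft.Network/publicIPAddresses/cluster-vip"}}
    ]"""),
}


def resource_name(resource_id):
    """Last path segment of an Azure resource id, i.e. the resource's name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def find_vip_holder(ipconfigs_by_nic, vip_pip_name):
    """Return (nic_name, ipconfig) for the ipconfig bound to the VIP public IP, or None."""
    for nic, cfgs in ipconfigs_by_nic.items():
        for cfg in cfgs:
            pip = cfg.get("publicIpAddress") or {}
            if pip.get("id") and resource_name(pip["id"]) == vip_pip_name:
                return nic, cfg
    return None


def vip_status(ipconfigs_by_nic, vip_pip_name, active_nic):
    """Classify the VIP placement: 'ok', 'on-standby' or 'missing'."""
    holder = find_vip_holder(ipconfigs_by_nic, vip_pip_name)
    if holder is None:
        return {"state": "missing", "nic": None, "ipconfig": None, "private_ip": None}
    nic, cfg = holder
    return {
        "state": "ok" if nic == active_nic else "on-standby",
        "nic": nic,
        "ipconfig": cfg["name"],
        "private_ip": cfg.get("privateIpAddress"),
    }


def remediation_commands(ipconfigs_by_nic, vip_pip_name, active_nic, resource_group):
    """az CLI commands (assumed syntax; verify with `az network nic ip-config -h`)
    that move the VIP ipconfig from the standby NIC to the active NIC.
    Returns an empty list when the VIP is already on the active member.
    Order matters: the public IP and private address must be released from the
    old NIC before they can be attached to the new one."""
    st = vip_status(ipconfigs_by_nic, vip_pip_name, active_nic)
    if st["state"] != "on-standby":
        return []
    return [
        f"az network nic ip-config delete --resource-group {resource_group} "
        f"--nic-name {st['nic']} --name {st['ipconfig']}",
        f"az network nic ip-config create --resource-group {resource_group} "
        f"--nic-name {active_nic} --name {st['ipconfig']} "
        f"--private-ip-address {st['private_ip']} --public-ip-address {vip_pip_name}",
    ]


if __name__ == "__main__":
    print(vip_status(SAMPLE_AZ_OUTPUT, VIP_PIP_NAME, ACTIVE_NIC))
    for cmd in remediation_commands(SAMPLE_AZ_OUTPUT, VIP_PIP_NAME, ACTIVE_NIC, RESOURCE_GROUP):
        print(cmd)
```

In a real deployment the template's service principal is what performs this move on failover, so a VIP that stays on the standby is a sign to check that principal's permissions before moving the ipconfig by hand; the script only tells you where the VIP currently is and what a manual move would look like.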
