This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
flachance
Advisor
‎2020-02-27 08:12 AM

do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration?

Hi

we're setting up CloudGuard Iaas High Availability in Azure (R80.30)
I can access the two firewall members when using their respective external IPs. But connectivity using the cluster-vip external IP doesn't seem to work. Trying to establish a VPN tunnel or just pinging doesn't work. I'm not seeing anything on the Active firewall with fw monitor
do you need to add the cluster-vip external IP to the LoadBalancerFrontend IP configuration?

thanks

0 Kudos
5 Replies
Matthias_Haas
Advisor
‎2020-02-28 04:55 AM

Hi,

you should have a NSG attached to the external subnet ?

If so, please check if the access to the  VIP is allowed

Matthias

 

0 Kudos
flachance
Advisor
‎2020-02-28 06:21 AM
In response to Matthias_Haas

Mathias,

 

This is the NSG attached to the frontend subnet

Inbound

AllowAllInbound Any Any Any Any Allow

AllowVnetInbound Any Any VirtualNetwork VirtualNetwork Allow

AllowAzureLBInbound Any Any AzureLoadBalancer Any Allow

DenyAllInbound Any Any Any Any Deny

 

Outbound

AllowVnetOutbound Any any VirtualNetwork VirtualNetwork Allow

AllowInternetOutbound Any Any Any Internet Allow

DenyAllOutbound Any Any Any Any Deny

0 Kudos
Matthias_Haas
Advisor
‎2020-02-28 06:37 AM
In response to flachance

ok, and your VIP is attached to the external interface of the master  I guess ?

Unbenannt.png

 

 

0 Kudos
ChristianCastil
Employee
Employee
‎2020-02-28 09:11 AM

to your specific question, no, you don't need it, the VIP for VPN purposes on the CG IaaS HA Template is a "floating IP" attached as secondary to the NIC of the active member, this job is done by a service principal deployed by the template if selected (this is by default); attached image.

If you selected "NO" that can cause the no modification of this IP to the active member also.

 

 

Preview file
21 KB
0 Kudos
flachance
Advisor
‎2020-03-02 06:17 AM
In response to ChristianCastil

So. The IP for cluster was assigned but to the standby member. We've been able to fix that with https://community.checkpoint.com/t5/CloudGuard-IaaS/Vsec-Cluster-in-Azure-anyone-know-how-to/m-p/796...

So now we can ping the vip and see it's being directed to the proper active member. We still can't establish a VPN tunnel but that might need another post...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events