Additional External IP (azure)

How do I add an additional external IP to the CloudGuard device in Azure? I've added the new IP in the Azure Portal and attached it to the VM, but within the GUI the IP isn't being displayed.

If I create a new alias within the CG GUI, I can't specify the IP, as it doesn't allow a /32 subnet mask.

Any help would be really appreciated.

Thanks

Tom 

Accepted Solutions

Re: Additional External IP (azure)

Hi Tom,

You could use a LB and use Load Balancing Rules (instead of an Inbound NAT Rule). If you enable "Floating IP (direct server return)", which is disabled by default, the LB will not NAT the destination IP. In this case you will see the public IP on the firewall and you can NAT accordingly.

If using a Standard LB, please make sure to have a Network Security Group that allows the traffic (this is not necessary if you use a Basic LB, which is sufficient and allows the traffic by default).

Maybe that helps?

Matthias
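
The accepted answer as a runnable procedure, added here as an example; it is not code from the thread or from Check Point. It shows the az CLI calls that build a Standard public load balancer in front of the CloudGuard gateway, one frontend per public IP, a load-balancing rule per frontend with Floating IP enabled (so the gateway receives the packet with the public IP still as its destination), and the inbound NSG rule a Standard LB needs. Resource names, region, the gateway NIC and ipconfig names, and the health-probe port are assumptions. The script prints the commands (dry run) unless RUN is set to an empty string on a host with a logged-in az CLI.

```shell
#!/bin/sh
# Added example (not from the thread): Azure side of the accepted answer.
# Dry-run by default: each az command is printed. Run with RUN="" to execute.
RUN="${RUN-echo}"
RG="${RG:-rg-cloudguard}"              # assumed resource group
LOC="${LOC:-westeurope}"               # assumed region
LB="${LB:-lb-cloudguard-ext}"          # the external Standard LB
POOL="${POOL:-pool-cloudguard}"        # backend pool holding the gateway NIC
GW_NIC="${GW_NIC:-cloudguard-eth0}"    # assumed name of the gateway's external NIC
GW_IPCFG="${GW_IPCFG:-ipconfig1}"      # assumed ipconfig name on that NIC
NSG="${NSG:-nsg-cloudguard-ext}"       # NSG on the external NIC/subnet
PROBE_PORT="${PROBE_PORT:-8117}"       # assumed; the port the gateway answers probes on

# One-time setup: first public IP, the LB itself, the health probe,
# the gateway NIC in the backend pool, and the NSG rule. A Standard LB
# passes nothing inbound until an NSG allows it (a Basic LB does not need this).
az_lb_setup() {
  first=$1
  $RUN az network public-ip create -g "$RG" -n "pip-$first" -l "$LOC" \
    --sku Standard --allocation-method Static
  $RUN az network lb create -g "$RG" -n "$LB" -l "$LOC" --sku Standard \
    --public-ip-address "pip-$first" --frontend-ip-name "fe-$first" \
    --backend-pool-name "$POOL"
  $RUN az network lb probe create -g "$RG" --lb-name "$LB" -n probe-gw \
    --protocol Tcp --port "$PROBE_PORT"
  $RUN az network nic ip-config address-pool add -g "$RG" --nic-name "$GW_NIC" \
    --ip-config-name "$GW_IPCFG" --lb-name "$LB" --address-pool "$POOL"
  $RUN az network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-https-in \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes Internet --destination-port-ranges 443
}

# Every further public IP gets its own Standard public IP and LB frontend.
az_add_frontend() {
  $RUN az network public-ip create -g "$RG" -n "pip-$1" -l "$LOC" \
    --sku Standard --allocation-method Static
  $RUN az network lb frontend-ip create -g "$RG" --lb-name "$LB" -n "fe-$1" \
    --public-ip-address "pip-$1"
}

# The rule that matters: a load-balancing rule (not an inbound NAT rule) with
# --floating-ip true, so the destination address is left as the public IP and
# the Check Point NAT rule can key on it. Backend port 443 keeps the protocol
# untouched; the gateway does the translation to the web server.
az_add_https_rule() {
  $RUN az network lb rule create -g "$RG" --lb-name "$LB" -n "lbr-$1-https" \
    --protocol Tcp --frontend-port 443 --backend-port 443 \
    --frontend-ip-name "fe-$1" --backend-pool-name "$POOL" \
    --probe-name probe-gw --floating-ip true
}

# Two public IPs, one per web server (names are constructed for the example).
az_lb_setup web1
az_add_https_rule web1
az_add_frontend web2
az_add_https_rule web2
```

The health probe is sent from 168.63.129.16 to the gateway NIC's own address, not to the floating public IP, so the gateway has to answer on PROBE_PORT and the NSG's default AllowAzureLoadBalancerInBound rule must not be shadowed by a lower-numbered deny. Once the rule is active, the tcpdump check Dameon suggests in this thread shows packets arriving on eth0 with the public IP as destination, which is exactly what the gateway's NAT rule then translates.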

14 Replies

Re: Additional External IP (azure)


What are you using the IP address for?

If it's just for, say, Address Translation, the IP doesn't actually need to appear in the OS config at all; there just needs to be a NAT rule for it.


Re: Additional External IP (azure)


Thanks Dameon, 

I just need it for NAT to forward traffic to a web server. Do I need to create an object for the external IP? How do I assign the NAT to the new IP?

Thanks

Tom


Re: Additional External IP (azure)


Re: Additional External IP (azure)


Thanks Huseyin, 

I've followed this before, but this is set up using the eth0 external IP. I have this working, but I need more than one external IP. For instance I may have more than two external web servers that all resolve using different DNS.

So I need a way to send one external IP to one web server and the other external IP to another web server. I don't have any kind of LB so I can't content switch; I just need one IP to one server and one to another.

Thanks

Tom


Re: Additional External IP (azure)


Create host objects for the new public IP address if you haven't already.

In the NAT tab for these objects, specify the internal IP address.

Repeat for each public IP address.

Ensure there is a rule allowing access to these objects for services http/https and install policy.
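
The steps above, as an added example written against the Check Point Management API with mgmt_cli; this is not code from the thread or from Check Point. It uses a manual static NAT rule rather than the host object's NAT tab so that the translation direction is explicit: the host object holding the public IP is the original destination, the web server is the translated destination, and the access rule matches the original (pre-NAT) destination, which is what the gateway sees once the Azure LB delivers the packet with the public IP intact. Object names, the policy package and layer names, the gateway name, the session file and the addresses are assumptions. Commands are printed (dry run) unless RUN is set to an empty string on a host that has mgmt_cli and a valid session file.

```shell
#!/bin/sh
# Added example (not from the thread): publish one web server per public IP
# on a CloudGuard gateway using mgmt_cli. Dry-run by default; RUN="" executes.
RUN="${RUN-echo}"
POLICY="${POLICY:-Standard}"        # assumed policy package name
LAYER="${LAYER:-Network}"           # assumed access layer in that package
GATEWAY="${GATEWAY:-cloudguard-gw}" # assumed gateway object name
SESSION="${SESSION:-id.txt}"        # session file written by: mgmt_cli login -u admin > id.txt

# cp_publish_web NAME PUBLIC_IP PRIVATE_IP
# Creates NAME-pub (the Azure public IP as the gateway sees it) and
# NAME-srv (the web server), a manual static NAT rule that rewrites the
# destination, and an access rule whose destination is the PUBLIC object:
# with a manual NAT rule the rule base matches the packet before NAT.
cp_publish_web() {
  name=$1; pub=$2; srv=$3
  $RUN mgmt_cli add host name "$name-pub" ip-address "$pub" -s "$SESSION"
  $RUN mgmt_cli add host name "$name-srv" ip-address "$srv" -s "$SESSION"
  $RUN mgmt_cli add nat-rule package "$POLICY" position top \
    name "dnat-$name" original-destination "$name-pub" original-service https \
    translated-destination "$name-srv" method static -s "$SESSION"
  $RUN mgmt_cli add access-rule layer "$LAYER" position top \
    name "allow-$name" source Any destination "$name-pub" service https \
    action Accept track.type Log -s "$SESSION"
}

# Repeat per public IP / web server pair, then publish and install.
# Addresses are constructed for the example (RFC 5737 / RFC 1918 ranges).
cp_publish_web web1 203.0.113.10 10.0.2.10
cp_publish_web web2 203.0.113.11 10.0.2.11
$RUN mgmt_cli publish -s "$SESSION"
$RUN mgmt_cli install-policy policy-package "$POLICY" targets.1 "$GATEWAY" -s "$SESSION"
```

The access rule deliberately names the public-IP object, not the gateway's own eth0 address: the manual NAT rule keys on the packet's original destination, and with a floating-IP load-balancing rule in Azure that destination is the public IP itself. If the Azure LB rewrites the destination instead (an inbound NAT rule, or a load-balancing rule without floating IP), packets arrive addressed to the gateway's NIC and the only thing left to distinguish web1 from web2 is the port, which is why a per-IP design needs the LB to pass the public IP through.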

Re: Additional External IP (azure)


I've done that, but I can't seem to get it to work. Plus I don't see any reference to the external IP/host object in the logs, so it doesn't look like the IP address is even hitting the CG.

If I do the same with the original eth0 external IP it works, but just not with the additional IP.

Thanks

Tom


Re: Additional External IP (azure)


Have you done a tcpdump on the relevant interface to verify the traffic to that IP address is even reaching the gateway?


Re: Additional External IP (azure)


@Tom,

If I understand correctly, you have set up a web server and you want to assign an Azure public IP and route the traffic from the Internet to that web server.

If this is the case, you will have to:

1. Azure public IP address

2. Attach the public IP address to the Azure load balancer in front of the Check Point firewalls

3. Create an Inbound NAT rule in the Azure load balancer

4. Create a NAT rule on the Check Point firewalls that receives the traffic from the Azure load balancer and NATs it back to the original port of the inside web server

This way you will be able to route traffic from the Internet to the web server. Let me know if this helps.

Re: Additional External IP (azure)


Thanks for the reply. 

I'm getting closer now; I can hit the external IP of the Azure LB and NAT through to the CG, but how do I create a rule to send the traffic only to the web server assigned to that IP?

It's hard to explain, but I have two web servers (Web1 and Web2), both with a LB in front. I have a rule that says from the Internet to Web1 and from the Internet to Web2, both for HTTP. How do I specify that if you come in on external IP 1 you go to Web1 and if you come in on external IP 2 you go to Web2? At the moment I can only get it to route to the web server in the first rule. I have checked the logs and see that the source traffic is always the CG and not the external IP address.

How do I route based on the source IPs if they're being NAT'd from the Azure LB into the CloudGuard?

Hope that makes sense?

Thanks

Tom


Re: Additional External IP (azure)


I don't understand this. I have a rule that says any source to CloudGuard for HTTPS, accept.

I then have a NAT rule that says source address is the Azure LB public IP > destination CloudGuard > HTTPS > translated source original > destination is the web server, but it just won't translate it through to the web server....

What am I missing :(

Tom


Re: Additional External IP (azure)


I am just working on these scenarios with a customer of mine implementing all their web presence into Azure. This is what we have working for multiple web servers.

We had to use an external load balancer to map additional IP addresses into the scenario. Essentially the external load balancer just takes care of the NAT, converting HTTPS on the external IP addresses to custom ports on the firewall (9443, 9444, etc.) for HTTP on the firewall.

The firewall then has NAT rules (and access rules) allowing traffic into the firewall and NATing the traffic back to HTTP on either the web server directly or an internal load balancer to balance the traffic among multiple web servers.

We currently have 5 HTTPS servers, each on their own IP address. If you hit the limit for external IP addresses, you can just spin up another external load balancer.

This has the advantage of leaving the external looking like HTTPS, and the internal web server also receives HTTPS.

However, this works for any TCP protocol and now possibly UDP with the improvements to the load balancer.

It did take me a long time to figure out what works and what wouldn't, but this was the scenario that works here.

A lot of the problem here is getting the external IP traffic to the firewall so that NAT can happen. I was never able to route this to the firewall; Microsoft seems to always think that you're going to put these IP addresses directly on your hosts rather than through a security gateway.


Re: Additional External IP (azure)


Thanks Ted, so you route based on incoming port rather than source IP? Or do you route on both?

It's odd because you'd think you could just route based on incoming IP. To me this is just basic functionality of a firewall rule; also I'm pretty sure it works on the 77.30 version.

There has to be a way to do it other than on port, otherwise the firewall is going to get really messy and hard to manage over time :(

Thanks

Tom

Re: Additional External IP (azure)


Hi Matthias, 

Thanks for the reply.

This is exactly what I've done and works perfectly.

Cheers

Tom.