Can I import an internal ELB from AWS and use it in the NAT and security policy

We are trying to set up an internal ALB and NAT to the public IP of the on-prem firewall, so any inbound connections to the public IP get NAT'ed and go to the internal ALB via VPN and VGW. I do not see any load balancers when I import objects using CloudGuard Controller.


Re: Can I import an internal ELB from AWS and use it in the NAT and security policy

While I can't speak to whether the CloudGuard Controller can import them or not, I do know that in general we handle ELB objects using Logical Server objects.
This is required because ELBs are load balanced via DNS.
Using the Logical Server object as described in the SK handles this and performs the necessary NAT.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Re: Can I import an internal ELB from AWS and use it in the NAT and security policy

sk104249 deals with the scenario where Check Point vSEC runs in the AWS VPC.

When the Check Point gateway sits on-premises and has a VPN tunnel to the Amazon VPC, this solution fails to match ELB traffic. One can try using domain objects, but it is still not the best solution.


Re: Can I import an internal ELB from AWS and use it in the NAT and security policy

Domain objects don't work with NAT.
Even if the ELB could be imported with CloudGuard Connector, you wouldn't be able to use it in the NAT policy anyway.
But you could use a Dynamic Object and update it based on a DNS record.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Pre-R80-10-dynamic-objects-from-D...
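The approach the last reply points at (a Dynamic Object on the on-prem gateway, refreshed from the ELB's DNS record so it can be referenced from NAT and security rules) is sketched below as an added example; it is not code from the thread, from Check Point, or from the linked community post. It assumes a dynamic object named aws_internal_alb that already exists (defined in SmartConsole and created once on the gateway with `dynamic_objects -n aws_internal_alb`), a hypothetical ALB FQDN, and a state file under /var/tmp that remembers the addresses pushed on the previous run. The add/remove form `dynamic_objects -o <object> -r <from> <to> -a|-d` is the gateway CLI syntax as I recall it; confirm it against the CLI reference for your release before relying on it. Two details matter in practice: the name must resolve, from the gateway, to the addresses that are actually reachable over the VPN, and the script refuses to empty the object when resolution fails, because an empty object silently stops every rule that references it from matching.

```sh
#!/bin/sh
# Added example (not from the thread): keep a Check Point dynamic object in
# sync with the A records of an AWS ELB/ALB DNS name so the object can be used
# in the on-prem gateway's NAT and security policy. Intended to run in expert
# mode from cron about once a minute (ELB records carry a 60 s TTL).
# Assumptions: the object already exists, the FQDN and state path are
# hypothetical, and the dynamic_objects flags match your release's CLI reference.

OBJ="${OBJ:-aws_internal_alb}"                                             # assumed object name
FQDN="${FQDN:-internal-app-alb-123456789.us-east-1.elb.amazonaws.com}"   # hypothetical FQDN
STATE="${STATE:-/var/tmp/dynobj_${OBJ}.last}"                             # assumed state file

# resolve_ips FQDN: print the current IPv4 A records, one per line, sorted.
resolve_ips() {
    if command -v dig >/dev/null 2>&1; then
        dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
    else
        getent hosts "$1" | awk '{print $1}' | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
    fi
}

# set_minus "A" "B": print the members of space-separated list A not in list B.
set_minus() {
    printf '%s\n' $1 | awk -v b="$2" '
        BEGIN { n = split(b, arr, " "); for (i = 1; i <= n; i++) seen[arr[i]] = 1 }
        NF && !seen[$0]'
}

# plan OBJ "OLD" "NEW": print the dynamic_objects commands that turn the object's
# membership from OLD into NEW. Additions are emitted before removals so the
# object is never empty part-way through an update.
plan() {
    obj="$1"; old="$2"; new="$3"
    for ip in $(set_minus "$new" "$old"); do
        echo "dynamic_objects -o $obj -r $ip $ip -a"
    done
    for ip in $(set_minus "$old" "$new"); do
        echo "dynamic_objects -o $obj -r $ip $ip -d"
    done
}

main() {
    new="$(resolve_ips "$FQDN" | tr '\n' ' ')"
    if [ -z "$new" ]; then
        # A failed lookup must not empty the object: that would stop every
        # NAT and security rule that references it from matching.
        echo "refusing to empty $OBJ: $FQDN did not resolve" >&2
        return 1
    fi
    old=""
    [ -f "$STATE" ] && old="$(cat "$STATE")"
    plan "$OBJ" "$old" "$new" | while read -r cmd; do
        [ -n "$cmd" ] || continue
        echo "$cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    printf '%s' "$new" > "$STATE"
}

# Only touch the gateway when explicitly enabled (RUN_DYNOBJ=1 ./script.sh),
# so sourcing the file or running it without the variable is side-effect free.
if [ "${RUN_DYNOBJ:-0}" = "1" ]; then
    main
fi
```

Keeping the previous run's addresses in a state file, rather than parsing `dynamic_objects -l` output, makes the diff independent of that command's output format; if the object is edited by hand the next run simply reconciles against what the script last pushed.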