Admin
Admin

Re: Inconsistent behavior of vSEC in AWS


Logical Servers (aka ConnectControl) have been around for quite some time (pre-NG, I think?) and were initially designed to serve as a load balancer.

Not much development has occurred with this feature in the past several years.

However, we effectively resurrected it with the developments around vSEC in the Public Cloud.

The Domain option for Logical Servers (which sk31162 says is not supported) was repurposed for use in vSEC Public Cloud.

In particular, the name of the Logical Server object is queried against DNS to determine where to send and NAT the traffic.

The group you assign to this Logical Server object needs to be there for the policy to validate, but is otherwise not relevant to the configuration.

This is described here: Supporting internal Elastic Load Balancers (ELB) in Amazon Web Services (AWS)

I will have sk31162 updated appropriately.

Iain_King
Copper

Re: Inconsistent behavior of vSEC in AWS


Look, I have a configuration in AWS for a customer in the same scenario in R77.30 which is working and in production. It was not simple, as the SSL terminated on the FE ELB and then traffic is NAT'd again to the back-end ELBs, both using Logical Server objects with domain settings for cross-region distribution.

It required both NAT and PAT in both directions and Logical Server options, but it is in production for a large company (it is a ticketing, sales and reporting system for amusement parks). I am happy to provide more details privately if anyone is interested (I have diagrams I can blank, etc. NDA).

Is the problem you are having not working in R80.10 only? Because this is working in R77.30, I can confirm.

The vSEC license distribution, btw, is just a script which cpr_util rexec / rcmd bash... cplic imports.

Iain_King
Copper

Re: Inconsistent behavior of vSEC in AWS


Thinking about it, the diagram / configuration may be incomplete; you may be receiving connections from more front-end ELBs than you realize. It might be a good idea to tcpdump for connections destined for the firewall (or wherever the ELB is sending it). The ELBs also do ICMP to the firewalls for up-time determination, and default security profiles for the cloud network may prevent the return ICMP from the firewall (this was one problem I experienced which was very difficult to debug and required AWS support involvement).

Cheers,

Iain

Vladimir
Pearl

Re: Inconsistent behavior of vSEC in AWS


Iain,

Thanks for your input.

No, the situation described here is exactly as depicted on the diagram.

This was part of the POCs that I have built, some of which do include the ELBs, as shown here:

https://community.checkpoint.com/docs/DOC-2301-vsec-deployment-scenarios-in-aws as well as more complex scenarios including external ELBs that I have not yet published.

In this particular case, the native Logical Server object was used to load balance between web hosts and was configured according to CP documentation.

As to scenarios utilizing AWS ELBs, these do work as advertised in R80.10.

Admin
Admin

Re: Inconsistent behavior of vSEC in AWS


We don't officially support ELBs with R80.10 just yet... I know it's in the near-term plans to address this.

Iain_King
Copper

Re: Inconsistent behavior of vSEC in AWS


Ahh I see!

No worries, I'll have a good look through those deployment scenarios (thanks for the publication btw, it will definitely be helpful for everyone).

Iain

Vladimir
Pearl

Re: Inconsistent behavior of vSEC in AWS


Update: The reason for the timeout appears to be related to the ICMP health probe the gateway is running on the target servers. If ICMP echo request is not permitted in the Security Group the servers belong to, after one minute the Logical Server object deems the server not reachable. If ICMP echo request is permitted, it works without timeout.

I am still waiting for the response from R&D in regards to supported modes of load balancing in AWS using Logical Servers and will update this thread once I receive it.

For now, it was successfully tested using:

Service Type: Other

Server Group: [Simple Group with target servers]

Use persistent server mode: True

Persistency: by server

Balance method: Round trip
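The finding above (a Security Group that does not admit ICMP echo request from the gateway makes the Logical Server health probe fail) can be checked before deployment. The following is an added example, not code from the thread or from Check Point: it evaluates inbound rules in the dictionary shape that boto3's describe_security_groups() returns, against constructed sample data, and assumes the gateway probes from a known source address.

```python
import ipaddress

# Constructed sample: inbound rules of a web-server Security Group in the
# IpPermissions shape boto3 returns. Assumed data, not a real group.
SG_WEB_BEFORE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]
# The same group after adding ICMP echo request (type 8, any code) from the
# assumed gateway subnet. AWS encodes ICMP type in FromPort, code in ToPort,
# and -1 for "any".
SG_WEB_AFTER = SG_WEB_BEFORE + [
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]


def permits_icmp_echo_request(ip_permissions, probe_source):
    """True if the inbound rules let ICMP echo request (type 8) from
    probe_source reach the instance. IPv4 CIDR rules only; rules that
    reference another security group or a prefix list are not evaluated."""
    src = ipaddress.ip_address(probe_source)
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto not in ("icmp", "-1"):      # "-1" is an all-traffic rule
            continue
        if proto == "icmp" and rule.get("FromPort", -1) not in (-1, 8):
            continue                          # some other ICMP type only
        for r in rule.get("IpRanges", []):
            if src in ipaddress.ip_network(r["CidrIp"], strict=False):
                return True
    return False


def health_probe_findings(groups, probe_source):
    """groups: {sg_id: IpPermissions}. Returns the ids of groups whose
    members the gateway's Logical Server probe would mark unreachable."""
    return [sg_id for sg_id, perms in groups.items()
            if not permits_icmp_echo_request(perms, probe_source)]


if __name__ == "__main__":
    groups = {"sg-web-before": SG_WEB_BEFORE, "sg-web-after": SG_WEB_AFTER}
    print("probe would fail for:", health_probe_findings(groups, "10.0.1.10"))
```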

Iain_King
Copper

Re: Inconsistent behavior of vSEC in AWS


Yep, we experienced this as well; very difficult to debug as an integrator without access to the AWS console.