Prabulingam_N1
Advisor

R80.30 AWS - AutoScaleGW for Outbound traffic from Internal Webservers

Dear CheckMates,

 

I have deployed an R80.30 Mgmt server with CloudGuard controller and R80.30 AutoScale Gateways in AWS.

Deployed External Network LB and Internal Application LB.

Placed internal Webserver behind Internal ALB - works fine.

(Inbound traffic from the Internet to the Webserver through the LBs)

 

Now we need to send the outbound traffic from the internal webservers through the AutoScale GW to the Internet so that we can inspect the outbound webserver traffic.

Is this feasible? Per sk112575, point 5:

"Web clients in private subnets are configured to use an ELB as their HTTP/HTTPS proxy.
This Proxy ELB is configured to forward TCP connections to the CloudGuard Auto Scaling group"

 

Per the AWS team, they could not make the Internal ALB a proxy. Only with a Classic LB can we create a ProxyProtocolPolicy.

 

Any comments on how to do this will be helpful.

 

Regards, Prabulingam.N

 

mdjmcnally
Advisor

That does appear to be the case. The AWS docs only refer to Classic LB for enabling the Proxy Protocol.

Guessing Check Point just set up with Classic in their testing, as not looking to use the extra features.

Now, is it possible to create a second Internal LB that is Classic (presuming you are using some of the ALB features) and then use that as the Proxy per that SK?

As the clients are configured with the Proxy and the Check Point sees the traffic from the LB, not the Client, I wouldn't have thought it would be an issue doing this. However, I don't work with AWS, so there will be more experienced people with AWS that can confirm/deny that this is possible.

Prabulingam_N1
Advisor

Thanks for the input, mdjmcnally...

Dear Cloud experts - any suggestions to achieve this requirement...

 

Regards, Prabu
