Abhishek_Singh1 inside CloudGuard IaaS 27m ago
views 151 4

Check Point vSEC ClusterXL deployment in Azure in Active/Active (Load Sharing) mode

Hi guys,

I am looking for a solution to implement an Active-Active (Load Sharing) ClusterXL in Azure, but didn't find any templates. Does Check Point vSEC in Azure not support this by design, or what changes would it require to support this configuration? Thanks!
Liam_McElhinney inside CloudGuard IaaS yesterday
views 123 2 1

CloudGuard Failure Issues in Azure

Hi,

We have recently upgraded our R80.10 HA CloudGuard cluster in Azure to R80.20. We used the latest Azure Marketplace template and have successfully deployed the two gateways to form the cluster. We successfully got everything configured and it has been working well. However, on two occasions now I have returned to work on the Monday morning to find that no traffic is flowing through the firewalls to our IaaS estate in Azure. Upon checking SmartConsole I see red crosses and 'connection is lost' for both cluster members. On looking at the logs I see one last log originating from the Azure cluster member, and the description is "(ClusterXL) interface enP1p0s2 of member 1 ( was removed."

A restart of the gateway VMs in Azure brings them back to life, but this obviously isn't a viable solution. Has anyone had this issue before and can shed any light on it for us?

Thanks
Liam
inside CloudGuard IaaS Wednesday
views 158 2

Planned Delisting Announcement for CloudGuard IaaS in Azure and AWS

Dear All,

Soon we intend to begin a process in Azure and AWS to remove the R80.20 listings/images from the marketplace. In both platforms there are already R80.30 listings/images available, and we recommend upgrading to this latest version. The R80.10 and R80.20 listings in Google Cloud Platform were already removed.

R80.30 brings with it a performance boost and stability improvements. It is also important to mention that new content for the R80.20 GOGO-based version JHF is not planned (only security fixes will be provided) and all new JHFs will be introduced for R80.30.

Please note the following:
- Current users that are already deployed with R80.20 will still be able to use their offerings and will be supported.
- R80.20, once removed, won't be available to customers in the marketplace.
- Customers with a legitimate business need for R80.20 or R80.10 (e.g. in a final POC process) will need to contact us in order to get access to these images/listings once they are removed.
- R80.30 gateways can be managed by deploying a jumbo hotfix on older Management Servers, starting from R80.20 Jumbo Hotfix take 91 and above and R80.10 Jumbo Hotfix take 225 and above (see sk149272 for more information).
- An index for the upgrade documentation was created for your convenience: sk162365.

If any concern is raised or more information is needed, please contact us.

Thank you
pmetridis inside CloudGuard IaaS Friday
views 141 1

Use Data Center objects from VMware vCenter

Dear all,

I am trying to understand the usage of the integration with a VMware vCenter Data Center. I have configured the VMware vCenter successfully and I get information (like IP, name, etc.) from our VM infrastructure. So I thought that I could use this information either in the Access Policy, using Data Center Objects, or to update the information I have for already imported objects. I have a few questions, which I really have searched a lot for before posting here.

1. The user which is configured for the integration with vCenter: what exactly permissions must it have?
2. Why, when I try to use a Data Center object in a rule, do I get error messages like "Data Center objects and Network objects cannot be used together in the Source column" or "Please refer to the vSEC Controller Administration Guide to configure the gateway as required by vSEC"? Regarding the vSEC Controller Administration Guide, is it necessary to enable the Identity Awareness Identity Web API with localhost? I use different gateways for the PDP use and Identity Collector with IDC (Identity Sources - Identity Collector); should I enable the Web API as well?
3. When I have imported a server manually, for example Srv_Web1, but from the vCenter integration I have more specific information for the server, like the name InternetWebServer, is it possible to update the information I manually added?

I am really trying to understand, in an environment with Firewall GWs, SMS Server and PDP GWs, which one has the role of vSEC Controller to integrate with vCenter. Generally, what benefits do you have from the integration with vCenter? Where can you use this integration?

Thanks in advance for any info.
Makis
Abhishek_Kumar1 inside CloudGuard IaaS a week ago
views 250 9

Failover Issue with AWS deployment

Hi All,

We have deployed a firewall in AWS in HA. We have multiple servers configured in static NAT which are accessible from outside. We deployed the firewall in a cluster; we added the virtual IP as a secondary IP on the active firewall interface, along with the other multiple IPs which are used for static NAT, where my PRI IP is:-, SEC IP is:- and virtual IP is:-. We added the route for all subnets in AWS through the active firewall network interface. ( The secondary IP is passing through the active firewall and everything is working fine.

When we fail over the traffic from Active to Standby, after a few minutes all secondary IPs are mapped to the standby firewall network interface, but the route is not changed. When we check the traceroute, traffic is going through the active firewall interface; it should go through the virtual IP ( Why is our traffic not working? When we change the route manually and add the standby firewall network interface, traffic starts working, and when we check the traceroute it is going through the virtual IP (

Can someone help me to resolve the issue?
Constantin_Pop inside CloudGuard IaaS a week ago
views 368 5

Azure NIC issues - possibly waagent related

Hi all,

I noticed recurring issues with the Azure CP R80.20 cluster and was wondering if anyone else had this behavior. Basically the interfaces related to Azure Accelerated Networking unregister and may come up with a different name, which breaks the traffic completely. Although this was supposed to be solved by Jumbo HF take 17, it occurred again.

I believe it may be related to the outdated, buggy version of the Microsoft Azure Linux Agent (waagent) v2.2.11 installed on the VM (the last available version is v2.2.42). Now waiting for my SR to be picked up...

Two other issues with the agent that are resolved in the newer version:
- the agent's logs fill up the Azure Serial Console, making it unusable
- it does not use the configured proxy server

Entries in /var/log/messages:

kernel: kernel: hv_netvsc 000d3a25-c27e-000d-3a25-c27e000d3a25 eth0: Data path switched from VF: enP1p0s2
kernel: kernel: hv_netvsc 000d3a25-c27e-000d-3a25-c27e000d3a25 eth0: VF unregistering: enP1p0s2
kernel: kernel: [SIM4];cphwd_api_forward_packet: sim_mgr_prepare_packet failed
kernel: kernel: [SIM4];simlinux_br_port: dev == NULL !!!!!
Fareed_Farooqu1 inside CloudGuard IaaS 2 weeks ago
views 754 4

CloudGuard interface _rename issue

Hi,

We are deploying CloudGuard R80.20 in Azure as per sk110194 and are noticing extra interfaces with '_rename' in them. Instead of eth0 and eth1 we see a total of 4 interfaces:

eth0
eth1
eth2_rename
eth3_rename

Output of ifconfig is:

ifconfig -a | grep -v grep | grep HWaddr | awk '{print $1,$5}'
eth0        00:0D:3A:7E:82:B6    state -on
eth1        00:0D:3A:7E:87:40    state -on
eth2_rename 00:0D:3A:7E:87:40    state -on
eth3_rename 00:0D:3A:7E:82:B6    state -off

Has anyone come across this issue? R80.10 does not have this issue.

Thanks
Suguru_Kawahara inside CloudGuard IaaS 2 weeks ago
views 121 2

Changing the virtual NIC on CloudGuard IaaS

Hi,

My customer has a plan to change the CloudGuard IaaS virtual NIC to another network adapter and reconfigure the IP address. This is done for the current cluster interface. We conducted a test with reference to sk57100, but it was not successful. When changing to a VMware network adapter, Topology was set separately and ClusterXL could not be assembled. Can we change the settings to a virtual NIC without turning off the power?

Best,
Maciej inside CloudGuard IaaS 3 weeks ago
views 127

Failed to update Data Center server objects on gateway Azure-Production--checkpoint

Hi CheckMates,

First I would like to show my deep appreciation by saying "Thank you" to all forum contributors. It's my first post, but only because all the information I was seeking was already here or in SKs. Up to this day 😉 So without further ado.

For LAB purposes I've configured VMSS with Management in the Azure Cloud and configured the Azure-vSEC Data Center connection. I've followed the CloudGuard Controller Admin Guide step by step. It seems that it works perfectly, as it automatically updates objects in the management database and a few seconds later on the security gateways, but in the logs I see the following error:

Failed to update Data Center server objects on gateway Azure-Production--checkpointFW_3--VMSS_CHECKPOINT. If issue persists contact Check Point Support.

It appears only when I use Data Center objects somewhere in the policy. I wanted to troubleshoot the problem, so I've run some tail -f in $FWDIR/log/ on the management server. In the meantime I've changed the IP of the Linux machine (kalilinux) to  It shows the following:

cpm.elg
02/09/19 22:20:30,953 INFO objects.cloud_shadow_objects.CloudOverviewObjectFactoryImpl [taskScheduler-6]: Creating overview object for: CloudShadowObject{cloudId='1a69f475-0856-47d6-ae76-064ec0ecb0c4', cmsUid=5529580e-5a0f-483e-97a0-bebcafcc9283, cloudType=VM, innerObjectType='Virtual Machine', hasChildren=false, dynamicProperties=[, , /Network by Subscriptions/Free Trial/Virtual Networks/VMSS-Checkpoint (checkpoint-management)/Virtual Machines, , West Europe], dynamicPropertiesNames=[IP, Note, URI, Tags, Location], ipaddr='', state=0, dataCenterTimeStamp=Mon Sep 02 22:20:02 UTC 2019, cloudName='kalilinux (linuxnet)', checksum='85A060E5334BB4C149BD45A1EBF8C5E1', canImport=false, previouslyExisted=false}

cloud_proxy.elg
02/09/19 22:20:55,142 ERROR IDA.requests.IDARequestsSender [Thread-16]: Error while attempt to connect to server: (this is the IP of one of the security gateways)
com.fasterxml.jackson.core.JsonParseException: Unexpected character ('/' (code 47)): maybe a (non-standard) comment? (not recognized as one since Feature 'ALLOW_COMMENTS' not enabled for parser)
 at [Source: /tmp/ line 19: warning: here-document at line 4 delimited by end-of-file (wanted `EOF')
{
   "responses" : [
      {
         "ipv4-address" : "",
         "message" : "Association sent to PDP."
      }
   ]
}; line: 1, column: 2]
        at com.fasterxml.jackson.core.JsonParser._constructError(
        at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(
        at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipComment(
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd2(
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._skipWSOrEnd(
        at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(
        at com.fasterxml.jackson.databind.ObjectMapper._initForReading(
        at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(
        at com.fasterxml.jackson.databind.ObjectMapper.readValue(
        at com.cp.enforcement_updater.common.JsonTools.getJsonFromString(
        at com.cp.enforcement_updater.IDA.api.IDACpridRequestSenderClient.sendAddRequests(
        at com.cp.enforcement_updater.IDA.requests.IDARequestsSender.sendIDAAddRequests(
        at com.cp.enforcement_updater.IDA.requests.IDARequestsSender.sendRequests(
        at com.cp.enforcement_updater.DomainEnforcementUpdater.generateAndSendRequests(
        at com.cp.enforcement_updater.DomainEnforcementUpdater.sendUpdatesToTargets(
        at

The same message appears on the second gateway. Nevertheless the rule on the security gateway is automatically updated and works.

Have you ever experienced similar behaviour or seen this error? Is it something I need to worry about before going to production, or is it a known bug? Maybe I've made some misconfiguration and with your help I will be able to find it.

Some details: I run the default configuration R80.20 deployment with two load balancers, frontend and backend. Management is in the same VNET but a different subnet. For testing, a rule any any allow. Default security groups created by the template. I've checked the Identity Awareness settings by configuring them manually and adding -ia to the autoprov-cfg template. No changes.

Thank you in advance for any suggestions 🙂
Best Regards,
Maciej
Abhishek_Kumar1 inside CloudGuard IaaS 3 weeks ago
views 248 8

AWS Pay-as-you-Go licensing issue after migration

Hi,

We are upgrading our R77.30 MGMT server to R80.20 on AWS. We created a new instance with a different IP address in the same subnet in the same VPC. We are using the Pay-as-you-Go subscription. We ran the migration export on R77.30 and imported it on the R80.20 MGMT. The migration import was done successfully, but we are having an issue with the license. We installed the evaluation license on a temporary basis, and we are able to log in to the MGMT server. Can anyone explain how to get a new license for the R80.20 MGMT on a Pay-as-you-Go subscription?

Regards
Abhishek
Martin_Valenta inside CloudGuard IaaS a month ago
views 145

Azure China - R80.20+ clusters and scale sets

When is it planned to offer High Availability or Scale Set templates with the R80.20+ version on the Azure China Marketplace? @Valeri_Loukine or @PhoneBoy, can you direct this question to somebody? 🙂 Thanks
Vladimir inside CloudGuard IaaS a month ago
views 5171 39 5

Inspection of Inter-Subnet traffic in AWS VPC using CloudGuard

I've been asked an interesting and, seemingly, trivial question: "How would you protect the hosts in an AWS VPC located in different subnets by inspecting traffic between them?"

I was also assured that presently AWS did not have a solution to this problem, as every routing table you create will contain a "local" route, and all traffic from all subnets within one VPC will be routed through it.

To work on this puzzle, this lab environment was provisioned:

...and the answer to this dilemma is to use static routes in the instances pointing to the interfaces of the vSEC or cluster, as well as security groups as Sources for the traffic to the Private Subnets:

[root@ip-10-255-255-200 ec2-user]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth0
10.255.255.128  UG    0      0        0 eth0
10.255.255.192  *      U     0      0        0 eth0
169.254.169.254 *      UH    0      0        0 eth0
[root@ip-10-255-255-200 ec2-user]#

[root@ip-10-255-255-150 ec2-user]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth0
10.255.255.128  *      U     0      0        0 eth0
10.255.255.192  UG    0      0        0 eth0
169.254.169.254 *      UH    0      0        0 eth0
[root@ip-10-255-255-150 ec2-user]#

With Firewall Access rules set:

With NAT rules set to:

And I was able to see the packet traversing the firewall ( and are its interfaces):

[root@ip-10-255-255-150 ec2-user]# ssh ec2-user@
Permission denied (publickey).
[root@ip-10-255-255-150 ec2-user]#

And here is the tcpdump from the target host:

[root@ip-10-255-255-200 ec2-user]# tcpdump src
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:03:53.440273 IP > Flags [S], seq 2098326363, win 26883, options [mss 1460,sackOK,TS val 843716 ecr 0,nop,wscale 7], length 0
...

With this Security Group assigned to both hosts in my demo, the  and sg-e2264391 is the:

[ec2-user@ip-10-255-255-150 ~]$ date; ssh
Feb 16 13:29:42 UTC 2018
Permission denied (publickey).
[ec2-user@ip-10-255-255-150 ~]$ curl
[ec2-user@ip-10-255-255-150 ~]$
---
[ec2-user@ip-10-255-255-200 ~]$ date; ssh
Feb 16 13:30:04 UTC 2018
Permission denied (publickey).
[ec2-user@ip-10-255-255-200 ~]$ curl
[ec2-user@ip-10-255-255-200 ~]$

And if you really want to be sure that the traffic in question was traversing the firewall and NOT the default VPC router:

and

[root@ip-10-255-255-200 ec2-user]# ifconfig | grep eth0
eth0      Link encap:Ethernet  HWaddr 02:70:96:B0:44:80
[root@ip-10-255-255-200 ec2-user]#
----------------
[root@ip-10-255-255-200 ec2-user]# tcpdump -tttt -ne host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2018-02-15 16:01:28.245759 02:af:87:e2:04:c6 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 74: > Flags [S], seq 3739857756, win 26883, options [mss 1460,sackOK,TS val 331468 ecr 0,nop,wscale 7], length 0
2018-02-15 16:01:28.245898 02:70:96:b0:44:80 > 02:af:87:e2:04:c6, ethertype IPv4 (0x0800), length 74: > Flags [S.], seq 3645387522, ack 3739857757, win 26847, options [mss 8961,sackOK,TS val 324911 ecr 331468,nop,wscale 7], length 0
2018-02-15 16:01:28.246290 02:af:87:e2:04:c6 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 66: > Flags [.], ack 1, win 211, options [nop,nop,TS val 331469 ecr 324911], length 0
2018-02-15 16:01:28.246441 02:af:87:e2:04:c6 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 87: > Flags [P.], seq 1:22, ack 1, win 211, options [nop,nop,TS val 331469 ecr 324911], length 21
2018-02-15 16:01:28.246450 02:70:96:b0:44:80 > 02:af:87:e2:04:c6, ethertype IPv4 (0x0800), length 66: > Flags [.], ack 22, win 210, options [nop,nop,TS val 324912 ecr 331469], length 0

The addition of the static routes could be either bootstrapped or included in AMIs, depending on your situation.

To verify that the instances residing in different subnets will remain isolated in the absence of the static routes, those were removed and we can see that the SSH connection attempt is timing out:

[ec2-user@ip-10-255-255-150 ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth0
10.255.255.128  *      U     0      0        0 eth0
169.254.169.254 *      UH    0      0        0 eth0
[ec2-user@ip-10-255-255-150 ~]$ ssh ec2-user@
ssh: connect to host port 22: Connection timed out
[ec2-user@ip-10-255-255-150 ~]$
----
[ec2-user@ip-10-255-255-200 ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth0
10.255.255.192  *      U     0      0        0 eth0
169.254.169.254 *      UH    0      0        0 eth0
[ec2-user@ip-10-255-255-200 ~]$ ssh ec2-user@
ssh: connect to host port 22: Connection timed out
[ec2-user@ip-10-255-255-200 ~]$

And reinstatement of the static routes results in:

[root@ip-10-255-255-150 ec2-user]# nano /etc/sysconfig/network-scripts/route-eth0
[root@ip-10-255-255-150 ec2-user]# reboot
[root@ip-10-255-255-150 ec2-user]#
Broadcast message from ec2-user@ip-10-255-255-150
        (/dev/pts/0) at 16:54 ...
The system is going down for reboot NOW!

Using username "ec2-user".
Authenticating with public key "imported-openssh-key"
Last login: Fri Feb 16 16:42:28 2018 from

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

[ec2-user@ip-10-255-255-150 ~]$ ssh ec2-user@
Permission denied (publickey).
[ec2-user@ip-10-255-255-150 ~]$

and:

[root@ip-10-255-255-200 ec2-user]# nano /etc/sysconfig/network-scripts/route-eth0
[root@ip-10-255-255-200 ec2-user]# reboot
[root@ip-10-255-255-200 ec2-user]#
Broadcast message from ec2-user@ip-10-255-255-200
        (/dev/pts/0) at 16:55 ...
The system is going down for reboot NOW!

Using username "ec2-user".
Authenticating with public key "imported-openssh-key"
Last login: Fri Feb 16 16:42:10 2018 from

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

[ec2-user@ip-10-255-255-200 ~]$ ssh ec2-user@
Permission denied (publickey).
[ec2-user@ip-10-255-255-200 ~]$

This is the Gaia config for the vSEC used in this lab:

vSEC01> show configuration
#
# Configuration of vSEC01
# Language version: 13.1v1
#
# Exported by admin on Thu Feb 15 13:47:33 2018
#
set installer policy check-for-updates-period 3
set installer policy periodically-self-update on
set installer policy send-cpuse-data off
set installer policy self-test install-policy off
set installer policy self-test network-link-up off
set installer policy self-test start-processes on
set arp table cache-size 4096
set arp table validity-timeout 60
set arp announce 2
set message banner on
set message motd on
set message caption off
set core-dump enable
set core-dump total 1000
set core-dump per_process 2
set clienv debug 0
set clienv echo-cmd off
set clienv output pretty
set clienv prompt "%M"
set clienv rows 24
set clienv syntax-check off
set dns primary
set dns secondary
set edition 64-bit
set expert-password-hash $blablabla
set format date dd-mmm-yyyy
set format time 24-hour
set format netmask Dotted
set hostname vSEC01
add allowed-client host any-host
set web table-refresh-rate 15
set web session-timeout 30
set web ssl-port 443
set web ssl3-enabled off
set web daemon-enable on
set inactivity-timeout 10
set ipv6-state off
add command api path /bin/api_wrap description "Start, stop, or check status of API server"
add command tecli path /bin/tecli_start description "Threat Emulation Blade shell"
set net-access telnet off
set ntp active on
set ntp server primary version 2
set user admin shell /bin/bash
set user admin password-hash $blablabla
set user monitor shell /etc/cli.sh
set user monitor password-hash *
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set password-controls expiration-warning-days 7
set password-controls expiration-lockout-days never
set password-controls force-change-when no
set password-controls deny-on-nonuse enable false
set password-controls deny-on-nonuse allowed-days 365
set password-controls deny-on-fail enable false
set password-controls deny-on-fail failures-allowed 10
set password-controls deny-on-fail allow-after 1200
set aaa tacacs-servers state off
set aaa radius-servers super-user-uid 96
set max-path-splits 8
set tracefile maxnum 10
set tracefile size 1
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set timezone America / New_York
set interface eth0 comments "vSEC01-Ext"
set interface eth0 link-speed 10G/full
set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth0 mtu 1500
set interface eth0 ipv4-address mask-length 26
set interface eth1 comments "vSEC01-Int"
set interface eth1 link-speed 10G/full
set interface eth1 state on
set interface eth1 auto-negotiation on
set interface eth1 mtu 1500
set interface eth1 ipv4-address mask-length 26
set interface eth2 comments "vSEC01-Proxy"
set interface eth2 link-speed 10G/full
set interface eth2 state on
set interface eth2 auto-negotiation on
set interface eth2 mtu 1500
set interface eth2 ipv4-address mask-length 26
set interface lo state on
set interface lo ipv4-address mask-length 8
add host name Simple01-LogicalServer-Web ipv4-address
set inbound-route-filter ospf2 accept-all-ipv4
set inbound-route-filter rip accept-all-ipv4
set management interface eth0
set ospf area backbone on
set rip update-interval default
set rip expire-interval default
set snmp mode default
set snmp agent off
set snmp agent-version v3-Only
set snmp traps trap authorizationError disable
set snmp traps trap biosFailure disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable
set snmp traps trap configurationSave disable
set snmp traps trap fanFailure disable
set snmp traps trap highVoltage disable
set snmp traps trap linkUpLinkDown disable
set snmp traps trap lowDiskSpace disable
set snmp traps trap lowVoltage disable
set snmp traps trap overTemperature disable
set snmp traps trap powerSupplyFailure disable
set snmp traps trap raidVolumeState disable
set snmp traps trap vrrpv2AuthFailure disable
set snmp traps trap vrrpv2NewMaster disable
set snmp traps trap vrrpv3NewMaster disable
set snmp traps trap vrrpv3ProtoError disable
set static-route default comment "To Subnet Router"
set static-route default nexthop gateway address on
set static-route comment "To Subnet Router for Peered VPC CIDR"
set static-route nexthop gateway address on
set static-route comment "To Subnet Router"
set static-route nexthop gateway address on
set static-route comment "To Subnet Router"
set static-route nexthop gateway address on
vSEC01>

Enjoy
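To make the verification step in the post above repeatable, here is an added example (my own code, not part of Vladimir's post or of Check Point's tooling). It renders the static routes for an Amazon Linux route-eth0 file and then checks a `tcpdump -tttt -ne` capture taken on the target host for inter-subnet packets whose source MAC is not the gateway's, which is exactly the case where the VPC router delivered the packet directly and inspection was bypassed. The subnets, the gateway's next-hop address in each subnet, the second MAC and the two capture lines are constructed for the example; the gateway MAC is assumed to be the one seen in the post's capture.

```python
"""Verify that inter-subnet traffic really traversed the CloudGuard gateway.

Added example, not from the original post. The post proves the path by
comparing the source MAC seen in `tcpdump -ne` on the target host with the
MAC of the firewall's interface in that subnet; this script automates the
check over captured lines and also renders the static routes (Amazon Linux
route-ethN syntax) that steer the traffic. Addresses and MACs below are
constructed for the example (assumptions), not taken from the lab.
"""
import ipaddress
import re

# Hypothetical lab values: a /26 on each side of the gateway and the
# gateway's interface address inside each subnet (assumed).
SUBNETS = {
    "10.255.255.128/26": "10.255.255.130",
    "10.255.255.192/26": "10.255.255.194",
}
# MAC seen as source in the post's capture; assumed to be the gateway's
# interface facing the 10.255.255.192/26 subnet.
FIREWALL_MAC = "02:af:87:e2:04:c6"

# `tcpdump -tttt -ne` line: timestamp, src MAC > dst MAC, ..., src IP.port > dst IP.port
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r".*?length \d+: (?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+"
)


def render_routes(subnets, local_cidr):
    """route-eth0 lines for every remote subnet; next hop is the gateway
    interface that lives in the instance's own subnet."""
    local = ipaddress.ip_network(local_cidr)
    via = subnets[local_cidr]
    return [f"{cidr} via {via} dev eth0"
            for cidr in subnets if ipaddress.ip_network(cidr) != local]


def parse_capture(lines):
    """Parse tcpdump -ne lines into (src_mac, src_ip, dst_ip) tuples."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["smac"], m["sip"], m["dip"]))
    return out


def bypassed_firewall(records, firewall_mac, local_cidr):
    """Inter-subnet packets whose source MAC is not the gateway's.

    A packet from another subnet that arrives with any other source MAC was
    delivered by the VPC router's "local" route, i.e. it skipped inspection."""
    local = ipaddress.ip_network(local_cidr)
    return [(smac, sip, dip) for smac, sip, dip in records
            if ipaddress.ip_address(sip) not in local
            and smac.lower() != firewall_mac.lower()]


# Constructed sample capture: one SYN relayed by the gateway, one SYN that
# came straight from the VPC router (different source MAC).
SAMPLE = [
    "2018-02-15 16:01:28.245759 02:af:87:e2:04:c6 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 74: 10.255.255.150.43522 > 10.255.255.200.22: Flags [S], seq 1, win 26883, length 0",
    "2018-02-15 16:01:29.000000 02:70:96:b0:44:01 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 74: 10.255.255.151.43523 > 10.255.255.200.22: Flags [S], seq 2, win 26883, length 0",
]

if __name__ == "__main__":
    for line in render_routes(SUBNETS, "10.255.255.192/26"):
        print(line)
    for rec in bypassed_firewall(parse_capture(SAMPLE), FIREWALL_MAC, "10.255.255.192/26"):
        print("BYPASS:", rec)
```

On a real host you would pipe `tcpdump -tttt -ne -l host <peer>` into parse_capture and run the check during the same SSH test the post performs; an empty result from bypassed_firewall is the condition that the static routes are doing their job.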
Tom_Thwaites inside CloudGuard IaaS a month ago
views 2445 16 10

Additional External IP (Azure)

How do I add an additional external IP to the CloudGuard device in Azure? I've added the new IP in the Azure Portal and attached it to the VM, but within the GUI the IP isn't being displayed. If I create a new alias within the CG GUI, I can't specify the IP as it doesn't allow for /32 within the subnet mask.

Any help would be really appreciated.

Thanks
Tom
inside CloudGuard IaaS 2019-08-19
views 260 2 2

Centralizing AWS VPC endpoint/PrivateLink inspection in a Transit Gateway-centered architecture

I want to quickly share some steps in implementing the following scenario:

1) you are interconnecting your VPCs using a Transit Gateway (TGW)
2) you're using the Check Point TGW-integrated autoscaling group to inspect egress, inter-VPC and/or AWS<->on-prem traffic
3) you want to consume a service through an interface VPC endpoint (AKA PrivateLink) and want to inspect traffic flowing between your resources and that service

How do you achieve that? Here's an outline of the steps.

The easy part:

0) Make sure that, if the VPC that has the Check Point gateways (the Egress Security VPC, in the pic above) has a VPC attachment to the TGW, then that VPC attachment is NOT propagating routes to TGW route tables associated with any spoke VPCs with resources that need access to the service. (That was a fun sentence to write!)
1) Create the VPC endpoint (VPCe) on some subnet, dedicated to that purpose, inside the VPC that has the Check Point CloudGuard (CGI) Autoscaling Group (ASG) deployed. We'll call that VPC the "CGI-VPC".
2) In SmartConsole, create the appropriate access rules allowing traffic from the appropriate resources within your spoke VPC to the IP addresses of the VPC endpoints you created for the service.
3) If this is not configured correctly (as it should be if you followed the steps in the user guide), make sure that traffic to this service is going to be "hide" source NATed by the gateways.

The non-trivial part (all having to do with DNS!):

In general, the AWS DNS resolver inside the CGI VPC itself (where the VPCe are) can be easily configured to resolve the native name of the service you're consuming through the VPCe to the private IP addresses of those VPCe (which are implemented as ENIs on the subnet). This is where you enable it in the AWS VPC console when you create the VPCe. So e.g. if you created an SNS endpoint in a VPC in us-east-1, then after the deployment,  will resolve to the IP addresses of the ENIs that implement this VPCe.

The challenge is making this the case also for the spoke VPCs, i.e. making it the case that  will resolve to the same private IP addresses, on the CGI VPC, also when requested from the spokes. Here's one way to do it:

a) In the AWS Route 53 console, create an "inbound endpoint" in the CGI VPC (you can use the same 2 subnets that are used for the VPCe). Record the IP addresses set for this inbound endpoint.
b) In the AWS Route 53 console, create an "outbound endpoint" in the CGI VPC (you can use the same 2 subnets as above).
c) In the AWS Route 53 console, create a rule with the following details:
   c1) type: forward
   c2) domain name: put here the FQDN of the service you're trying to provide access to
   c3) VPCs: here you'll have to enter all the spoke VPCs. Note that whenever a new VPC is created that needs the service, you'll have to add it to this rule
   c4) outbound endpoint: here you pick the outbound endpoint you created in step b
   c5) target IP addresses: here you enter, individually, the IP addresses of the ENIs that were created for the inbound endpoint in step a
d) Do a sanity check on all the security groups:
   d1) on the ENIs of the outbound endpoint, only an outbound rule is really required that allows DNS to the inbound endpoint's IP addresses
   d2) on the ENIs of the inbound endpoint, an inbound rule is required that allows DNS from the addresses of the outbound endpoint's ENIs. I believe that an outbound rule is also required for DNS to the native AWS resolver in the VPC
   d3) on the ENIs of the VPCe, the service itself, inbound rules are required on the port of the service (usually 443) from the subnets where the Check Point CloudGuard gateways live

And that's it! Please let me know if I missed something...

Y
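Step d) is the part most easily got wrong, so here is an added example (my own code, not from the post above and not Check Point tooling) that encodes d1 to d3 as checks over security groups in the shape boto3's ec2.describe_security_groups returns (IpPermissions / IpPermissionsEgress entries), run offline against constructed groups. All group IDs, resolver endpoint addresses and gateway subnets are assumptions for the example; the optional egress rule towards the native AWS resolver mentioned in d2 is not checked.

```python
"""Sanity-check the security groups behind the Route 53 resolver forwarding setup.

Added example, not part of the original post or of Check Point's tooling.
Each function works on a security group dict in the shape returned by
boto3's ec2.describe_security_groups(); the sample groups at the bottom
are constructed so the script runs offline. All IDs and addresses are
assumptions for the example.
"""
import ipaddress


def _rule_covers(rule, proto, port, cidr):
    """True if one IpPermission entry allows proto/port to or from all of `cidr`."""
    if rule["IpProtocol"] not in (proto, "-1"):          # "-1" means all protocols
        return False
    if rule["IpProtocol"] != "-1" and not (
        rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    ):
        return False
    want = ipaddress.ip_network(cidr)
    return any(want.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in rule.get("IpRanges", []))


def allows(sg, direction, proto, port, cidr):
    """Check a security group in direction 'in' (ingress) or 'out' (egress)."""
    key = "IpPermissions" if direction == "in" else "IpPermissionsEgress"
    return any(_rule_covers(r, proto, port, cidr) for r in sg.get(key, []))


def check_resolver_sgs(outbound_sg, inbound_sg, vpce_sg,
                       inbound_ips, outbound_ips, gateway_subnets, service_port=443):
    """Return findings for d1..d3 of the post; an empty list means all satisfied.

    d1: outbound endpoint ENIs may send DNS (udp and tcp/53) to every inbound endpoint IP.
    d2: inbound endpoint ENIs accept DNS from every outbound endpoint IP.
    d3: VPCe ENIs accept the service port from every CloudGuard gateway subnet."""
    findings = []
    for ip in inbound_ips:
        for proto in ("udp", "tcp"):
            if not allows(outbound_sg, "out", proto, 53, f"{ip}/32"):
                findings.append(f"d1: outbound endpoint SG lacks egress {proto}/53 to {ip}")
    for ip in outbound_ips:
        for proto in ("udp", "tcp"):
            if not allows(inbound_sg, "in", proto, 53, f"{ip}/32"):
                findings.append(f"d2: inbound endpoint SG lacks ingress {proto}/53 from {ip}")
    for cidr in gateway_subnets:
        if not allows(vpce_sg, "in", "tcp", service_port, cidr):
            findings.append(f"d3: VPCe SG lacks ingress tcp/{service_port} from {cidr}")
    return findings


def _perm(proto, port, cidrs):
    """Build one IpPermission entry (helper for the constructed sample)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs]}


# Constructed sample (assumed addresses): two resolver endpoint ENIs each,
# two CloudGuard gateway subnets.
INBOUND_IPS = ["10.10.1.10", "10.10.2.10"]
OUTBOUND_IPS = ["10.10.1.20", "10.10.2.20"]
GW_SUBNETS = ["10.10.3.0/24", "10.10.4.0/24"]

# Outbound endpoint SG: DNS egress to both inbound endpoint IPs (correct).
OUTBOUND_SG = {"GroupId": "sg-out", "IpPermissionsEgress": [
    _perm("udp", 53, [f"{ip}/32" for ip in INBOUND_IPS]),
    _perm("tcp", 53, [f"{ip}/32" for ip in INBOUND_IPS])]}
# Inbound endpoint SG: the second outbound ENI was forgotten (weak).
INBOUND_SG = {"GroupId": "sg-in", "IpPermissions": [
    _perm("udp", 53, ["10.10.1.20/32"]),
    _perm("tcp", 53, ["10.10.1.20/32"])]}
# VPCe SG: 443 allowed from only one of the two gateway subnets (weak).
VPCE_SG = {"GroupId": "sg-vpce", "IpPermissions": [_perm("tcp", 443, ["10.10.3.0/24"])]}

if __name__ == "__main__":
    for finding in check_resolver_sgs(OUTBOUND_SG, INBOUND_SG, VPCE_SG,
                                      INBOUND_IPS, OUTBOUND_IPS, GW_SUBNETS):
        print(finding)
```

Against live accounts you would feed the three groups from describe_security_groups and the endpoint addresses from route53resolver.list_resolver_endpoint_ip_addresses; a finding for d2 is what you see when a new outbound ENI gets an address the inbound group never learned about, and a finding for d3 is what you see after a new gateway subnet is added to the autoscaling group.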
RGK_019 inside CloudGuard IaaS 2019-08-19
views 285 7

Check Point NSX vSEC Controller and vSEC gateway upgrade

Hi Experts,

I am looking for detailed documentation on the Check Point NSX vSEC Controller and vSEC gateway upgrade. Currently running vSEC Controller R80 (target version R80.10) and vSEC gateway R77.30 (target version R80.10).