Vladimir inside CloudGuard IaaS 6 hours ago

Inspection of Inter-Subnet traffic in AWS VPC using CloudGuard

I've been asked an interesting and, seemingly, trivial question: "How would you protect the hosts in AWS VPC located in different subnets by inspecting traffic between them?"

I was also assured that presently, AWS did not have a solution to this problem, as every routing table you create will contain a "local" route, and all traffic from all subnets within one VPC will be routed through it.

To work on this puzzle, this lab environment was provisioned:

...and the answer to this dilemma is to use static routes in the instances pointing to the interfaces of the vSEC or cluster, as well as security groups as Sources for the traffic to the Private Subnets:

[root@ip-10-255-255-200 ec2-user]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 eth0
10.255.255.128 UG 0 0 0 eth0
10.255.255.192 * U 0 0 0 eth0
169.254.169.254 * UH 0 0 0 eth0
[root@ip-10-255-255-200 ec2-user]#

[root@ip-10-255-255-150 ec2-user]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 eth0
10.255.255.128 * U 0 0 0 eth0
10.255.255.192 UG 0 0 0 eth0
169.254.169.254 * UH 0 0 0 eth0
[root@ip-10-255-255-150 ec2-user]#

With Firewall Access rules set:

With NAT rules set to:

And was able to see the packet traversing the firewall ( and are its interfaces):

[root@ip-10-255-255-150 ec2-user]# ssh ec2-user@ denied (publickey).
[root@ip-10-255-255-150 ec2-user]#

And here is the tcpdump from the target host:

[root@ip-10-255-255-200 ec2-user]# tcpdump src verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:03:53.440273 IP > Flags [S], seq 2098326363, win 26883, options [mss 1460,sackOK,TS val 843716 ecr 0,nop,wscale 7], length 0
...

With this Security group assigned to both hosts in my demo, the and sg-e2264391 is the:

[ec2-user@ip-10-255-255-150 ~]$ date; ssh Feb 16 13:29:42 UTC 2018
Permission denied (publickey).
[ec2-user@ip-10-255-255-150 ~]$ curl
[ec2-user@ip-10-255-255-150 ~]$
---
[ec2-user@ip-10-255-255-200 ~]$ date; ssh Feb 16 13:30:04 UTC 2018
Permission denied (publickey).
[ec2-user@ip-10-255-255-200 ~]$ curl
[ec2-user@ip-10-255-255-200 ~]$

And if you really want to be sure that the traffic in question was traversing the firewall and NOT a default VPC router:

and

[root@ip-10-255-255-200 ec2-user]# ifconfig | grep eth0
eth0 Link encap:Ethernet HWaddr 02:70:96:B0:44:80
[root@ip-10-255-255-200 ec2-user]#
----------------
[root@ip-10-255-255-200 ec2-user]# tcpdump -tttt -ne host verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
2018-02-15 16:01:28.245759 02:af:87:e2:04:c6 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 74: > Flags [S], seq 3739857756, win 26883, options [mss 1460,sackOK,TS val 331468 ecr 0,nop,wscale 7], length 0
2018-02-15 16:01:28.245898 02:70:96:b0:44:80 > 02:af:87:e2:04:c6, ethertype IPv4 (0x0800), length 74: > Flags [S.], seq 3645387522, ack 3739857757, win 26847, options [mss 8961,sackOK,TS val 324911 ecr 331468,nop,wscale 7], length 0
2018-02-15 16:01:28.246290 02:af:87:e2:04:c6 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 66: > Flags [.], ack 1, win 211, options [nop,nop,TS val 331469 ecr 324911], length 0
2018-02-15 16:01:28.246441 02:af:87:e2:04:c6 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 87: > Flags [P.], seq 1:22, ack 1, win 211, options [nop,nop,TS val 331469 ecr 324911], length 21
2018-02-15 16:01:28.246450 02:70:96:b0:44:80 > 02:af:87:e2:04:c6, ethertype IPv4 (0x0800), length 66: > Flags [.], ack 22, win 210, options [nop,nop,TS val 324912 ecr 331469], length 0

The addition of the static routes could be either bootstrapped or included in AMIs, depending on your situation.

To verify that the instances residing in different subnets will remain isolated in the absence of the static routes, those were removed and we can see that the SSH connection attempt is timing out:

[ec2-user@ip-10-255-255-150 ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 eth0
10.255.255.128 * U 0 0 0 eth0
169.254.169.254 * UH 0 0 0 eth0
[ec2-user@ip-10-255-255-150 ~]$ ssh ec2-user@ connect to host port 22: Connection timed out
[ec2-user@ip-10-255-255-150 ~]$
----
[ec2-user@ip-10-255-255-200 ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 eth0
10.255.255.192 * U 0 0 0 eth0
169.254.169.254 * UH 0 0 0 eth0
[ec2-user@ip-10-255-255-200 ~]$ ssh ec2-user@ connect to host port 22: Connection timed out
[ec2-user@ip-10-255-255-200 ~]$

And reinstatement of the static routes results in:

[root@ip-10-255-255-150 ec2-user]# nano /etc/sysconfig/network-scripts/route-eth0
[root@ip-10-255-255-150 ec2-user]# reboot
[root@ip-10-255-255-150 ec2-user]#
Broadcast message from ec2-user@ip-10-255-255-150
(/dev/pts/0) at 16:54 ...
The system is going down for reboot NOW!
Using username "ec2-user".
Authenticating with public key "imported-openssh-key"
Last login: Fri Feb 16 16:42:28 2018 from
| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
[ec2-user@ip-10-255-255-150 ~]$ ssh ec2-user@ denied (publickey).
[ec2-user@ip-10-255-255-150 ~]$

and:

[root@ip-10-255-255-200 ec2-user]# nano /etc/sysconfig/network-scripts/route-eth0
[root@ip-10-255-255-200 ec2-user]# reboot
[root@ip-10-255-255-200 ec2-user]#
Broadcast message from ec2-user@ip-10-255-255-200
(/dev/pts/0) at 16:55 ...
The system is going down for reboot NOW!
Using username "ec2-user".
Authenticating with public key "imported-openssh-key"
Last login: Fri Feb 16 16:42:10 2018 from
| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
[ec2-user@ip-10-255-255-200 ~]$ ssh ec2-user@ denied (publickey).
[ec2-user@ip-10-255-255-200 ~]$

This is the Gaia config for the vSEC used in this lab:

vSEC01> show configuration
#
# Configuration of vSEC01
# Language version: 13.1v1
#
# Exported by admin on Thu Feb 15 13:47:33 2018
#
set installer policy check-for-updates-period 3
set installer policy periodically-self-update on
set installer policy send-cpuse-data off
set installer policy self-test install-policy off
set installer policy self-test network-link-up off
set installer policy self-test start-processes on
set arp table cache-size 4096
set arp table validity-timeout 60
set arp announce 2
set message banner on
set message motd on
set message caption off
set core-dump enable
set core-dump total 1000
set core-dump per_process 2
set clienv debug 0
set clienv echo-cmd off
set clienv output pretty
set clienv prompt "%M"
set clienv rows 24
set clienv syntax-check off
set dns primary dns secondary edition 64-bit
set expert-password-hash $blablabla
set format date dd-mmm-yyyy
set format time 24-hour
set format netmask Dotted
set hostname vSEC01
add allowed-client host any-host
set web table-refresh-rate 15
set web session-timeout 30
set web ssl-port 443
set web ssl3-enabled off
set web daemon-enable on
set inactivity-timeout 10
set ipv6-state off
add command api path /bin/api_wrap description "Start, stop, or check status of API server"
add command tecli path /bin/tecli_start description "Threat Emulation Blade shell"
set net-access telnet off
set ntp active on
set ntp server primary version 2
set user admin shell /bin/bash
set user admin password-hash $blablabla
set user monitor shell /etc/cli.sh
set user monitor password-hash *
set password-controls min-password-length 6
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set password-controls expiration-warning-days 7
set password-controls expiration-lockout-days never
set password-controls force-change-when no
set password-controls deny-on-nonuse enable false
set password-controls deny-on-nonuse allowed-days 365
set password-controls deny-on-fail enable false
set password-controls deny-on-fail failures-allowed 10
set password-controls deny-on-fail allow-after 1200
set aaa tacacs-servers state off
set aaa radius-servers super-user-uid 96
set max-path-splits 8
set tracefile maxnum 10
set tracefile size 1
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set timezone America / New_York
set interface eth0 comments "vSEC01-Ext"
set interface eth0 link-speed 10G/full
set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth0 mtu 1500
set interface eth0 ipv4-address mask-length 26
set interface eth1 comments "vSEC01-Int"
set interface eth1 link-speed 10G/full
set interface eth1 state on
set interface eth1 auto-negotiation on
set interface eth1 mtu 1500
set interface eth1 ipv4-address mask-length 26
set interface eth2 comments "vSEC01-Proxy"
set interface eth2 link-speed 10G/full
set interface eth2 state on
set interface eth2 auto-negotiation on
set interface eth2 mtu 1500
set interface eth2 ipv4-address mask-length 26
set interface lo state on
set interface lo ipv4-address mask-length 8
add host name Simple01-LogicalServer-Web ipv4-address inbound-route-filter ospf2 accept-all-ipv4
set inbound-route-filter rip accept-all-ipv4
set management interface eth0
set ospf area backbone on
set rip update-interval default
set rip expire-interval default
set snmp mode default
set snmp agent off
set snmp agent-version v3-Only
set snmp traps trap authorizationError disable
set snmp traps trap biosFailure disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable
set snmp traps trap configurationSave disable
set snmp traps trap fanFailure disable
set snmp traps trap highVoltage disable
set snmp traps trap linkUpLinkDown disable
set snmp traps trap lowDiskSpace disable
set snmp traps trap lowVoltage disable
set snmp traps trap overTemperature disable
set snmp traps trap powerSupplyFailure disable
set snmp traps trap raidVolumeState disable
set snmp traps trap vrrpv2AuthFailure disable
set snmp traps trap vrrpv2NewMaster disable
set snmp traps trap vrrpv3NewMaster disable
set snmp traps trap vrrpv3ProtoError disable
set static-route default comment "To Subnet Router"
set static-route default nexthop gateway address on
set static-route comment "To Subnet Router for Peered VPC CIDR"
set static-route nexthop gateway address on
set static-route comment "To Subnet Router"
set static-route nexthop gateway address on
set static-route comment "To Subnet Router"
set static-route nexthop gateway address on
vSEC01>

Enjoy
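A way to automate the last verification step in the post above (checking that frames reached the target host from the vSEC's inside interface MAC rather than straight from the VPC router), as an added Python example that is not part of the original post. The capture lines, the 10.255.255.x addresses, the port numbers and the third source MAC are constructed; only the two MACs shown in the post are taken from it.

```python
"""Audit a `tcpdump -tttt -ne` capture taken on the target host: did the
inter-subnet traffic arrive from the firewall's interface MAC, or from some
other L2 source (which in a VPC means the default router bypassed the vSEC)?
Added example, not code from the original post."""
import re
from dataclasses import dataclass

# Constructed sample. 02:70:96:b0:44:80 is the target's eth0 and
# 02:af:87:e2:04:c6 the vSEC inside ENI (both from the post); the third
# frame's source MAC 02:11:22:33:44:55 is invented to show a bypassing frame.
IFCONFIG_LINE = "eth0 Link encap:Ethernet HWaddr 02:70:96:B0:44:80"
SAMPLE_CAPTURE = """\
2018-02-15 16:01:28.245759 02:af:87:e2:04:c6 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 74: 10.255.255.150.51970 > 10.255.255.200.22: Flags [S], seq 3739857756, win 26883, length 0
2018-02-15 16:01:28.245898 02:70:96:b0:44:80 > 02:af:87:e2:04:c6, ethertype IPv4 (0x0800), length 74: 10.255.255.200.22 > 10.255.255.150.51970: Flags [S.], seq 3645387522, ack 3739857757, win 26847, length 0
2018-02-15 16:02:01.000000 02:11:22:33:44:55 > 02:70:96:b0:44:80, ethertype IPv4 (0x0800), length 74: 10.255.255.150.51971 > 10.255.255.200.22: Flags [S], seq 1, win 26883, length 0
"""

# timestamp, src MAC, dst MAC, then the IPv4 src/dst (host.port) and TCP flags
FRAME_RE = re.compile(
    r"^(\S+ \S+) ([0-9a-f:]{17}) > ([0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(\S+) > (\S+): Flags \[([^\]]+)\]"
)
HWADDR_RE = re.compile(r"HWaddr ([0-9A-Fa-f:]{17})")


@dataclass(frozen=True)
class Frame:
    ts: str
    src_mac: str
    dst_mac: str
    src: str
    dst: str
    flags: str


def mac_from_ifconfig(line: str):
    """Pull the HWaddr out of an `ifconfig | grep eth0` line, lower-cased so it
    compares equal to tcpdump's lower-case MACs."""
    m = HWADDR_RE.search(line)
    return m.group(1).lower() if m else None


def parse_capture(text: str):
    """Parse the IPv4/TCP frames of a `tcpdump -tttt -ne` capture; other lines
    (the 'listening on' banner, non-IPv4 frames) are skipped."""
    return [Frame(*m.groups()) for m in map(FRAME_RE.match, text.splitlines()) if m]


def audit_inbound(frames, host_mac: str, firewall_mac: str):
    """Split frames addressed to this host into (via_firewall, bypassed).
    Frames the host itself sent are ignored; only what arrives is audited."""
    host_mac, firewall_mac = host_mac.lower(), firewall_mac.lower()
    via, bypass = [], []
    for f in frames:
        if f.dst_mac != host_mac:
            continue
        (via if f.src_mac == firewall_mac else bypass).append(f)
    return via, bypass


if __name__ == "__main__":
    host = mac_from_ifconfig(IFCONFIG_LINE)
    via, bypass = audit_inbound(parse_capture(SAMPLE_CAPTURE), host, "02:af:87:e2:04:c6")
    print(f"via firewall: {len(via)}, bypassed firewall: {len(bypass)}")
    for f in bypass:
        print(f"  BYPASS {f.ts} {f.src} -> {f.dst} [{f.flags}] from {f.src_mac}")
```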
Tom_Thwaites inside CloudGuard IaaS 7 hours ago

Additional External IP (azure)

How do I add an additional external IP to the CloudGuard device in Azure? I've added the new IP in the Azure Portal and attached it to the VM, but within the GUI the IP isn't being displayed. If I create a new alias within the CG GUI, I can't specify the IP as it doesn't allow for /32 within the subnet mask.

Any help would be really appreciated.

Thanks
Tom
inside CloudGuard IaaS yesterday

centralizing AWS VPC endpoint/privatelink inspection in a Transit Gateway-centered architecture

I want to quickly share some steps in implementing the following scenario:

1) you are interconnecting your VPCs using a transit gateway (TGW)
2) you're using the Check Point TGW-integrated autoscaling group to inspect egress, inter-VPC and/or AWS<->on-prem traffic
3) you want to consume a service through an interface VPC endpoint (AKA PrivateLink) and want to inspect traffic flowing between your resources and that service

How do you achieve that? Here's an outline of the steps.

The easy part:

0) Make sure that, if the VPC that has the Check Point gateways (the Egress Security VPC, in the pic above) has a VPC attachment to the TGW, then that VPC attachment is NOT propagating routes to TGW route tables associated with any spoke VPCs with resources that need access to the service. (That was a fun sentence to write!)
1) Create the VPC endpoint (VPCe) on some subnet, dedicated to that purpose, inside the VPC that has the Check Point CloudGuard (CGI) Autoscaling Group (ASG) deployed. We'll call that VPC the "CGI-VPC".
2) In SmartConsole, create the appropriate access rules allowing traffic from the appropriate resources within your spoke VPC to the IP addresses of the VPC endpoints you created for the service.
3) If this is not configured correctly (as it should be if you followed the steps in the user guide), make sure that traffic to this service is going to be "hide" source NATed by the gateways.

The non-trivial part (all having to do with DNS!)

In general, the AWS DNS resolver inside the CGI VPC itself (where the VPCe are) can be easily configured to resolve the native name of the service you're consuming through the VPCe to the private IP addresses on those VPCe (which are implemented as ENIs on the subnet). This is where you enable it in the AWS VPC console when you create the VPCe. So e.g., if you created an SNS endpoint in a VPC in us-east-1, then after the deployment, will resolve to the IP addresses of the ENIs that implement this VPCe.

The challenge is making this the case also for the spoke VPCs, i.e., making it the case that will resolve to the same private IP addresses, on the CGI VPC, also when requested from the spokes. Here's one way to do it:

a) In the AWS Route53 console, create an "inbound endpoint" in the CGI VPC (you can use the same 2 subnets that are used for the VPCe). Record the IP addresses set for this inbound endpoint.
b) In the AWS Route53 console, create an "outbound endpoint" in the CGI VPC (you can use the same 2 subnets as above).
c) In the AWS Route53 console, create a rule with the following details:
c1) type: forward
c2) domain name: put here the FQDN of the service you're trying to provide access to
c3) VPCs: here you'll have to enter all the spoke VPCs. Note that whenever a new VPC is created that needs the service, you'll have to add it to this rule
c4) Outbound Endpoint: here you pick the outbound endpoint you created in step b.
c5) Target IP addresses: here you enter, individually, the IP addresses of the ENIs that were created for the inbound endpoint in step a.
d) Do a sanity check on all the security groups:
d1) on the ENIs of the outbound endpoint, only an outbound rule is really required that allows DNS to the inbound endpoint's IP addresses
d2) on the ENIs of the inbound endpoint, an inbound rule is required that allows DNS from the addresses of the outbound endpoint's ENIs. I believe that an outbound rule is also required for DNS to the native AWS resolver in the VPC
d3) on the ENIs of the VPCe, the service itself, inbound rules are required, on the port of the service (usually 443), from the subnets where the Check Point CloudGuard gateways live.

And that's it! Please let me know if I missed something...
Y
RGK_019 inside CloudGuard IaaS yesterday

Checkpoint NSX vSEC-Controller and vSEC gateway upgrade

Hi Experts, I am looking for detailed documentation on the Check Point NSX vSEC Controller and vSEC gateway upgrade. Currently running vSEC Controller R80, target version R80.10, and vSEC gateway R77.30, target version R80.10.
G_W_Albrecht inside CloudGuard IaaS yesterday

Check Point CloudGuard / vSEC solutions Overview

I have found a nice SK listing all CloudGuard / vSEC flavors with their relevant SKs: sk132552: Check Point CloudGuard / vSEC solutions! Might come in handy for many people...
Sumeet inside CloudGuard IaaS Sunday

Change Private IP address CloudGuard on Azure

We have deployed the Check Point CloudGuard on Azure using "CloudGuard IaaS High Availability", which gets deployed successfully. We are required to change the Private IP address on the interfaces, i.e. eth0, eth1 and the Cluster VIP; i.e. the Azure auto-assigned IP on eth0 is changed to, and likewise for the other interfaces.

We noticed that once the Private IP address is changed, internet traffic is reaching the firewall. When we use the environment with the Azure auto-assigned Private IP addresses, everything works fine.
Abhishek_Singh1 inside CloudGuard IaaS Thursday

Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Hi guys, I am looking for a solution to implement Active-Active (Load Sharing) ClusterXL in Azure, but didn't find any templates. Does Check Point vSEC in Azure not support this by design, or what changes would it require to support this config? Thanks!
SDE_License_Acc inside CloudGuard IaaS 2 weeks ago

Alias IP addresses on 1 NIC in Azure CloudGuard

Hi All,

We have a customer trying to go off script and not follow the CP Azure reference architecture, by acquiring public IP addresses from Azure and adding the internal IP addresses as aliases to the CP Standalone CloudGuard firewall's external NIC. About 20 aliases 😞

The customer has deployed this same setup using R80.10, but wants us to deploy it with R80.20. What are the repercussions of doing this, as it is not mentioned anywhere in the reference architecture? Could hotfixes or patches kill this design? On physical appliances this is supported, but there is no mention for CloudGuard.

Please advise on the same.

Thanks
Bhav
rohan_savant inside CloudGuard IaaS 2 weeks ago

Can i import an Internal ELB from aws and use it in the NAT and security policy

We are trying to set up an internal ALB and NAT to the public IP of the on-prem firewall, so any inbound connections to the public IP get NATed and go to the internal ALB via VPN and VGW. I do not see any load balancers when I import objects using CloudGuard Controller.
HS inside CloudGuard IaaS 2 weeks ago

MGMT Cli with proxy

Hi,

We created an R80.20 management on Azure Cloud and we need to back up the configurations to a blob storage account. We found this sk. There is no internet connection and we are unable to use a proxy from the CLI. Does anyone have an idea how we can use a proxy with the CLI?

Thank you very much for your replies
Dawei_Ye inside CloudGuard IaaS 3 weeks ago

Request from AWS NLB didn't enter vpn tunnel

Hi,

We are deploying a Transit VPC architecture right now. We tried to publish a service via AWS NLB. The NLB would transfer the request to our gateway, and we set up a NAT rule to translate the destination to our internal server. But we found the gateway did translate the packet but didn't transfer it to the internal gw (in the transit VPC). We tried to capture packets via tcpdump and fw monitor. is the NLB's tcpdump record; it seems the traffic was sent out via the physical interface? In the gw logs, it didn't enter the VPN tunnel but did NAT translation.

Regards
Abeja_huhuhu inside CloudGuard IaaS 3 weeks ago

BGP does not import route from second peer

Hi Guys,

We are currently configuring Check Point to connect to two BGP peers using different AS. We have configured a routemap to import routes coming from these two AS with a specific local preference. The local AS number is 138932. We have set up two routemap rules as stated below:

set routemap ipv4-new-import id 6 on
set routemap ipv4-new-import id 6 allow
set routemap ipv4-new-import id 6 match as 38182 on
set routemap ipv4-new-import id 6 action localpref 15
set routemap jbix-import id 5 on
set routemap jbix-import id 5 allow
set routemap jbix-import id 5 match as 2.6937 on
set routemap jbix-import id 5 action localpref 10

The issue that we have is that it seems like our Check Point firewall manages to import routes from AS 38182 but not from AS 138009. I can confirm that there are routes being distributed from peer AS 138009, as I can see these routes with state Hidden and inactive when I run show route bgp all. Below is the output from show bgp peers:

PeerID AS Routes ActRts State InUpds OutUpds Uptime
x.x.x.x 38182 782587 782585 Established 139987 1 00:22:32
y.y.y.y 2.6937 66241 0 Established 12965 1 00:25:08

We tried to simulate AS 38182 as down and still the routes from AS 138009 are not being imported. I did try to change the routemap from using match as number to match nexthop, but still with no luck. I have also tried to disable the routemap and use an inbound route filter instead, still not able to import routes coming from AS 138009.

Would appreciate it if anyone could help on this.
Eric_Danso inside CloudGuard IaaS a month ago

Upgrade and integrate from cloud to onprem management

Hi, I have an Azure deployment with mgmt and 2 x VMSS gateways in the cloud. I also have an on-prem mgmt, managing multiple gateway types including NSX and physical gateways.

Mgmt on-prem is R80.10 - critical device
Mgmt in the cloud is R80.20 take 47 - to be decommissioned

Is there a process I should be taking to perform this upgrade of the on-prem to R80.20 and then integrating with my Azure environment in order to manage the VMSS gateways?

Any help would be great.

Thanks,
E
Prashant_Bhardw inside CloudGuard IaaS 2019-07-19

Running NAT 64 or other supported IPv6 NAT on R77.30 Gateways with R80.20 on Management Server

Dear All, is it possible to run IPv6-supported NAT for R77.30, like NAT64, on the gateway when my Management Server is R80.20 or R80.10? I know that as per sk39374, NAT64 is supported on R77.30 but requires the R77.30 Add-on on the Management Server; however, it is not clear what happens if I use an R80.20 management server itself. Will it work?

Thanks
-PB
Prashant_Bhardw inside CloudGuard IaaS 2019-07-19

CheckPoint CloudGuard Support for NSX-T 2.4

Hello All,

I am looking for the CloudGuard support for NSX-T. Below are my requirements in specific.

Does Check Point officially support CloudGuard with NSX-T version 2.4? I know it supports Service Insertion at the Edge (sk139213) with version 2.3. However, it says later versions are also supported, but I couldn't get any documented affirmation. I also see the CP partnership with NSX-T 2.4 from the VMware site and through an announcement published in the Check Point Blog.

Also, with NSX-T, does Check Point CloudGuard support service insertion & inspection for East-West, micro-segmentation traffic? If it is supported, where could I find supporting documentation? Otherwise, is there any official announcement for EA, GA release dates for the NSX-T 2.4 version?

Thanks in Advance!!!
-PB