inside CloudGuard IaaS yesterday
views 136 2 2

centralizing AWS VPC endpoint/privatelink inspection in a Transit Gateway-centered architecture

I want to share quickly some steps in implementing the following scenario:
1) you are interconnecting your VPCs using a transit gateway (TGW)
2) you're using Check Point TGW-integrated autoscaling group to inspect egress, inter-VPC and/or AWS<->on prem traffic
3) you want to consume a service through an interface VPC endpoint (AKA Privatelink) and want to inspect traffic flowing between your resources and that service

How do you achieve that? Here's an outline of the steps.

The easy part:
0) Make sure that, if the VPC that has the Check Point gateways (the Egress Security VPC, in the pic above) has a VPC attachment to the TGW, then that VPC attachment is NOT propagating routes to TGW route tables associated with any spoke VPCs with resources that need access to the service. (that was a fun sentence to write!)
1) Create the VPC endpoint (VPCe) on some subnet, dedicated to that purpose, inside the VPC that has the Check Point CloudGuard (CGI) Autoscaling Group (ASG) deployed. We'll call that VPC the "CGI-VPC".
2) In SmartConsole, create the appropriate access rules allowing traffic from the appropriate resources within your spoke VPC to the IP addresses of the VPC endpoints you created for the service.
3) If this is not configured correctly (as it should be if you followed the steps in the user guide), make sure that traffic to this service is going to be "hide" source NATed by the gateways.

The non-trivial part (all having to do with DNS!)
In general, the AWS DNS resolver inside the CGI VPC itself (where the VPCe are) can be easily configured to resolve the native name of the service you're consuming through the VPCe to the private IP addresses on those VPCe (which are implemented as ENIs on the subnet). This is where you enable it in the AWS VPC console when you create the VPCe. So e.g., if you created an SNS endpoint in a VPC in us-east-1, then after the deployment, will resolve to the IP addresses of the ENIs that implement this VPCe.

The challenge is making this the case also for the spoke VPCs, i.e., making it the case that will resolve to the same private IP addresses, on the CGI VPC, also when requested from the spokes. Here's one way to do it:
a) In the AWS Route53 console, create an "inbound endpoint" in the CGI VPC (you can use the same 2 subnets that are used for the VPCe). Record the IP addresses set for this inbound endpoint.
b) In the AWS Route53 console, create an "outbound endpoint" in the CGI VPC (you can use the same 2 subnets as above).
c) In the AWS Route53 console, create a rule with the following details:
c1) type: forward
c2) domain name: put here the FQDN of the service you're trying to provide access to
c3) VPCs: here you'll have to enter all the spoke VPCs. Note that whenever a new VPC is created that needs the service, you'll have to add it to this rule
c4) Outbound Endpoint: here you pick the outbound endpoint you created in step b.
c5) Target IP addresses: here you enter, individually, the IP addresses of the ENIs that were created for the inbound endpoint in step a.
d) Do a sanity check on all the security groups:
d1) on the ENIs of the outbound endpoint only an outbound rule is really required that allows DNS to the inbound endpoint's IP addresses
d2) on the ENIs of the inbound endpoint an inbound rule is required that allows DNS from the addresses of the outbound endpoint's ENIs. I believe that an outbound rule is also required for DNS to the native AWS resolver in the VPC
d3) on the ENIs of the VPCe, the service itself, inbound rules are required, on the port of the service (usually 443) from the subnets where the Check Point CloudGuard gateways live.

And that's it! Please let me know if I missed something...
Y
RGK_019 inside CloudGuard IaaS yesterday
views 147 7

Checkpoint NSX vSEC-Controller and vSEC gateway upgrade

Hi Experts, I am looking for detailed documentation on the Check Point NSX vSEC-Controller and vSEC gateway upgrade. Currently running vSEC controller R80, target version R80.10, and vSEC gateway R77.30, target version R80.10.
G_W_Albrecht inside CloudGuard IaaS yesterday
views 51

Check Point CloudGuard / vSEC solutions Overview

I have found a nice SK listing all CloudGuard / vSEC flavors with their relevant SKs: sk132552: Check Point CloudGuard / vSEC solutions! Might come in handy for many people...
Sumeet inside CloudGuard IaaS Sunday
views 324 1

Change Private IP address CloudGuard on Azure

We have deployed the Check Point CloudGuard on Azure using "CloudGuard IaaS High Availability", which gets deployed successfully. We are required to change the Private IP address on the interfaces, i.e. eth0, eth1, Cluster VIP, i.e. Azure auto-assigned IP eth0, the IP is changed to, likewise for the other interfaces. We noticed that once the Private IP address is changed internet traffic is reaching the firewall. While when we use the environment with the Azure auto-assigned Private IP addresses, everything works fine.
Abhishek_Singh1 inside CloudGuard IaaS Thursday
views 86 2

Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Hi guys, I am looking for a solution to implement Active-Active (Load sharing) ClusterXL in Azure, but didn't find any templates. Does Check Point vSEC in Azure not support this by design, or what changes would it require to support this config? Thanks!
SDE_License_Acc inside CloudGuard IaaS 2 weeks ago
views 39 1

Alias IP addresses on 1 NIC in Azure CloudGuard

Hi All, We have a customer trying to go off script and not follow the CP Azure reference architecture, by acquiring public IP addresses from Azure and adding the internal IP addresses as aliases to the CP Standalone CloudGuard firewall's external NIC. About 20 aliases 😞 The customer has deployed this same setup using R80.10, but wants us to deploy it with R80.20. What are the repercussions of doing this as it is not mentioned anywhere in the reference architecture? Could hotfixes or patches kill this design? On physical appliances this is supported, but no mention for CloudGuard. Please advise on the same. Thanks, Bhav
rohan_savant inside CloudGuard IaaS 2 weeks ago
views 34 1

Can i import an Internal ELB from aws and use it in the NAT and security policy

We are trying to set up an internal ALB and NAT to the public IP of the on-prem firewall so any inbound connections to the public IP get NAT'ed and go to the internal ALB via VPN and VGW. I do not see any load balancers when I import objects using CloudGuard Controller.
Tom_Thwaites inside CloudGuard IaaS 2 weeks ago
views 2147 15 10

Additional External IP (azure)

How do I add an additional external IP to the CloudGuard device in Azure? I've added the new IP in the Azure Portal and attached it to the VM, but within the GUI the IP isn't being displayed. If I create a new alias within the CG GUI, I can't specify the IP as it doesn't allow for /32 within the subnet mask. Any help would be really appreciated. Thanks, Tom
HS inside CloudGuard IaaS 2 weeks ago
views 145 1

MGMT Cli with proxy

Hi, we created an R80.20 management on Azure Cloud and we need to back up the configurations to a blob storage account. We found this sk. There is no internet connection and we are unable to use a proxy from the CLI. Does anyone have some idea how we can use a proxy with the CLI? Thank you very much for your replies.
Dawei_Ye inside CloudGuard IaaS 3 weeks ago
views 360 1

Request from AWS NLB didn't enter vpn tunnel

Hi, We are deploying a Transit VPC architecture right now. We tried to publish a service via AWS NLB. NLB would transfer the request to our Gateway, and we set up a NAT rule to translate the destination to our internal server. But we found the gateway did translate the packet but didn't transfer it to the internal gw (in transit VPC). We tried to capture packets via tcpdump and fw monitor. Here are the NLB's tcpdump records; it seems the traffic was sent out via the physical interface? In the gw logs, it didn't enter the vpn tunnel but did NAT translation. Regards
Abeja_huhuhu inside CloudGuard IaaS 3 weeks ago
views 1927 6

BGP does not import route from second peer

Hi Guys,
We are currently configuring Check Point to connect to two BGP peers using different AS. We have configured a routemap to import routes coming from these two AS with a specific local preference. The local AS number is 138932. We have set up two routemap rules which are stated as below:

set routemap ipv4-new-import id 6 on
set routemap ipv4-new-import id 6 allow
set routemap ipv4-new-import id 6 match as 38182 on
set routemap ipv4-new-import id 6 action localpref 15
set routemap jbix-import id 5 on
set routemap jbix-import id 5 allow
set routemap jbix-import id 5 match as 2.6937 on
set routemap jbix-import id 5 action localpref 10

The issue that we have is that it seems like our Check Point firewall manages to import routes from AS 38182 but not from AS 138009. I can confirm that there are routes being distributed from peer AS 138009 as I can see these routes with state Hidden and inactive when I run show route bgp all. Below is the output from show bgp peers:

PeerID   AS      Routes   ActRts   State        InUpds   OutUpds   Uptime
x.x.x.x  38182   782587   782585   Established  139987   1         00:22:32
y.y.y.y  2.6937  66241    0        Established  12965    1         00:25:08

We tried to simulate AS 38182 as down and still the routes from AS 138009 are not being imported. I did try to change the routemap from using match as number to match nexthop, but still with no luck. I have also tried to disable the routemap and use an inbound route filter instead, still not able to import routes coming from AS 138009. Would appreciate it if anyone could help on this.
Eric_Danso inside CloudGuard IaaS a month ago
views 871 2

Upgrade and integrate from cloud to onprem management

Hi, I have an Azure deployment with mgmt and 2 x VMSS gateways in the cloud. I also have an on-prem mgmt, managing multiple gateway types including NSX and physical gateways. Mgmt on-prem is R80.10 - critical device. Mgmt in the cloud is R80.20 take 47 - to be decommissioned. Is there a process I should be taking to perform this upgrade of the on-prem to R80.20 and then integrating with my Azure environment in order to manage the VMSS gateways? Any help would be great. Thanks, E
Prashant_Bhardw inside CloudGuard IaaS 2019-07-19
views 783 1

Running NAT 64 or other supported IPv6 NAT on R77.30 Gateways with R80.20 on Management Server

Dear All, Is it possible to run IPv6-supported NAT for R77.30, like NAT64, on the Gateway whereas my Management Server is R80.20 or R80.10? I know that as per sk39374, NAT64 is supported on R77.30 but requires the R77.30 Add-on on the Management server; however it is not clear what happens if I use an R80.20 management server itself. Will it work? Thanks -PB
Prashant_Bhardw inside CloudGuard IaaS 2019-07-19
views 1141 2

CheckPoint CloudGuard Support for NSX-T 2.4

Hello All, I am looking for the CloudGuard support for NSX-T. Below are my requirements in specific. Does Check Point officially support CloudGuard with NSX-T version 2.4? I know it supports Service Insertion at the Edge (sk139213) with version 2.3. However it says later versions are also supported but I couldn't get any documented affirmation. I also see the CP partnership with NSX-T 2.4 from the VMware site and through an announcement published in the Check Point Blog. Also with NSX-T, does Check Point CloudGuard support service insertion & inspection for East-West, micro-segmentation traffic? If it is supported, where could I find supporting documentation? Else, is there any official announcement for EA, GA release dates for the NSX-T 2.4 version? Thanks in Advance!!! -PB
Krishna inside CloudGuard IaaS 2019-07-15
views 1810 3

The NAT issue on CP firewall deployed in the Azure

We have built a tunnel between the CP firewall (FW1) in Azure and the CP firewall (FW2) on-premises. FW1 is a cluster and has two gateways in it. IP of gateway 1 is, IP of gateway 2 is and IP of Cluster is. Gateway 1 is active.
The tunnel initiation traffic/Phase 1 traffic is sent by FW2 from port 500 to port 500 of FW1.
We have done a packet capture on gateway 1 of FW1 and found that FW1 is receiving the traffic on the cluster IP sent by FW2; both source and destination ports are 500.
Gateway 1 of FW1 is replying to FW2 from port 500 to port 500 of FW2.
In the next packet, while the gateway 1 IP is getting translated to the cluster IP, i.e. from to, the source port is also getting translated from port 500 to a random port. Below are the logs collected from gateway 1:

[vs_0][fw_0] eth0:o[180]: X.X.X.X -> (UDP) len=180 id=20396
UDP: 500 -> 500
[vs_0][fw_0] eth0:o[180]: -> X.X.X.X (UDP) len=180 id=10087
UDP: 500 -> 500
[vs_0][fw_0] eth0:O[180]: -> X.X.X.X (UDP) len=180 id=10087
UDP: 12410 -> 500

Due to this the phase 1 of the tunnel is not getting established and the tunnel is not forming. Kindly provide a solution to this.