Participant

Management HA over VPN

Hi,

R80.30. Can you set up Management HA if the management servers are on different sites and communication goes over VPN?

It seems the traffic between the two management servers hits the implied rules and doesn't get encrypted.


thanks

Francis

4 Replies
Admin

Management traffic itself is encrypted already.
Excluding management traffic from implied rules is NOT recommended.
See this thread and the linked discussion: https://community.checkpoint.com/t5/General-Management-Topics/Managing-a-gateway-over-VPN/m-p/13674#... 

Participant

thanks. I guess the solution would be to follow this sk https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

My only issue is that the management HA is in Azure behind a CloudGuard cluster and I just can't figure out how to properly do the NATing on that side. Does anyone know of guides or docs to do that?

Admin

Are you defining the object for the HA management in terms of the NAT address?

Participant

Not sure I understand your question.

For the management HA Properties, General tab, I used the private address. In the NAT tab I assigned a static NAT with the external IP of the management HA (did not apply to Security Gateway control connections).

I created an object representing the NATed IP of the management HA.

I created Manual Static NAT rules for communication between NATed (external) IP addresses of Management servers.

For the NATing of the management HA, I've tried using the Public IP assigned to the management HA by Azure. I also tried using the public IP of the frontend load balancer and adding a load balancing rule. I also tried assigning a second public IP to the load balancer and used this IP for NATing (along with a load balancing rule).

None of these worked. Although I can see the properly NATed connections leaving the gateways that protect the active management server, I never see anything at all reaching the CloudGuard gateway.

Looking at the Effective Security Rules for the Management HA interface, I don't see any issues with the NSG. I think I'm missing something on the Azure side of things but haven't been able to find it.
