This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
flachance
Advisor
‎2020-09-21 12:59 PM

Management HA over VPN

Hi,

R80.30. Can you set up Management HA if the management servers are on different sites and communications goes over VPN.

It seems the traffic between the two management server hits the implied rules and doesn't get encrypted.

 

thanks

Francis

4 Replies
PhoneBoy
Admin
Admin
‎2020-09-23 03:15 PM

Management traffic itself is encrypted already.
Excluding management traffic from implied rules is NOT recommended.
See this thread and the linked discussion: https://community.checkpoint.com/t5/General-Management-Topics/Managing-a-gateway-over-VPN/m-p/13674#... 

flachance
Advisor
‎2020-10-16 08:35 AM
In response to PhoneBoy

thanks. I guess the solution would be to follow this sk https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

My only issue is that the management HA is in Azure behind a CloudGuard cluster and I just can't figure out how to properly do the NATing on that side. Anyone knows of Guides or Docs to do that?

PhoneBoy
Admin
Admin
‎2020-10-16 01:09 PM
In response to flachance

Are you defining the object for the HA management in terms of the NAT address?

0 Kudos
flachance
Advisor
‎2020-10-21 06:24 AM
In response to PhoneBoy

Not sure I understand your question.

For the management HA Properties- General tab I used the private address. In the NAT tab I assigned a static NAT with the external IP of the management HA (did not apply to Security Gateway control connections)

I created an object representing the NATed IP of the management HA.

I created Manual Static NAT rules for communication between NATed (external) IP addresses of Management servers.

For the NATing of the management HA, I’ve tried using the Public IP assigned to the management HA by Azure. I also tried using the public IP of the frontend load balancer and adding a load balancing rule. I also tried assigning a second public IP to the load balancer and Used this IP for NATing (along with a load balancing rule).

None of these worked. Although I can see the properly NATed connections leaving the gateways that protect the active management server I never see anything at all reaching the Cloudguard Gateway.

Looking at the Effective Security Rules for the Management HA interface, I don’t see any issues with the NSG. I think I’m missing something on the Azure side of things but haven’t been able to find it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events