Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
S_K_S
Contributor

Virtual firewall on standby VSX Internet/proxy access

We have a VSX with VSLS deployment where the virtual firewalls are more or less evenly spread. Each VS has multiple security blades enabled, including Threat Emulation which needs to connect to the Threat Cloud directly and the virtual firewalls are interconnected with a virtual switch and route propagation. The customer's setup is such that the proxy which is used for Internet access can be reached only through a firewall which we'll call Firewall_One. Firewall_One can connect to the proxy without issues and thus reach the Threat Cloud, however Firewall_Two which is Active on the Standby VSX cannot. The relevant route on Firewall_Two to reach the proxy through Firewall_One is present in the former's routing table. Firewall_Two has an outbound NAT rule for its internal network IP address toward the proxy as per the admin guide - https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_VSX_AdminGuide/Content/Topic... From the traffic capture on both VSX's I can see:

1. Traffic toward the proxy on Firewall_Two (on the Standby VSX), only SYN packets;

2. Traffic toward the proxy from the NAT-ed source IP address of Firewall_Two on the virtual switch on the Active VSX.

3. No traffic toward the proxy from the NAT-ed IP address of Firewall_Two on Firewall_One (the latter on the Active VSX).

So, in summary, the traffic from Firewall_Two toward the proxy is properly NAT-ed, sent from the Standby VSX to the Active VSX over the Virtual Switch between the two, seen on the tcpdump performed on the switch on the active VSX but not on the tcpdump on Firewall_One. Respectively proxy access doesn't work for the Firewall_Two VS. Any idea what can be done?

0 Kudos
1 Reply
S_K_S
Contributor

OK, after installing policies a few more times it suddenly started working. Not quite sure what I may have missed since the policies have been installed multiple times before that, but that's that...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events