We have a VSX with VSLS deployment where the virtual firewalls are more or less evenly spread. Each VS has multiple security blades enabled, including Threat Emulation, which needs to connect to the Threat Cloud directly, and the virtual firewalls are interconnected with a virtual switch and route propagation. The customer's setup is such that the proxy that is used for Internet access can be reached only through a firewall which we'll call Firewall_One. Firewall_One can connect to the proxy without issues and thus reach the Threat Cloud; however, Firewall_Two, which is Active on the Standby VSX, cannot. The relevant route on Firewall_Two to reach the proxy through Firewall_One is present in Firewall_Two's routing table. Firewall_Two has an outbound NAT rule for its internal network IP address toward the proxy as per the admin guide - https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_VSX_AdminGuide/Content/Topic...

From the traffic capture on both VSXs I can see:
1. Traffic toward the proxy on Firewall_Two (on the Standby VSX), only SYN packets;
2. Traffic toward the proxy from the NAT-ed source IP address of Firewall_Two on the virtual switch on the Active VSX;
3. No traffic toward the proxy from the NAT-ed IP address of Firewall_Two on Firewall_One (the latter on the Active VSX).
So, in summary, the traffic from Firewall_Two toward the proxy is properly NAT-ed, sent from the Standby VSX to the Active VSX over the Virtual Switch between the two, seen in the tcpdump performed on the switch on the Active VSX, but not in the tcpdump on Firewall_One. As a result, proxy access doesn't work for the Firewall_Two VS. Any idea what can be done?
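The three-point comparison described in the post (capture on the originating VS, on the virtual switch, and on the VS that fronts the proxy) can be automated so that the hop where a NAT-ed flow disappears is reported rather than eyeballed. The script below is an added example and is not code from the original post or from Check Point; it parses plain `tcpdump -nn` text lines, groups packets into flows keyed on the client side, records at which capture points each flow was seen and whether a SYN-ACK ever came back, and names the hop between the last point where the flow was seen and the first where it was absent. The proxy address `192.0.2.10:8080`, the NAT-ed source `10.99.0.2`, the healthy comparison flow from `10.99.0.1`, and all capture lines are constructed sample data, not values from the thread.

```python
import re

# Matches the TCP line shape of "tcpdump -nn":
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed placeholders (not from the post): proxy endpoint and capture-point order,
# listed from the originating VS toward the VS that fronts the proxy.
PROXY_IP, PROXY_PORT = "192.0.2.10", 8080
CAPTURE_ORDER = ["Firewall_Two", "vswitch", "Firewall_One"]

# Constructed sample captures mirroring the symptom: the NAT-ed source 10.99.0.2 sends
# SYNs that are seen on Firewall_Two and on the virtual switch but never on Firewall_One,
# while a healthy flow from 10.99.0.1 completes its handshake through Firewall_One.
SAMPLE_CAPTURES = {
    "Firewall_Two": [
        "10:00:00.000100 IP 10.99.0.2.40001 > 192.0.2.10.8080: Flags [S], seq 1, win 64240, length 0",
        "10:00:01.000200 IP 10.99.0.2.40001 > 192.0.2.10.8080: Flags [S], seq 1, win 64240, length 0",
    ],
    "vswitch": [
        "10:00:00.000150 IP 10.99.0.2.40001 > 192.0.2.10.8080: Flags [S], seq 1, win 64240, length 0",
        "10:00:00.500000 IP 10.99.0.1.50001 > 192.0.2.10.8080: Flags [S], seq 7, win 64240, length 0",
        "10:00:00.500900 IP 192.0.2.10.8080 > 10.99.0.1.50001: Flags [S.], seq 9, ack 8, win 65160, length 0",
    ],
    "Firewall_One": [
        "10:00:00.500200 IP 10.99.0.1.50001 > 192.0.2.10.8080: Flags [S], seq 7, win 64240, length 0",
        "10:00:00.500800 IP 192.0.2.10.8080 > 10.99.0.1.50001: Flags [S.], seq 9, ack 8, win 65160, length 0",
    ],
}


def parse_tcpdump_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, or None if it does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), m.group("flags"))


def client_key(pkt, proxy_ip, proxy_port):
    """Canonical flow key (client_ip, client_port). Packets toward the proxy keep their
    source as the client; replies from the proxy are swapped so both directions share
    one key. Returns None for packets that do not involve the proxy service."""
    src, sport, dst, dport, _ = pkt
    if (dst, dport) == (proxy_ip, proxy_port):
        return (src, sport)
    if (src, sport) == (proxy_ip, proxy_port):
        return (dst, dport)
    return None


def analyse_captures(captures, order, proxy_ip, proxy_port):
    """captures: {point_name: [tcpdump lines]}. Walks the points in the given order and
    returns {flow_key: {"seen_at": [points], "syn_ack": bool, "last_seen": point}}."""
    flows = {}
    for point in order:
        for line in captures.get(point, []):
            pkt = parse_tcpdump_line(line)
            if pkt is None:
                continue
            key = client_key(pkt, proxy_ip, proxy_port)
            if key is None:
                continue
            rec = flows.setdefault(key, {"seen_at": [], "syn_ack": False, "last_seen": None})
            if point not in rec["seen_at"]:
                rec["seen_at"].append(point)
            rec["last_seen"] = point
            flags = pkt[4]
            # tcpdump prints a SYN-ACK as "S."; only count it when it comes from the proxy.
            if pkt[0] == proxy_ip and "S" in flags and "." in flags:
                rec["syn_ack"] = True
    return flows


def stalled_flows(flows, order):
    """Flows that never received a SYN-ACK, mapped to (last point seen, next point in
    the path where the flow was expected but absent). A None next point means the flow
    reached the final capture point and was dropped beyond it."""
    out = {}
    for key, rec in flows.items():
        if rec["syn_ack"]:
            continue
        idx = order.index(rec["last_seen"])
        next_point = order[idx + 1] if idx + 1 < len(order) else None
        out[key] = (rec["last_seen"], next_point)
    return out


if __name__ == "__main__":
    flows = analyse_captures(SAMPLE_CAPTURES, CAPTURE_ORDER, PROXY_IP, PROXY_PORT)
    for key, (last, nxt) in stalled_flows(flows, CAPTURE_ORDER).items():
        print(f"{key[0]}:{key[1]} -> proxy: no SYN-ACK; last seen at {last}, absent at {nxt}")
```

In a VSX environment the three inputs would be the text output of separate tcpdump sessions run in each VS context; the point of keying flows on the client side is that the NAT-ed source and port are what stay constant across the virtual switch and the far-side VS, so a flow that is present at one point and absent at the next localises the drop to that hop.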