CheckMates forum, Quantum / Threat Prevention
Multiple IP connection to local server
We need to find a solution that allows multiple IPs to communicate with one of our internal servers.
In other words, is it possible to mask randomly changing public IPs (e.g. Hyperforce IPs) behind a single domain that communicates with internal servers?
Is a reverse proxy a good solution?
Does the call from the external site need to come from a single domain that I can filter, or can I work with Check Point to create a single domain that will be called from the external site?
Use Access Policy and NAT rules to allow/modify the traffic so it can be consumed internally.
A public IP specific to that server might be necessary, depending on your configuration.
The problem is that the calls come from different AWS IPs that change randomly. As you can see in the image attached, I receive different requests from different AWS IPs and the flow works properly. My need is to avoid all these requests and collect everything in the same domain. Can this be done by Check Point or by the service on AWS?
Is the stuff in AWS in your control or not?
Unfortunately not, and this is the real problem. The great difficulty lies in making the third-party technicians understand the need to receive a call from one domain and not from several random IPs. Could you confirm that I can do almost nothing on the Check Point side?
Keep in mind that none of the AWS IP addresses will have a "domain" associated with them, at least not one that uniquely identifies the application in question.
If you had access to the AWS Data Centers and could connect the CloudGuard Controller, you could actually create objects based on objects in AWS and create rules that your on-premise gateways would enforce.
If the incoming connectivity is to a static IP on the firewall, can't you just SRC NAT it and then create an internal DNS entry to point it back to the NAT address on the firewall?
This is the kind of situation where an LB like an F5 or a Citrix is ideal.
If you need the traffic to hit the firewall from a single IP you'll need to condense it before it arrives.
You'll need to deploy an LB in Azure etc. and point the AWS resources to it.
It will use SNAT to forward the traffic to the firewall behind its external address.
As before, a DNS entry can be attached.
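As an added illustration (not part of any post in this thread, and not Check Point code) of what the NAT rule in the earlier reply and the SNAT load balancer in the reply above achieve: a small Python forwarder accepts connections from arbitrary client addresses and re-originates each one toward the internal server from one fixed source IP, while the internal server is modelled as accepting only that IP, which is the firewall rule. The echo "server", the request strings and the addresses are constructed for the demonstration; it assumes a second loopback address 127.0.0.2 is usable (it is on Linux, where all of 127/8 is on lo) and falls back to 127.0.0.1 where it is not. The caveat the design carries is visible in the code: once the rule admits the proxy's address, the firewall trusts whatever the proxy forwards, so the proxy itself must still restrict who may reach it (for example to the prefixes AWS publishes in ip-ranges.json, or to clients presenting a valid TLS client certificate), because a source IP is an addressing detail, not an authenticator.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))                # port 0: the OS picks a free port
    s.listen(16)
    return s


def pick_snat_ip():
    """Prefer a second loopback address so the SNAT is visible (assumption: Linux
    routes all of 127/8 to lo); fall back to 127.0.0.1 where only that exists."""
    for ip in ("127.0.0.2", "127.0.0.1"):
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
                probe.bind((ip, 0))
            return ip
        except OSError:
            continue


class InternalServer:
    """Internal server plus its firewall rule: sources in allowed_sources are
    echoed back, anything else is closed at once; every source seen is recorded."""

    def __init__(self, allowed_sources):
        self.allowed_sources = set(allowed_sources)
        self.seen = []                       # (source_ip, accepted) per connection
        self._sock = _listener()
        self.addr = self._sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, peer = self._sock.accept()
            accepted = peer[0] in self.allowed_sources
            self.seen.append((peer[0], accepted))
            if accepted:
                threading.Thread(target=self._echo, args=(conn,), daemon=True).start()
            else:
                conn.close()                 # policy drop

    @staticmethod
    def _echo(conn):
        with conn:
            _pump(conn, conn)                # echo until the client half-closes


class SnatForwarder:
    """Accepts from any client address and re-originates each connection to the
    backend from ONE fixed source IP, as an LB / reverse proxy doing SNAT does."""

    def __init__(self, backend_addr, snat_ip):
        self.backend_addr, self.snat_ip = backend_addr, snat_ip
        self._sock = _listener()
        self.addr = self._sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            client, _ = self._sock.accept()
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        with client, upstream:
            upstream.bind((self.snat_ip, 0))  # the SNAT: fixed source IP, any port
            upstream.connect(self.backend_addr)
            back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
            back.start()
            _pump(client, upstream)
            back.join()


def send_and_receive(addr, payload):
    """One request/response on a fresh connection; b'' means no service was given
    (closed or reset before any reply, i.e. dropped by the policy)."""
    try:
        with socket.create_connection(addr, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while data := c.recv(4096):
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return b""


def demo(n_clients=3):
    snat_ip = pick_snat_ip()
    server = InternalServer(allowed_sources={snat_ip})   # the firewall rule
    proxy = SnatForwarder(server.addr, snat_ip)
    # Constructed traffic: n "random" clients through the proxy, then one that
    # bypasses it and therefore arrives from 127.0.0.1 instead of the SNAT address.
    replies = [send_and_receive(proxy.addr, f"req-{i}".encode()) for i in range(n_clients)]
    direct = send_and_receive(server.addr, b"bypass")
    return {"snat_ip": snat_ip, "replies": replies, "direct_reply": direct,
            "seen": list(server.seen)}
```

Running `demo()` shows the backend recording every proxied connection from the single SNAT address, while the client that bypasses the proxy is closed without a reply wherever 127.0.0.2 is available (on a host with only 127.0.0.1, the bypass is indistinguishable from the proxy and is served, which is exactly why the proxy, not the address, has to carry the real access control).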
Thanks a lot @StackCap43382
Do you think this NAT+DNS solution could prevent AWS public IP changes from blocking the flow to the internal server?
FLOW:
(Source) Random public IP AWS -> Destination (public IP CP)
