abihsot__
Advisor

CloudGuard Network FW - egress NAT


Hello,

Before I reach out to TAC for an official answer, maybe someone already knows the answer.

Is this supported: CloudGuard Network Firewall used via Gateway Load Balancer in a Transit GW setup?

 

Two-arm mode: As shown in figure 5b below, the firewall is deployed in two-arm mode and performs both inspection as well as NAT. Some AWS partners provide firewall with NAT functionality. GWLB integrates seamlessly in such deployment mode. You don’t need to do any additional configuration changes in the GWLB. However, the firewall networking differs – one network interface is on the private subnet and the other is on public subnet. This mode requires software support from the firewall partner. Some of the GWLB partners (Palo Alto Networks, Valtix) support this feature, however consult with an AWS partner of your choice before using this mode.

 

source:

https://aws.amazon.com/blogs/networking-and-content-delivery/best-practices-for-deploying-gateway-lo...

Accepted solution: Roman_Kats's reply below.

Vladimir
Champion

I did not have a chance to try this myself (use of public IPs on firewall interfaces in AWS), but it should work just fine, as this is basic functionality of Check Point gateways.

Last time I was working with CloudGuard in AWS, I was using NAT between private and public segments, but I had to associate an AWS public EIP to the external interface, so there was one more NAT step being performed by the AWS Internet Gateway.

Nir_Shamir
Employee

Hi,

From what I know this should work, although the GWLB in TGW template we usually use has NAT Gateways for outbound NAT to deal with all the routing.

abihsot__
Advisor

Yes, I know, the template deploys AWS NAT Gateways automatically; however, I was thinking, if I already have Check Point gateways, why not use them to NAT outgoing traffic? This might be interesting to try. Thank you for the replies!

Roman_Kats
Employee

Hi @abihsot__
Unfortunately NAT is not supported on Check Point Gateways behind Gateway Load Balancer.
You have to use a NAT Gateway.

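Since the answer above rules out NAT on the gateway behind the GWLB, the practical consequence is that egress from the inspection VPC has to be chained through the AWS NAT Gateway and the route tables have to reflect that. The script below is an added example written for this thread; it is not code from the thread, from Check Point, or from the CloudGuard GWLB/TGW template. It assumes the usual one-arm layout (TGW attachment subnet -> GWLB endpoint -> NAT Gateway subnet -> Internet Gateway, with spoke-bound return routes in the opposite direction) and checks a set of route tables for that chain. The route entries follow the field names of `aws ec2 describe-route-tables`, but every ID, CIDR and subnet role name is constructed.

```python
"""Route-table sanity check for a centralized GWLB + Transit Gateway egress design.

Added example, not code from the CheckMates thread or from Check Point's
templates. It assumes the one-arm layout in which the firewall behind the
Gateway Load Balancer does no NAT, so outbound traffic must chain through
three subnet roles of the inspection VPC:

    TGW attachment subnet  -> GWLB endpoint     (vpce-...)
    GWLB endpoint subnet   -> NAT Gateway       (nat-...)
    NAT Gateway subnet     -> Internet Gateway  (igw-...)

and spoke-bound return traffic must be steered back through the GWLB endpoint
and then the Transit Gateway. All IDs and CIDRs below are constructed.
"""
import copy
from typing import Dict, List, Optional

Route = Dict[str, str]

INSPECTION_VPC_CIDR = "10.0.0.0/16"           # constructed
SPOKE_CIDRS = ["10.1.0.0/16", "10.2.0.0/16"]  # constructed spoke VPC ranges

GWLBE = "vpce-0123456789abcdef0"  # constructed GWLB endpoint ID
NATGW = "nat-0123456789abcdef0"   # constructed NAT Gateway ID
IGW = "igw-0123456789abcdef0"     # constructed Internet Gateway ID
TGW = "tgw-0123456789abcdef0"     # constructed Transit Gateway ID

# One route table per subnet role, as a correctly built inspection VPC has them.
ROUTE_TABLES: Dict[str, List[Route]] = {
    "tgw": [
        {"DestinationCidrBlock": INSPECTION_VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": GWLBE},
    ],
    "gwlbe": [
        {"DestinationCidrBlock": INSPECTION_VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NATGW},
        {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": TGW},
        {"DestinationCidrBlock": "10.2.0.0/16", "TransitGatewayId": TGW},
    ],
    "natgw": [
        {"DestinationCidrBlock": INSPECTION_VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcEndpointId": GWLBE},
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcEndpointId": GWLBE},
    ],
}

# Keys under which describe-route-tables reports a route's target.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcEndpointId", "TransitGatewayId")


def route_target(routes: List[Route], cidr: str) -> Optional[str]:
    """Return the target ID of the route for an exact destination CIDR, or None."""
    for route in routes:
        if route.get("DestinationCidrBlock") == cidr:
            for key in TARGET_KEYS:
                if key in route:
                    return route[key]
    return None


def expect(routes: List[Route], cidr: str, prefix: str, subnet: str,
           findings: List[str]) -> None:
    """Record a finding unless the route for `cidr` points at a `prefix` target."""
    target = route_target(routes, cidr) or "<missing>"
    if not target.startswith(prefix):
        findings.append(f"{subnet} subnet: {cidr} -> {target}, expected {prefix}...")


def check_egress_chain(tables: Dict[str, List[Route]], spokes: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the chain is consistent."""
    findings: List[str] = []
    # Forward path: spoke -> TGW -> GWLBe -> (firewall) -> NAT GW -> IGW.
    expect(tables["tgw"], "0.0.0.0/0", "vpce-", "tgw", findings)
    expect(tables["gwlbe"], "0.0.0.0/0", "nat-", "gwlbe", findings)
    expect(tables["natgw"], "0.0.0.0/0", "igw-", "natgw", findings)
    # Return path: the NAT GW subnet must hand spoke traffic back to the GWLBe
    # (so replies are inspected), and the GWLBe subnet must hand it to the TGW.
    for cidr in spokes:
        expect(tables["natgw"], cidr, "vpce-", "natgw", findings)
        expect(tables["gwlbe"], cidr, "tgw-", "gwlbe", findings)
    return findings


def igw_bypass_variant(tables: Dict[str, List[Route]]) -> Dict[str, List[Route]]:
    """Constructed misconfiguration: GWLBe subnet default route straight to the IGW.

    Traffic leaving the GWLB endpoint still carries the spoke's private source
    address (the gateway behind the GWLB does not NAT), so the IGW has no public
    address to translate it to; the NAT Gateway hop cannot be skipped.
    """
    broken = copy.deepcopy(tables)
    broken["gwlbe"][1] = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW}
    return broken


if __name__ == "__main__":
    for name, tables in (("nat-gateway design", ROUTE_TABLES),
                         ("igw-bypass variant", igw_bypass_variant(ROUTE_TABLES))):
        problems = check_egress_chain(tables, SPOKE_CIDRS)
        print(f"{name}: {'OK' if not problems else problems}")
```

To run it against a real account, replace the constructed `ROUTE_TABLES` with the `Routes` lists returned by `aws ec2 describe-route-tables` for the three subnet roles; the checks themselves do not change. A two-arm design, where the firewall itself does the NAT and its public interface subnet routes to the IGW, is a different chain and is exactly what the accepted answer says is not available behind the GWLB.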
abihsot__
Advisor

Thank you for confirmation. Any idea if this limitation could be changed in the future?
