Blason_R
Advisor

How do I NAT multiple hosts on port 443 or 80 behind a CloudGuard Azure firewall?

Hi Team,


As a standard practice I am deploying a vSEC firewall in Azure with 1 VNet and 4 subnets:

10.1.1.0/24 Frontend

10.1.2.0/24 backend

10.1.3.0/24 Web Servers

What I understood from the documents is:

I need to put a route for 10.1.3.0 on the firewall and define a UDR in the Azure portal for outbound traffic. Now, since I have around 4 web servers in the 10.1.3.x network, I guess we are NATing all those servers behind the 10.1.1.x subnet or behind the firewall IP address.

In this case my original destination would be 10.1.1.10 [firewall external IP] and the translated (xlate) destination IP would be 10.1.3.10 [web server].

For the next server, can I then use 10.1.1.20:443 [virtual IP from pool] and NAT it to 10.1.3.20:443 by adding proxy ARP for 10.1.1.20 on the firewall?

5 Replies
Nir_Shamir
Employee

Hi,

Look at the Cluster HA for Azure admin guide:

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_...

From step 6.

You need to use the external LB to publish applications / web sites.

It involves some NAT rules and also allows you to have multiple public IP addresses, which can be used per application.

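The question's scheme (one frontend IP and port per published server, with proxy ARP for every virtual IP other than the firewall's own) and the reply's point that the external LB gives you a distinct public IP per application both come down to the same constraint: a static destination NAT is keyed on the (frontend IP, port) pair, so two backends cannot share 10.1.1.10:443. The following is an added example, not Check Point or CloudGuard code and not from either poster; it models that constraint with the addresses from the question, adds a connection table so replies are reverse-translated, and shows the two ways to publish a second server on 443 (a second frontend IP, or a different frontend port). The `Endpoint`/`DnatTable` names and the client address 203.0.113.5 are assumptions for illustration.

```python
"""Toy static destination-NAT table for publishing several web servers on the
same port behind a firewall's external (frontend) subnet.

Added example: the firewall behaviour is modelled here, it is not the real
CloudGuard NAT engine. Addresses are the ones from the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


class DnatTable:
    def __init__(self, frontend_subnet: str, firewall_ip: str) -> None:
        self.frontend_subnet = ipaddress.ip_network(frontend_subnet)
        self.firewall_ip = firewall_ip
        # static NAT rules: original destination -> translated destination
        self.rules: Dict[Endpoint, Endpoint] = {}
        # frontend IPs the firewall must answer ARP for (its own IP excluded)
        self.proxy_arp: Set[str] = set()
        # connection table: (client, backend) -> frontend the client spoke to
        self.conntrack: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}

    def add_rule(self, frontend: Endpoint, backend: Endpoint) -> None:
        # The frontend IP must live on the external subnet, otherwise the
        # packet never reaches the firewall's interface in the first place.
        if ipaddress.ip_address(frontend.ip) not in self.frontend_subnet:
            raise ValueError(
                f"{frontend.ip} is not in {self.frontend_subnet}; "
                "the firewall cannot proxy-ARP for it")
        # One (frontend IP, port) pair can only be translated to one backend.
        if frontend in self.rules:
            raise ValueError(
                f"{frontend} already publishes {self.rules[frontend]}; "
                "use another frontend IP or another frontend port")
        self.rules[frontend] = backend
        if frontend.ip != self.firewall_ip:
            self.proxy_arp.add(frontend.ip)

    def inbound(self, client: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a client packet's destination. None = no rule, drop."""
        backend = self.rules.get(dst)
        if backend is None:
            return None
        self.conntrack[(client, backend)] = dst
        return backend

    def outbound(self, backend: Endpoint, client: Endpoint) -> Optional[Endpoint]:
        """Reverse-translate a reply's source so the client sees the frontend."""
        return self.conntrack.get((client, backend))


def build_table() -> DnatTable:
    """Publish three servers on port 443 behind the 10.1.1.0/24 frontend."""
    t = DnatTable("10.1.1.0/24", firewall_ip="10.1.1.10")
    t.add_rule(Endpoint("10.1.1.10", 443), Endpoint("10.1.3.10", 443))
    # second server on 443: distinct frontend IP, needs proxy ARP
    t.add_rule(Endpoint("10.1.1.20", 443), Endpoint("10.1.3.20", 443))
    # third server on 443: same frontend IP, distinct frontend port
    t.add_rule(Endpoint("10.1.1.10", 8443), Endpoint("10.1.3.30", 443))
    return t


def conflicting_rule(t: DnatTable) -> str:
    """Try to reuse 10.1.1.10:443 for a fourth server; return the error text."""
    try:
        t.add_rule(Endpoint("10.1.1.10", 443), Endpoint("10.1.3.40", 443))
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    table = build_table()
    client = Endpoint("203.0.113.5", 51000)  # constructed client address
    backend = table.inbound(client, Endpoint("10.1.1.20", 443))
    print("client -> 10.1.1.20:443 translated to", backend)
    print("reply source restored to", table.outbound(backend, client))
    print("proxy ARP needed for", sorted(table.proxy_arp))
    print("conflict:", conflicting_rule(table))
```

The conflict branch is the answer to "can I NAT the next server on 443 too": only if it gets its own frontend address (the pool VIP with proxy ARP in the question, or a per-application public IP on the external LB in the reply) or its own frontend port.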
348282net
Explorer

Nir,

Related to this question: the Frontend-LB and its public IP, if we are not doing any publishing, is there any reason they cannot be deleted? From studying the HA guides and SKs, their only purpose is inbound publishing?

Thanks.

Nir_Shamir
Employee

Hi,

If you are not publishing any applications or using the Frontend-LB, then you can remove it.

Blason_R
Advisor

Hi Nir,

The customer has an external WAF which is pointed to the CNAME or IP address of the servers. I am a little confused how the CG cluster would fit here for inbound filtering of those servers, in case inbound traffic is routed through the CG Azure cluster?

Nir_Shamir
Employee

You can put the Application Gateway / WAF in front of the cluster instead of the Frontend LB.

I did it one time, and the Application Gateway monitored the servers through the cluster.

I don't really like this design, because the WAF does all the work with HTTP/S traffic and we only see HTTP/S traffic coming from it, after it has already been scanned by the WAF, so we are only doing access control.
