Do you need to add the external IP of the cluster to the LoadBalancerFrontend IP configuration?
We're setting up CloudGuard IaaS High Availability in Azure (R80.30).
I can access the two firewall members when using their respective external IPs, but connectivity using the cluster-vip external IP doesn't seem to work. Trying to establish a VPN tunnel or just pinging doesn't work. I'm not seeing anything on the active firewall with fw monitor.
Do you need to add the cluster-vip external IP to the LoadBalancerFrontend IP configuration?
This is the NSG attached to the frontend subnet:
Name                   Port  Protocol  Source             Destination     Action
AllowAllInbound        Any   Any       Any                Any             Allow
AllowVnetInbound       Any   Any       VirtualNetwork     VirtualNetwork  Allow
AllowAzureLBInbound    Any   Any       AzureLoadBalancer  Any             Allow
DenyAllInbound         Any   Any       Any                Any             Deny
AllowVnetOutbound      Any   Any       VirtualNetwork     VirtualNetwork  Allow
AllowInternetOutbound  Any   Any       Any                Internet        Allow
DenyAllOutbound        Any   Any       Any                Any             Deny
To your specific question: no, you don't need it. The VIP for VPN purposes on the CG IaaS HA template is a "floating IP" attached as a secondary IP to the NIC of the active member; this job is done by a service principal deployed by the template if selected (this is the default). See the attached image.
If you selected "NO", that can also cause this IP not to be moved to the active member.
So, the IP for the cluster was assigned, but to the standby member. We've been able to fix that with https://community.checkpoint.com/t5/CloudGuard-IaaS/Vsec-Cluster-in-Azure-anyone-know-how-to/m-p/796...
So now we can ping the VIP and see it's being directed to the proper active member. We still can't establish a VPN tunnel, but that might need another post...
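The answer above describes the mechanism (the cluster VIP is a public IP on a secondary IP configuration of the active member's NIC, moved by the template's service principal) and the follow-up shows the failure mode (the VIP ended up on the standby member). The script below is an added example, not code from the thread, from Check Point or from the CloudGuard template: it takes the JSON that `az network nic show -o json` prints for each member's frontend NIC, reports which member currently holds the VIP, and flags the case where that is not the member the cluster itself reports as active (on the gateway, `cphaprob state`). The JSON field layout it reads (`ipConfigurations[].publicIPAddress.id`, `.primary`) is an assumption about the CLI output, the sample documents and resource names are constructed, and `move_vip` only models the end state of a failover in memory; the real reassociation is an Azure API update done by the service principal.

```python
"""Check which CloudGuard HA member NIC currently holds the cluster VIP.

Added example. Assumes the layout described in the thread: the VIP is an
Azure public IP attached to a *secondary* ipconfig on the active member's
NIC. Field names below mirror `az network nic show -o json` as far as the
author remembers them; verify against your own CLI output first.
"""
import copy
import json
from typing import Any, Dict, List, Optional, Tuple

Nic = Dict[str, Any]

# Constructed sample, not captured from a real subscription; names and the
# subscription id are made up. It reproduces the original poster's situation:
# member1 is the active cluster member, but the VIP sits on member2's NIC.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cp-ha-rg"
_PIP = _SUB + "/providers/Microsoft.Network/publicIPAddresses/"
VIP_PIP_ID = _PIP + "cluster-vip-pip"

SAMPLE_NICS_JSON = json.dumps([
    {"name": "cp-member1-eth0",
     "ipConfigurations": [
         {"name": "ipconfig1", "primary": True, "privateIPAddress": "10.0.1.4",
          "publicIPAddress": {"id": _PIP + "cp-member1-pip"}}]},
    {"name": "cp-member2-eth0",
     "ipConfigurations": [
         {"name": "ipconfig1", "primary": True, "privateIPAddress": "10.0.1.5",
          "publicIPAddress": {"id": _PIP + "cp-member2-pip"}},
         # The floating VIP: a secondary ipconfig carrying the cluster public IP.
         {"name": "cluster-vip", "primary": False, "privateIPAddress": "10.0.1.6",
          "publicIPAddress": {"id": VIP_PIP_ID}}]},
])


def parse_nics(az_output: str) -> List[Nic]:
    """Accept the JSON of one `az network nic show` or a list of them."""
    data = json.loads(az_output)
    return data if isinstance(data, list) else [data]


def find_vip_holders(nics: List[Nic], vip_pip_id: str) -> List[Tuple[str, str, bool]]:
    """Every (nic name, ipconfig name, is_primary) whose public IP is the VIP.
    Resource ids are compared case-insensitively, as Azure itself does."""
    holders = []
    for nic in nics:
        for cfg in nic.get("ipConfigurations", []):
            pip_id = (cfg.get("publicIPAddress") or {}).get("id", "")
            if pip_id.lower() == vip_pip_id.lower():
                holders.append((nic["name"], cfg["name"], bool(cfg.get("primary"))))
    return holders


def check_vip_placement(nics: List[Nic], vip_pip_id: str, active_nic: str) -> Dict[str, Optional[str]]:
    """Compare where Azure has the VIP with the member the cluster reports active."""
    holders = find_vip_holders(nics, vip_pip_id)
    if not holders:
        return {"status": "missing", "holder": None,
                "detail": "VIP public IP is not attached to any member NIC"}
    if len(holders) > 1:
        return {"status": "ambiguous", "holder": ",".join(h[0] for h in holders),
                "detail": "VIP referenced by more than one ipconfig"}
    nic, cfg, primary = holders[0]
    if primary:
        return {"status": "on_primary_ipconfig", "holder": nic,
                "detail": f"VIP is on {nic}/{cfg}, the member's own primary ipconfig, "
                          "not a secondary floating one"}
    if nic != active_nic:
        return {"status": "on_standby", "holder": nic,
                "detail": f"VIP is on {nic} but the active member's NIC is {active_nic}; "
                          "the failover move did not happen (check the service principal)"}
    return {"status": "ok", "holder": nic, "detail": f"VIP is on the active member ({nic}/{cfg})"}


def move_vip(nics: List[Nic], vip_pip_id: str, to_nic: str, cfg_name: str = "cluster-vip") -> List[Nic]:
    """Model the end state of a failover: the VIP's secondary ipconfig leaves its
    current NIC and reappears on `to_nic`. In-memory only; the real move is an
    Azure API update performed by the template's service principal."""
    result = copy.deepcopy(nics)
    moved: Optional[Dict[str, Any]] = None
    for nic in result:
        keep = []
        for cfg in nic["ipConfigurations"]:
            if (cfg.get("publicIPAddress") or {}).get("id", "").lower() == vip_pip_id.lower():
                if cfg.get("primary"):
                    raise ValueError("VIP is on a primary ipconfig; refusing to strip a member's own IP")
                moved = cfg
            else:
                keep.append(cfg)
        nic["ipConfigurations"] = keep
    if moved is None:
        raise ValueError("VIP public IP not found on any NIC")
    target = next(n for n in result if n["name"] == to_nic)
    moved.update({"name": cfg_name, "primary": False})
    target["ipConfigurations"].append(moved)
    return result


if __name__ == "__main__":
    nics = parse_nics(SAMPLE_NICS_JSON)
    print(check_vip_placement(nics, VIP_PIP_ID, "cp-member1-eth0"))
    fixed = move_vip(nics, VIP_PIP_ID, "cp-member1-eth0")
    print(check_vip_placement(fixed, VIP_PIP_ID, "cp-member1-eth0"))
```

Feed it the real output of `az network nic show` for both members' frontend NICs and the name of the NIC belonging to the member `cphaprob state` shows as active; an `on_standby` result is exactly the condition the follow-up post describes, and is where to start before looking at VPN settings. The NSG posted above already admits everything inbound, so it is not what blocks the VIP in that scenario.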