reloadin5
Explorer

use CIDR in firewall rules from Cloud datacenter objects

Hey everyone,


I have configured a datacenter object for Azure (R81.10 HF66 on MDS  + GWs).


The datacenter object is retrieving the subscription correctly.


Looking at "Network by Subscriptions, Virtual Networks, subnets", the CIDR for each network is shown in the "Note" field.

However, it seems that when one of these objects is used in a rule, only the discovered IPs (the "IP" field) are actually used to populate the firewall rule. This is a problem because the discovery finds VMs but not other types of objects (e.g. private endpoints).


Is it possible to use these objects as plain subnets and not as a list of discovered IPs?


Thanks

3 Replies
Chris_Atkinson
Employee

Note: Private Endpoint support for Azure was added in R81.20.

https://sc1.checkpoint.com/documents/r81.20/webadminguides/en/cp_r81.20_cloudguard_controller_adming...


CCSM R77/R80/ELITE
reloadin5
Explorer

Hi Chris,

Thanks for your reply.


Reading here, it looks like this should work on R81.10 HF66 (Azure R81.10 – minimum requirements: Jumbo Hotfix Take 14).

I have added "azure.enableAsgAndPep=true" to $MDSDIR/conf/vsec.conf (both in mdsenv global and in the domain that is running CME) as described here.

I restarted both vsec and cme; however, we still do not see the private endpoint object types.


Do you have any advice on how to debug this (to check if this is a permissions issue, maybe)?


And other than including private endpoints in the discovery, is there any way to just get the CIDR and use it in the firewall rule?


Thanks

Chris_Atkinson
Employee

If it's not working as expected please take it to TAC for investigation.

If you need the CIDR, manual objects can be created as a workaround.

My assumption is that we don't interpret things this way for security reasons, so that things aren't blindly allowed unexpectedly, but I could be mistaken. Having the choice of a different behaviour is likely an RFE to be discussed with your local SE.

CCSM R77/R80/ELITE
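The workaround above, manual network objects for the Azure subnets, is easy to automate but also easy to get wrong in exactly the way the reply warns about: a whole-VNet or default-route prefix pasted into a rule allows far more than the private endpoint you wanted. The script below is an added example written for this thread; it is not code from the original post or from Check Point. It takes the subnet listing Azure returns (the `addressPrefix` field as in `az network vnet subnet list -o json`; the sample entries are constructed), validates each CIDR with `ipaddress` (rejecting prefixes with host bits set), enforces a hypothetical local limit `MIN_PREFIX_LEN` on how broad an object may be, and renders each accepted subnet as an `mgmt_cli add network` command using the Management API's `subnet4`/`mask-length4` (or `subnet6`/`mask-length6`) parameters. The object naming scheme, the `azure-manual-cidr` tag and the prefix limit are assumptions for the example.

```python
"""Turn Azure subnet CIDRs into Check Point Management API add-network
commands, refusing prefixes that are malformed or too broad.

Added example for the thread above; not Check Point's or the poster's code.
"""
import ipaddress
import shlex

# Constructed sample input: the subset of fields from
# `az network vnet subnet list ... -o json` that this example uses.
# Names and addresses are made up.
AZURE_SUBNETS = [
    {"name": "snet-app", "addressPrefix": "10.10.1.0/24"},
    {"name": "snet-pep", "addressPrefix": "10.10.2.0/27"},
    {"name": "snet-wide", "addressPrefix": "10.0.0.0/8"},     # too broad
    {"name": "snet-bad", "addressPrefix": "10.10.3.5/24"},    # host bits set
]

# Hypothetical local policy (an assumption, not a Check Point setting):
# never create an object broader than /16 (IPv4) or /48 (IPv6) from cloud
# data, so a VNet-sized or default-route prefix cannot land in a rule
# "blindly", which is the concern raised in the reply.
MIN_PREFIX_LEN = {4: 16, 6: 48}


def subnet_to_network_object(azure_subnet, vnet_name):
    """Return an add-network payload (dict) for one Azure subnet.

    Raises ValueError when the prefix is not a valid network (host bits
    set) or is broader than MIN_PREFIX_LEN allows.
    """
    prefix = azure_subnet["addressPrefix"]
    # strict=True rejects e.g. "10.10.3.5/24": a prefix with host bits set
    # is a typo or a copy/paste error, not a subnet.
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        raise ValueError(f"{azure_subnet['name']}: {exc}") from None
    if net.prefixlen < MIN_PREFIX_LEN[net.version]:
        raise ValueError(
            f"{azure_subnet['name']}: /{net.prefixlen} is broader than the "
            f"/{MIN_PREFIX_LEN[net.version]} policy limit")
    # Assumed naming scheme: traceable back to VNet, subnet and CIDR, and
    # free of characters that would need quoting in a rule base.
    name = (f"az_{vnet_name}_{azure_subnet['name']}_"
            f"{net.network_address}_{net.prefixlen}").replace(":", "-")
    payload = {
        "name": name,
        "comments": f"Azure {vnet_name}/{azure_subnet['name']} {prefix}, "
                    "manual CIDR object",
        "tags": ["azure-manual-cidr"],   # assumed tag, for later cleanup
    }
    if net.version == 4:
        payload["subnet4"] = str(net.network_address)
        payload["mask-length4"] = net.prefixlen
    else:
        payload["subnet6"] = str(net.network_address)
        payload["mask-length6"] = net.prefixlen
    return payload


def build_add_network_payloads(azure_subnets, vnet_name):
    """Split a subnet listing into (payloads to create, rejected entries)."""
    payloads, rejected = [], []
    for sub in azure_subnets:
        try:
            payloads.append(subnet_to_network_object(sub, vnet_name))
        except ValueError as exc:
            rejected.append({"name": sub["name"], "reason": str(exc)})
    return payloads, rejected


def to_mgmt_cli(payload):
    """Render one payload as a `mgmt_cli add network ...` command line.

    List-valued parameters use the mgmt_cli convention `tags.1 x tags.2 y`.
    """
    parts = ["mgmt_cli", "add", "network"]
    for key, value in payload.items():
        if isinstance(value, list):
            for i, item in enumerate(value, start=1):
                parts += [f"{key}.{i}", str(item)]
        else:
            parts += [key, str(value)]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    ok, bad = build_add_network_payloads(AZURE_SUBNETS, "vnet-prod")
    for p in ok:
        print(to_mgmt_cli(p))
    for r in bad:
        print("SKIPPED", r["name"], "-", r["reason"])
```

Run the printed commands after `mgmt_cli login` (add `-s id.txt` and finish with `mgmt_cli publish`), and keep the objects as narrow as the private endpoint's own subnet; once R81.20's private endpoint discovery is in place, the tag makes the interim objects easy to find and retire.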
