Our topology is as follows:

10.3.3.4/27 - BackEnd Subnet
|
Azure Firewall (R80.10)
|
10.2.2.4/27 - FrontEnd Subnet
|
Azure Check Point Cluster Public IP
|
( Internet )
|
1.2.3.4/29
|
On-Prem Check Point 5400 Series Appliance Cluster (R80.10)
|
10.1.1.1/24
|
10.1.1.5/24 (1.2.3.5/29 NAT IP)
SmartCenter/Security Management Server (R80.30)
As you can see, our SMS is NATed behind our 5400 series appliances, which it also manages. The management object has the private 10.1.1.5/24 defined as the IP in the General Properties tab, and the public 1.2.3.5/29 is defined in the NAT tab, with the NAT method set to Static, "Install on" set to the 5400 series gateway, and "Apply for Security Gateway control connections" ticked.
This works for all of our other physical appliances - logging and CRL checking are all fine. However, it does not work for the Azure gateways, which persistently try to reach the SMS on the private IP, which doesn't work.
Things we've tried:
1. Editing the masters file, replacing the SMS name with the public IP of the management, then locking the file against changes using the chattr command. We've had limited success with this: if we make the change and restart the FWD service it will start working, but if we push policy again it will go back to using the private IP. I'm looking for something more permanent.
2. Creating a dummy object with the IP 1.2.3.5, ticking the Logging & Status blade, then selecting this object as the log server for the Azure gateways. The Azure gateways pick up the change, but they still persist in sending logs to the private IP.
3. Adding a NAT rule at the top of the NAT policy for anything from src 10.2.2.4/27 (FrontEnd Subnet) to dst 10.1.1.5 (private SMS), translating the destination to 1.2.3.5 (public SMS). No luck here either.
I originally thought it was because we were using an older R80.10 template, but I've deployed a new R80.20 cluster in Azure and updated it to the latest Jumbo Hotfix, and we still get the same issue.
Running out of ideas now, any help/suggestions would be appreciated 🙂