Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
cccode
Explorer

Connecting and Azure Gateway

So here is a question I hope someone can shed some light on.  We have a client who refuses to install any policies on their old server (v77.30).  They have alot of old gateways managed by the server (branches, satellites) and are moving their datacenter to Azure.  We deployed the Checkpoint (88.30) appliance in Azure as per the Azure Architecture and it works fine at protecting the resources in Azure.  Now the problem.  The client wants all on-prem traffic to pass through the Checkpoint in Azure.  Understand I am not allowed to touch their old server or install policies.  So joining these gateways is absolutely out of the question even from a shared secret perspective because that involves touching the old server.  Currently there is a VPN gateway in azure in the virtual network where all the servers sit connected to their MPLS network.  It works fine but of course it bypasses the checkpoint virtual network that is setup based on Azure architecture (Check Point Reference Architecture for Azure)  So any traffic from the on-prem goes directly to the Azure resources and bypasses the firewall.  So, to alleviate that I moved the VPN gateway in Azure to the Checkpoint network.  Then starts all chaos.  The traffic begins to pass through the Azure Checkpoint and has massive Accepts BUT they all stop with

"Connection terminated before detection"

And I get icmp echo replies with "connection does not match a previous connection" and the echo reply is dropped.  I spent hours re-configuring the route tables in Azure and it doesn't resolve the issue.  ("Connection terminated before detection" in log reason for Unified Rulebase (checkpoint.com) 

So given the client will not allow the old server to be touched, is there any possible solution to getting these firewalls to actually work together and pass traffic.  The VPN clients also won't route traffic between the Azure environment and the on-prem when connected via VPN.  If I remote into an Azure VM I can get anywhere in the network (on-prem, satellites, Branches).  Anyway, I have alot more detail but just wondering if anyone has run into this issue.

0 Kudos
1 Reply
PhoneBoy
Admin
Admin

Sounds like you've got some asymmetric routing going on there.
The fact you can't touch the existing R77.30 gateway--an End of Support version, FYI--makes this entire exercise...problematic.

0 Kudos