cdav
Contributor

Policy not matching AWS Data Center Objects

Hi CheckMates,

I am experiencing an issue where one set of gateways is not matching access rules where AWS DataCenter objects are used but another set of gateways with a separate policy are matching traffic and permitting against AWS DataCenter objects.

I have an AWS deployment where a Cross AZ Cluster, Auto Scaled Gateways and EC2 Manager all reside in separate VPCs and are peered via transit gateway. Identity Awareness is configured as per the admin guide, yet only one set of gateways (autoscaled) is matching traffic for the objects. The clustered gateways fail to permit traffic where AWS DC objects are used; if I replace the AWS object with a standard address object the traffic is permitted.

Can anyone advise on how I can troubleshoot/debug this?


Accepted Solutions
Nir_Shamir
Employee

Yes, check:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CloudGuard_Controller_AdminG...

# In version R81.20 with Jumbo HFA Take 26 and higher:
# Send Data Center updates from the CloudGuard Controller to the main IP address of Active member
# on the Management Plane instead of the cluster VIP address on the Data Plane
updateClusterMemberAndNotVip=true

I think this can help you here.

Gil_Sudai
Employee

Look in $FWDIR/log/cloud_proxy.elg on the mgmt server - do you see updates being sent to the cluster gw?

cdav
Contributor

Hi @Gil_Sudai

Yes, I can see that it is failing to send the updates to the cluster's EIP. Is it possible for these updates to go to the private addresses of the Cross AZ cluster and not the EIP? I do not wish for the communication between manager and gateways to go via the internet.


Thanks

Chris

Nir_Shamir
Employee

What IP address is configured on the Cluster object? Is it the Cluster EIP?

Updates are sent to the GW/Cluster object IP address.

You can change it; check sk60701.

cdav
Contributor

Yes, the IP in the cluster object is the public EIP. Am I able to change it in the database for one or both of the cross-AZ gateways? I would like this communication to happen privately, not via the public internet.

Gil_Sudai
Employee

Which version is your mgmt server?

If R81.20, look for PRJ-43926 in https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20-List-of-all-Resolved-Issues.htm?... .

From Take 26 you can update the CloudGuard Controller config option to push the updates to the cluster member and not to the VIP.

cdav
Contributor

Hi @Nir_Shamir @Gil_Sudai

Thank you both for your input. I am running R81.20 for management. I will check the above in line with what you've mentioned/referenced and see if I can resolve.

Thanks

cdav
Contributor

@Nir_Shamir @Gil_Sudai

It's working for me now. Added the config line to vsec.conf and upgraded to Jumbo 53 anyway.

Thank you again!

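As an added example that is not Check Point's code and not posted by anyone in this thread: a small POSIX shell helper that sets the option named in the accepted answer (updateClusterMemberAndNotVip=true) in a vsec.conf-style key=value file the way the last reply describes, idempotently, with a timestamped backup and a verification step so the change can be checked before the controller picks it up. The $FWDIR/conf location of vsec.conf, the helper names and the sample file contents are assumptions; the R81.20 Jumbo Take 26 prerequisite is the one stated in the thread, and the file location and any service restart should be taken from the linked admin guide.

```shell
#!/bin/sh
# Added example, not Check Point code. Manages a key=value option in a
# CloudGuard Controller config file. Assumed path (not given in the thread):
#   $FWDIR/conf/vsec.conf
# Per the thread, updateClusterMemberAndNotVip needs R81.20 Jumbo Take 26+.
set -eu

# set_conf_option FILE KEY VALUE
# Replaces an existing "KEY=..." line or appends "KEY=VALUE"; keeps a backup.
set_conf_option() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # backup before editing
  if grep -q "^${key}=" "$file"; then
    tmp=$(mktemp)                                  # portable in-place edit
    sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_conf_option FILE KEY -> prints the value of the last "KEY=" line (empty if absent)
get_conf_option() {
  grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# verify_conf_option FILE KEY EXPECTED -> exit 0 if the file holds exactly one
# "KEY=" line and its value is EXPECTED, else exit 1
verify_conf_option() {
  [ "$(grep -c "^$2=" "$1")" = "1" ] || return 1
  [ "$(get_conf_option "$1" "$2")" = "$3" ]
}

# Demo on a constructed sample file (not a real vsec.conf).
demo() {
  f=$(mktemp)
  printf 'someOtherOption=1\nupdateClusterMemberAndNotVip=false\n' > "$f"
  set_conf_option "$f" updateClusterMemberAndNotVip true
  set_conf_option "$f" updateClusterMemberAndNotVip true   # second run changes nothing
  if verify_conf_option "$f" updateClusterMemberAndNotVip true; then
    echo "updateClusterMemberAndNotVip=true is set once in $f"
  else
    echo "option not set as expected" >&2
  fi
  rm -f "$f" "$f".bak.*
}

demo
```

On a real management server you would call set_conf_option against the actual vsec.conf path from the admin guide, run verify_conf_option afterwards, and then confirm in $FWDIR/log/cloud_proxy.elg (as suggested earlier in the thread) that the Data Center updates are now being sent to the cluster member's management IP rather than the EIP.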