You have great potential in teaching, Tendai. It would be great if you made a video about VPN setup between Check Point on AWS and Check Point on-prem.
Dear Tendai, one more question: if we have VM bastions in the public subnet area, how can we let them go outside or inside the private subnet by passing through the Check Point firewall? Is there any way we can do that?
Hi, need advice. I have configured the VPN as described, the tunnel is UP, and I see traffic towards AWS in the logs as encrypted, but I still can't access the AWS server. What could be the problem? Any idea?
Hello, do you have the route back towards the VGW in AWS for VPN traffic? Also, did you add the static route on the actual VPN tunnel back to Check Point? Also take note: if the server you are testing with is Windows, only test with RDP, since the Windows firewall drops the other protocols. You can also add flow logs to confirm traffic in AWS and let me know what you see. You can also test traffic in the opposite direction and see if there are any decrypts, as another way of verifying the route back to Check Point from AWS.
@tendaimusonza9547 Hi, we don't have access to the AWS site; AWS is built by a 3rd party. From Check Point we have a static route towards Azure routed via the tunnel interface. I can ask if they see traffic in AWS; not sure if I can do something more on Check Point. Just wanted to be 100% sure that traffic is leaving the Check Point FW; all I see is logs that traffic towards Azure is hitting the VPN community with the description Encrypted in community AWS-xxxxx. We are testing only HTTPS traffic.
On 7:08, you mentioned the auto-created Gateway Load Balancer endpoint; however, on my end it isn't auto-created and I can't seem to be able to create the endpoint, as I am unsure what service name to select. I have 2 VPCs: in one it auto-created, in the other it didn't. Not too sure why. The only thing that was auto-created is the Gateway Endpoint with service name '.....s3'.
Hello, thanks for reaching out to me. Please note that the AWS Network Firewall is powered by the AWS Gateway Load Balancer behind the scenes, and it is not you who sets these endpoints up; the AWS process does it for you, since this is a managed service. After you create the AWS Network Firewall, search under endpoints and you should see Gateway Load Balancer endpoints whose IDs you can use as the next hop for your routing. Adding the next hop using the ENI or the endpoint ID has the same effect. You do not need to create endpoints as you mentioned; all you do is provision the firewall and that will create the endpoints for you.
@tendaimusonza9547 Stupid me! Now the endpoint popped up after I created the firewall. The order of setting up I did for my other VPC was wrong: Subnet/RTB > Firewall instead of Firewall > Subnet/RTB. Tysm for the clarification nonetheless.
@tendaimusonza9547 Also, an additional question: I am used to the Cisco firewall stateful way of listing permitted ports/traffic at the top and just ending with deny tcp any any to ensure that, other than e.g. the 5 permitted ports/traffic allowed, the others will be denied. However, in the AWS case for stateful rules, the rule groups get rather confusing as, first, only 3 rules are allowed in each group and, secondly, I then have to group the ports accordingly. So in each group, do I have to put tcp deny any any? And in my case the only egress and ingress traffic I am allowing is email-related ports (25, 465, 587) and internet access to websites. No SSH, RDP, FTP, etc. allowed in or out, as only my email server resides in the public subnet. Other than these, the other communications are between EC2s in the private subnets (other than needing to go to the internet via the NAT Gateway), communications to Managed AD and SSM, which I don't think is required to be put in Network Firewall as it's internal communication. How would you then suggest I implement my rules/rule groups? Sorry for the very long question. Tried to read the AWS documentation, but it ain't that helpful to me. Appreciate any help you can give. Thank you.
Hi, this is pure GOLD!! Can you please post a video on Check Point Cluster, especially with the application being on a different VPC/subnet? This will help in gaining a better understanding of the routing/next-hop and so on. Thanks for the great stuff.
Hello, one question: so does it mean that if I have an existing VPC with 2 public & 2 private subnets, IGW, NAT GW, and have EC2s already set up in these private subnets, I'll have to set up everything from scratch due to the firewall subnets?
Hi Yoominbi, thanks for reaching out. My suggestion is that if you do not have available subnet ranges for these extra ones required, you can extend your VPC with a secondary CIDR rather than destroying your setup. Check out this link: aws.amazon.com/about-aws/whats-new/2017/08/amazon-virtual-private-cloud-vpc-now-allows-customers-to-expand-their-existing-vpcs/ . I hope you will find this handy.
@tendaimusonza9547 Thanks for the prompt reply! So if I have available subnets that can be used (as the current VPC is only using a 10.x.x.x subnet), I do not need to destroy my current setup? Then how do you suggest I proceed: create a new firewall subnet, change the RTB to point the existing IGW to the firewall subnet, etc.? (i.e. play around with the RTB)
Excellent video, many thanks for sharing with us. One thing which is bugging me is the route-table entry for "GWLB-Subnet": why do we have to provide two transit gateway entries for both spoke VPCs? Is it really required for E-W traffic?
I provided the TGW as the next hop for both spoke CIDRs since it is the TGW which knows the route back for both spokes in this centralized config. Thank you for your comment; hope I managed to answer your question.
Greetings, excellent overview, thank you. I'm building a proof of concept: 3 pairs of Fortigate firewalls in HA mode Active/Active across 3 Availability Zones, with AWS load balancing, Transit Gateway, FortiManager for centralised management and a FortiAnalyzer as part of the SIEM. (APP VPC, SEC VPC, TRANS VPC)
Hi Rohit, if you have worked with Terraform you may find my configs here useful for VPC and subnet config: github.com/tendai-lino/training/tree/main/GWLB-DEMO . I used this kind of setup in ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-2g59ihFy5HU.html . Let me know if you require any further assistance.
I can assist if you have specific questions. Kindly note that I only share info here and there voluntarily and am not a full-time YouTuber. It's just to help people for free and not for a fee. Feedback much appreciated.
Hello Abdo, you do not need Forti HA when using the Gateway Load Balancer; the GWLB is doing HA for you in a way, and you need to make sure the security VPC attachment is in appliance mode to avoid asymmetrical routing. See link: docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html . With a GWLB your Fortis can be in multiple AZs; however, use FortiManager to make sure your rules are in sync rather than adding rules manually on each device. Hope I answered your question.
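The centralized-inspection routing described in the replies above (a GWLB endpoint as next hop, one TGW route per spoke CIDR in the GWLB-subnet route table, and appliance mode on the security VPC attachment) as one added Terraform example; it is not the author's GWLB-DEMO config and assumes a single-AZ layout, made-up spoke CIDRs, and VPC, subnet, TGW and endpoint resources defined elsewhere under the names used here.

```hcl
# Added example, not the author's configs. Names and CIDRs are assumptions;
# aws_vpc.security, aws_subnet.tgw_attach, aws_ec2_transit_gateway.main and
# aws_vpc_endpoint.gwlb are assumed to be defined elsewhere.

# Spoke CIDRs whose return path must go back through the TGW.
variable "spoke_cidrs" {
  type = map(string)
  default = {
    spoke_a = "10.1.0.0/16"
    spoke_b = "10.2.0.0/16"
  }
}

# Appliance mode keeps both directions of a flow in the same AZ, so the
# reply reaches the same stateful appliance instead of being dropped.
resource "aws_ec2_transit_gateway_vpc_attachment" "security" {
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
  vpc_id                 = aws_vpc.security.id
  subnet_ids             = [for s in aws_subnet.tgw_attach : s.id]
  appliance_mode_support = "enable"
}

# GWLB (firewall) subnet route table: one route per spoke CIDR with the TGW
# as next hop, because only the TGW knows the way back to each spoke.
resource "aws_route_table" "gwlb_subnet" {
  vpc_id = aws_vpc.security.id
}

resource "aws_route" "gwlb_to_spokes" {
  for_each               = var.spoke_cidrs
  route_table_id         = aws_route_table.gwlb_subnet.id
  destination_cidr_block = each.value
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
}

# TGW-attachment subnet route table: everything arriving from the spokes is
# steered into the GWLB endpoint; the endpoint ID itself is the next hop.
resource "aws_route_table" "tgw_attach_subnet" {
  vpc_id = aws_vpc.security.id
}

resource "aws_route" "tgw_attach_to_gwlb" {
  route_table_id         = aws_route_table.tgw_attach_subnet.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.gwlb.id
}
```

With more than one AZ, each AZ needs its own pair of route tables pointing at the GWLB endpoint in that AZ, which is what appliance mode relies on to keep flows symmetric.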
Hello Bernard, unfortunately there is no other way that I am aware of except recreating a new CRT and key. Hopefully you still have your CA server intact.
Hi Tendai, how about CloudGuard VPN S2S to another firewall? Is it the same setup as the AWS VPN FW, and will I still be able to download the configuration file on my AWS dashboard to provide to the remote site?
Hi Lee, thanks for reaching out. Please note that the VPN config download for sharing with the remote site is only an AWS feature; as for CloudGuard to another VPN device, you will need to agree on and share common parameters. Let me know if I have answered your question.
I searched the whole internet but couldn't find a proper video explaining the GWLB in detail and how to use it with appliances. This video is by far the best today, and thank you for the help.
How can we create 100 VPN tunnels at once (which include on-prem and AWS) for DR activities? Thanks, this video explains nicely; keep doing more please.
Thank you for the kind words; I am encouraged if the content is helpful. As for creating multiple resources with Terraform, you may use functions like for_each. I saw some good material at this link and hopefully it can be of help: developer.hashicorp.com/terraform/tutorials/configuration-language/for-each
This Check Point firewall is behind a NAT device, and the public IP you see is the NAT IP of the firewall, hence it does not show up in the interface IP settings. Thanks for checking; I see you observed clearly. When you provision a Check Point in AWS, assigning an Elastic IP to it is the same as putting a NAT device in front, and that's effectively configuring a NAT address for it to be used as a public IP. Let me know if I have managed to answer you clearly.
@tendaimusonza9547 Can I still create a tunnel between the remote site and AWS? I have a publicly reachable IP address on the remote site, but my firewall is not NATed for this public IP address.
Very nice step-by-step walkthrough; keep it up. Any idea how the setup will look if we have a multi-AZ Fortigate HA deployment? I have issues with the LB and endpoints when I have multi-AZ and the application VPC is a different VPC; it creates issues. I am checking further on the setup, but the primary works and failover doesn't.
Thank you Hitesh. I am not sure if HA will work in conjunction with a GWLB, since the health checks have no visibility into HA status; they work only by probing a TCP port. I have used HA in a central security VPC using partly the steps in this Fortinet link, although this link is just for general HA setup, not specific to a central security VPC: docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/229470/deploying-fortigate-vm-active-passive-ha-aws-between-multiple-zones . I used it with a transit gateway. Hope you will find this helpful.
Hello Shravan, I bumped into an article which points out that the TGW supports multicast, although I have never tried it to confirm: aws.amazon.com/blogs/networking-and-content-delivery/integrating-external-multicast-services-with-aws/#:~:text=In%202019%2C%20AWS%20announced%20multicast,multicast%20applications%20in%20the%20cloud.
I am new to AWS VPC. Can you make a video on what AWS services are offered as network and security services, and is there any free or trial lab on the AWS cloud to test them?
Thank you for the feedback; that will help me in balancing content in my future videos. You may also open an AWS free tier account for learning; however, exercise caution on usage, since not everything is free. The AWS documentation clearly states how you can stay within the free tier.
I am a beginner with ASA. I googled but no luck. I am facing this error: ciscoasa(config)# crypto ikev1 enable outside ^ ERROR: % Invalid input detected at '^' marker. ciscoasa(config)# Can you help me please? Thanks a lot!
How can we get FortiGuard updates in this scenario? On port1 I have created GENEVE for data traffic, so how can I communicate with FortiGuard for updates? Can you help?
Hi Zeeshan, that's a valid point. To get updates you have to change the routing: instead of using the default route to GENEVE, use specific routes for the VPC CIDRs and then send default traffic to a different port with a route to the internet. I used 0.0.0.0/0 just for a quick demo.