AWS Site to Site VPN with Checkpoint Firewall 

Tendai Musonza
16K views
Hands-on demo of how to configure a VPN between AWS and a Checkpoint firewall, clearly showing the configuration done on the AWS end and on the on-premise firewall, then running test traffic across the tunnel.

Published: 26 Aug 2024

Comments: 56
@thohuynh9132 4 months ago
You have great potential in teaching, Tendai. It would be great if you made a video about VPN setup between Checkpoint on AWS and Checkpoint on-prem.
@tendaimusonza9547 4 months ago
Thank you for the motivating words, much appreciated.
@charlesearle2055 4 months ago
@tendaimusonza9547 He's right :) You do a great job!
@TINTIN0107 3 months ago
This is great!!! If you get some free time, can you please teach how to create BGP over IPsec in VSX with R81.10?
@grahammccann8554 2 years ago
Hi Tendai, thank you for your time in making a very easy-to-follow video.
@tendaimusonza9547 2 years ago
Thank you for your comments, I am glad you liked it.
@picshh 3 months ago
Perfect! Thanks for a great video Tendai. Thumbs up!!
@tendaimusonza9547 3 months ago
Thank you, that motivates me to keep sharing.
@diaphanoux 6 months ago
Excellent video. Do you have the other video for Checkpoint in a cluster?
@jojac25 3 years ago
Thank you. So informative and easy to understand. I am looking forward to the ClusterXL Checkpoint with site-to-site VPN to AWS.
@tendaimusonza9547 3 years ago
Thanks, once I make a plan for a proper ClusterXL lab I will deliver the presentation.
@networksecurity4182 3 years ago
@tendaimusonza9547 waiting for you
@tendaimusonza9547 3 years ago
@networksecurity4182, my apologies. I know, however I do not have a perfect environment to run ClusterXL, since that can't be simulated in AWS but only on a beefy VM or physical firewalls. The only difference is that you will need to use the VTI IP assigned to the Checkpoint by AWS as the cluster IP under topology and make up your own node VTI addresses, as in the link supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100726&t=1631037086301. I will be glad to assist if you encounter any issues once you connect with me via LinkedIn.
@lenilsonsg 3 years ago
Thanks for the video my g, this video is helpful.
@tendaimusonza9547 3 years ago
It's a pleasure Lenilson.
@naordaniel 1 year ago
Great video! I love your voice!
@abrhammekonnen8759 8 months ago
Thank you, you helped me a lot.
@tendaimusonza9547 8 months ago
Glad to hear, thank you for the feedback.
@manibabui7585 9 months ago
Awesome video 👏👏 Thank you so much for creating such a video.
@manibabui7585 9 months ago
Can you help me understand the same for a Checkpoint configured in high availability?
@dokotella 3 years ago
Best video I've seen.
@gowthamj7899 3 years ago
Awesome video.. short and clear..
@tendaimusonza9547 3 years ago
Thank you for your support. Glad you liked the video; you may hit the subscribe button to avoid missing any future presentations.
@mohammedmustafaali1049 2 years ago
This is neat, thanks boss.
@pstruh22 1 year ago
Hi, I need advice. I have configured the VPN as described, the tunnel is UP, I see traffic towards AWS in the logs as encrypted, but I still can't access the AWS server. What could be the problem? Any idea?
@tendaimusonza9547 1 year ago
Hello, do you have the route back towards the VGW in AWS for VPN traffic? Also, did you add the static route on the actual VPN tunnel back to the Checkpoint? Also take note: if the server you are testing with is Windows, only test with RDP, since Windows Firewall drops the other protocols. You can also add flow logs to confirm traffic in AWS and let me know what you see. You can also test traffic in the opposite direction and see if there are any decrypts, as another way of verifying the route back to the Checkpoint from AWS.
@pstruh22 1 year ago
@tendaimusonza9547 Hi, we don't have access to the AWS site; AWS is built by a 3rd party. From the Checkpoint we have a static route towards Azure routed via the tunnel interface. I can ask if they see traffic in AWS, not sure if I can do something more on the Checkpoint. I just wanted to be 100% sure that traffic is leaving the Checkpoint FW; all I see is logs that traffic towards Azure is hitting the VPN community with the description "Encrypted in community AWS-xxxxx". We are testing only HTTPS traffic.
@kdkapildhamija 3 years ago
Great video!!
@tendaimusonza9547 3 years ago
Thank you for the encouraging comment.
@shravanchandrashekharaiah 1 year ago
Hi, just wondering if multicast traffic works in this setup, with a transit gateway in place of the VPN gateway? Will it work?
@tendaimusonza9547 1 year ago
Hello Shravan, I bumped into an article which points out that the TGW supports multicast, although I have never tried it to confirm: aws.amazon.com/blogs/networking-and-content-delivery/integrating-external-multicast-services-with-aws/#:~:text=In%202019%2C%20AWS%20announced%20multicast,multicast%20applications%20in%20the%20cloud.
@atilkazan2511 3 years ago
Hi Tendai. Thank you for your sharing. It is a perfect exercise for me. I did everything the same and the tunnel is OK, but I can't telnet to the AWS site. When I telnet from the Checkpoint site, the traffic is going through the tunnel but I can't telnet. I watched your video maybe 10 times but I can't find the problem. I installed a new EC2 with a different Security Group but again I failed. Can you help me with where the problem is?
@tendaimusonza9547 3 years ago
Hello, let's verify a few things here:
1. Did you disable NAT within the VPN tunnel?
2. On clish, let's say your EC2 IP is 10.10.10.10 (just an example): run the command "show route destination 10.10.10.10" while the tunnel is up. Does it show that it is routed to the VTI?
3. Are you using route propagation, and if so, do you see the on-premise routes on the AWS subnet?
4. Is your VPC CIDR not overlapping with the on-premise network?
5. Do VPC flow logs on the EC2.
6. Test with something like ICMP and do a tcpdump on the EC2 if it is a Linux one (tcpdump -ni any icmp).
Above all, if this is a Windows EC2, remember that Windows Firewall will drop traffic except only for RDP. If all this is right, you may connect with me via LinkedIn for a quick check; we can work out a time that suits both of us. During the week I am available roughly from 18:00 GMT+2.
@atilkazan2511 3 years ago
@tendaimusonza9547 Hello Tendai, 1) Yes I did. 2) Yes, I have a route to the EC2. 3) Yes, I have route propagation and I see the route on AWS. 4) No, it is not overlapping. AWS is 172.31.X.X, the Checkpoint site is 192.168.40.X. 5) I tried VPC logs 5 days ago; I did not see any traffic from the Checkpoint site. 6) I tested but I can't see any traffic from the Checkpoint site. The AWS site is Linux and the Checkpoint site is Windows, and the firewall is off on Windows. Thank you very much. I added you on LinkedIn.
@leenorris2500 1 year ago
Hi Tendai, at 1:01, how can I make my Checkpoint firewall have this public IP?
@tendaimusonza9547 1 year ago
This Checkpoint firewall is behind a NAT device, and the public IP you see is the NAT IP of the firewall, hence it does not show up in the interface IP settings. Thanks for checking; I see you observed clearly. When you provision a Checkpoint in AWS, assigning an Elastic IP to it is the same as putting a NAT device in front, and that's effectively configuring a NAT address for it to be used as a public IP. Let me know if I have managed to answer you clearly.
@leenorris2500 1 year ago
@tendaimusonza9547 Can I still create a tunnel between the remote site and AWS? I have a publicly reachable IP address on the remote site, but my firewall is not NATed for this public IP address.
@thereelremedy7295 3 years ago
Hi Tendai, what are some things we should check if the tunnel is up and traffic is being routed through the VPN community (according to the CP logs), but I'm still not able to connect to the instance? The following are things I have checked: 1. Subnet route table 2. Subnet security group 3. VPC access control list. What's the best way to view logs on the AWS side to see what's preventing the connection?
@tendaimusonza9547 3 years ago
1. Have you tried VPC flow logs on AWS? And if the instance on AWS is Windows, test with RDP and not ping, since Windows Firewall will block pings. If it's Linux you can do a tcpdump on the destination EC2. If you test reverse traffic from AWS towards the Checkpoint side, do you see it in the CP logs?
@thereelremedy7295 3 years ago
@tendaimusonza9547 Hi Tendai, interestingly enough, the reverse test reaches the internal server that is inside the CP FW. I've done tcpdump on both ends. The internal server receives the pings and replies. The EC2 instance does not receive the pings at all...
@tendaimusonza9547 3 years ago
@thereelremedy7295 Check if you disabled NAT on the VPN community; maybe the ping is arriving with a different IP. And did you do the flow logs and select capture for all traffic? Hope your traffic is not being NATed behind your VPN tunnel interface. At least the reverse traffic confirms your routing is OK.
@thereelremedy7295 3 years ago
@tendaimusonza9547 SOLVED!!! It was the combination of "Disable NAT inside the VPN Community" in the VPN community settings, and I also had to add the subnet CIDR as a static route instead of the VPC CIDR. Does this mean I have to add a static route for each subnet? I thought the VPC CIDR for the static route would have covered all subnets within that VPC.
@tendaimusonza9547 3 years ago
@thereelremedy7295 From the Checkpoint side the VPC CIDR is good enough, and on the AWS side make sure each subnet has a route if using different route tables, either via propagation or adding manually (your choice). Great that it's working; the most common mistake is the NAT part.
@jashxc 3 years ago
Good video! In my case I have Checkpoint in a cluster. How do I configure it?
@tendaimusonza9547 3 years ago
Hello Joel, thank you for reaching out. Let's say you have a cluster, and in this case AWS provides a single VTI IP address for your gateway, e.g. 169.254.111.150. You will need to use this allocated IP as your cluster IP for the VTI interfaces on the dashboard under topology, and then come up with any two more IP addresses for your cluster nodes to be configured as local VTI interface IP addresses, e.g. 169.254.111.148 and 169.254.111.249 (these will have local significance, and AWS only sees your cluster IP). All the other steps are similar to a single-node configuration. Hope this answers your question. See Checkpoint sk100726 for the steps I have just summarized. Let me know if I have answered your question.
@jashxc 3 years ago
@tendaimusonza9547 I will try! Thank you!
@thereelremedy7295 3 years ago
@tendaimusonza9547 Thanks for the awesome video! Do we define the cluster IP for the VTI interfaces in the Gateway/Cluster object settings or in the Interoperable Device object? I also have a cluster, but this part of sk100726 is a little unclear.
@tendaimusonza9547 3 years ago
@thereelremedy7295, yes, that is correct. Define the cluster IP for the VTI under the gateway object and make sure the cluster IP is the exact IP that is generated for you in AWS; then the node IPs you make up yourself, since they are just locally significant. For example, if the IP provided to you is 169.x.x.45, that's the one you define as the cluster IP; then you make up 2 more addresses for the cluster members, e.g. 169.x.x.47 and .48. Hope this clarifies your question. Just remember this is done on the cluster object, not the interoperable object.
@thereelremedy7295 3 years ago
@tendaimusonza9547 Awesome, thank you so much for clarifying. Your video is the most concise and informative set of instructions that I have found.
@leenorris2500 1 year ago
Hi Tendai, I would like to show my appreciation for your work! I subscribed to your channel!
@tendaimusonza9547 1 year ago
Thanks, much appreciated.