Видео

Thank you, I will

Thank you , that motivates me to keep sharing

Thank you for the motivating words ,much appreciated

@@tendaimusonza9547 He's right :) You do a great job!

Dear Tendai , One more question is if we have VM bastions in the Public subnet area, how can we let them go outside or inside the private subnet by passing through the check point firewall. Is there any way we can do that?

Glad it was helpful!

Glad to hear , thank you for the feedback.

Can you help me understand the same for the check point configured in high availability

Thank you Devon

Hello ,do you have the route back towards VGW in AWS for VPN traffic ,also did you add the static route on the actual vpn tunnel back to checkpoint , also take note if the server you are testing with is windows only test with RDP since windows firewall drops the other protocols . you can also add flow logs to confirm traffic in AWS and let me know what you see . you can also test traffic in the opposite direction and see if there any decrypts as another of verifying route back to checkpoint form AWS

@@tendaimusonza9547 Hi, we dont have access to AWS site, AWS is build by 3rd party. From checkpoint we have static route towards Azure routed via tunnel interface. I can ask if they see traffic in AWS, not sure if I can do something more on checkpoint. Just wanted to by 100% sure that traffic is leaving checkpoint FW, all I see is logs that traffic towards Azure is hitting VPN community with description Encrypted in community AWS-xxxxx. We testing only HTTPS traffic.

Hello ,Thanks for reaching out to me . Please note that the AWS Network Firewall is powered by the AWS Gateway loadBalancer behind the scene and its not you who set this endpoints up but AWS process does it for you since this is a managed service. after you create the AWS Network firewall you go search under endpoints and should see a gateway loadbalancer endpoints whose ID's you can use as next hop for your routing .adding the next hop use using the ENI or endpoint ID has the same effect .You do not need to create an endpoints as you mentioned ,all you do is to provision the firewall and that will do endpoints for you.

@@tendaimusonza9547 Stupid me! Now the Endpoint popped up after I created the firewall. The order of setting up I did for my other VPC was wrong; Subnet/RTB > Firewall instead of Firewall > Subnet/RTB. Tysm for the clarification nonetheless.

@user-ie9nb5nt6b Glad you are sorted ,thanks for the feedback

@@tendaimusonza9547 Also, an additional question - I am used to Cisco Firewall stateful way of listing permitted ports/traffic on the top and just ending it with deny tcp any any to ensure other than eg. 5 permitted ports/traffic allowed, the others will be denied. However in AWS case for Stateful rules, the rule groups get rather confusing as first, only 3 rules are allowed in each group and secondly I then have to group the ports accordingly. So in each group, do I have to put tcp deny any any? And in my case the only egress and ingress traffic I am allowing is only email-related ports (25, 465, 587) and internet access to websites. No SSH,RDP, FTP, etc. allowed in or out as only my email server resides in public subnet. Other than these, the other communications are between EC2s in the private subnets (other than needing to go internet via NAT Gateway), communications to Managed AD and SSM which I don't think is required to be put in Network Firewall as its internal communications. How would you then suggest I implement my rules/rule groups? Sorry for the very long question. Tried to read AWS documentations, but it ain't that helpful to me. Appreciate any help you can give. Thank you.

its only a pleasure , you are welcome Robson

Hi Yoominbi ,thanks for reaching out ,my suggestion is that if you do not have available subnet ranges for these extra ones required you can extend your VPC with a secondary CIDR rather than destroying your setup , checkout this link aws.amazon.com/about-aws/whats-new/2017/08/amazon-virtual-private-cloud-vpc-now-allows-customers-to-expand-their-existing-vpcs/ . hope you will find this handy.

​​@@tendaimusonza9547 Thanks for the prompt reply! So if I have available subnets that can be used (as current VPC only using 10.x.x.x subnet), I do not need to destroy my current setup? Then how do you suggest I proceed - Create a new Firewall subnet, change the RTB to point existing IGW to Firewall Subnet, etc. ? (ie. play around with RTB)

@@yoominbi exactly that should work

I provided the TGW as the next hop for both Spoke CIDRS since it is the TGW which knows route back for both spokes in this centralized config ,thank you for your comment , hope i managed to answer your question

Hi Rohit , if you have worked with Terraform you may find my configs here useful for VPC and subnet config , github.com/tendai-lino/training/tree/main/GWLB-DEMO ,i used this kind of setup in ruclips.net/video/2g59ihFy5HU/видео.html , Let me know if you require any further assistance

i can assist if you have a specific questions , Kindly note that i only share info here and there voluntarily and not a full time youtuber. its just to help people for free and not for a fee . feedback much appreciated

Hello Abdo , you do not need forti HA when using the gateway loadbalancer , the GWLB is doing HA for you in a way and you need to make sure the security VPC attachment is in appliance mode to avoid asymmetrical routing . See link : docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html . with a GWLB your Fortis can be in multiple AZ however use fortimanager to make sure your rules are in sync than adding rules manually on each device .hope i answered your question.

@@tendaimusonza9547 thanks for your reply I will try to make it using TG as I'm trying with GWLB and one fortigate only for now.

Hello Bernard ,unfortunately there is no other way that i am aware of except recreating new CRT and key , hopefully you still have your CA server intact

will owner the request ,thank you for the support . glad you liked the material

Hi Lee ,Thanks for reaching out. Plz note that VPN config download for sharing with remote site is only an AWS feature ,as for Cloudguard to other VPN device you will need to agree and share common parameters .Let me know if I have answered your question

Glad to hear the material is helpful ,thank you for your support.

Thank you for the kind words ,I am encouraged if the content is helpful ,as for creating multiple resources with terraform you may use functions like for_each .I saw some good material on this link and hopefully it can be of help: developer.hashicorp.com/terraform/tutorials/configuration-language/for-each

This checkpoint firewall is behind a NAT device and the public IP you see is NAT IP of the firewall hence does not show up on interface ip settings ,thanks for checking. l see you observed clearly .when you provision a checkpoint in aws assigning an Elastic IP to it is the same as putting a NAT device in front and that's effectively configuring a NAT address to it to be used as a public IP. let me know if l have managed to answer you clearly.

@@tendaimusonza9547 Can i still able to create tunnel between Remote site to AWS . I have public reachable ip address on remote site but my firewalls not NAT for this public ip address.

thanks, much appreciated

Thank you Hitesh ,I am not sure if HA will work in conjunction with a GWLB since the health checks have no visibility to HA status since works only by probing tcp port ,I have used HA in a central security VPC using partly the steps in on fortinet link although this link is just for general HA setup not specific for central security VPC ;docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/229470/deploying-fortigate-vm-active-passive-ha-aws-between-multiple-zones .I used with a transit gateway .hope you will find this helpful

Hello Shravan, l bumped into an article which points out the the tgw supports multicast although l have never tried it to confirm, aws.amazon.com/blogs/networking-and-content-delivery/integrating-external-multicast-services-with-aws/#:~:text=In%202019%2C%20AWS%20announced%20multicast,multicast%20applications%20in%20the%20cloud.

Thank you for the feedback ,that will help me in balancing content on my future videos .you may also open an aws free tier account for learning however exercise caution on usage since not everythung is free however aws documentation clearly states how you can stay within free tier

Glad to hear ,Thanks

That's correct its the same logic only that for north south you introduce ingress routing for the internet gateway

@@tendaimusonza9547 thanks sir, keep going with great content, greetings

@@carlosemanuelbonilla904 ,thanks for the support ,much appreciated

Hi Zeeshan ,that's a valid point ,to get updates you have to change the routing ,instead of using default route to geneve use specific routes for VPCs cidrs and then default traffic to a different port with route to internet .i used 0.0.0.0/0 just for quick demo

it's a pleasure, thanks

I feel humbled ,thank you