Troubleshooting

Symptom:

  • Untagged subnet traffic does not reach the Internet Gateway

  • A subnet was untagged but IRE enforcement is not removed

Cause:

  When you tag a subnet that shares a route table with an untagged subnet, the route table sends all outgoing traffic through the Gateway Load Balancer Endpoint (GWLBe). This occurs because at least one subnet associated with that route table is tagged.

Solution:

  • Make sure that the route table for the untagged subnet is not also associated with a tagged subnet.

  • Check whether the subnet's route table is the VPC's main route table. The main route table may be associated with a tagged subnet.

    When you create a new subnet in AWS, it automatically associates with the VPC main route table.

    Make sure your subnet is not associated with the main route table if that table is associated with a tagged subnet. Such an association causes IRE enforcement on every subnet that uses the route table (both explicit and automatic associations).
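The check described above can be done offline against the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-subnets` return. The following is an added example, not Check Point's code: it resolves the route table a subnet actually uses (an explicit association, or the VPC main table by default), lists the tagged subnets that share it, and reports whether its default route points at a VPC endpoint. The subnet tag key (`TAG_KEY`), the sample VPC and the assumption that the CLI reports a GWLBe route target in the `GatewayId` field are all constructed for this example.

```python
"""Find tagged subnets that share a route table with a given untagged subnet.

Added example (not Check Point's code). Runs offline on the JSON shapes of
`aws ec2 describe-route-tables` and `aws ec2 describe-subnets`.
"""
import json

# Assumption: the tag key that marks a subnet for enforcement in your deployment.
TAG_KEY = "x-chkp-example-tag"

# Constructed sample VPC: subnet-a (tagged) and subnet-b (untagged) have no
# explicit association, so both fall back to the main table, whose default
# route targets a VPC endpoint. subnet-c is explicitly on an IGW table.
ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main0001", "VpcId": "vpc-0001",
   "Associations": [
     {"RouteTableAssociationId": "rtbassoc-1", "RouteTableId": "rtb-main0001", "Main": true}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0123456789abcdef0"}]},
  {"RouteTableId": "rtb-igw00002", "VpcId": "vpc-0001",
   "Associations": [
     {"RouteTableAssociationId": "rtbassoc-2", "RouteTableId": "rtb-igw00002",
      "SubnetId": "subnet-c", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]}
]}
""")
SUBNETS = json.loads("""
{"Subnets": [
  {"SubnetId": "subnet-a", "VpcId": "vpc-0001", "Tags": [{"Key": "x-chkp-example-tag", "Value": "true"}]},
  {"SubnetId": "subnet-b", "VpcId": "vpc-0001", "Tags": []},
  {"SubnetId": "subnet-c", "VpcId": "vpc-0001", "Tags": []}
]}
""")


def tagged_subnet_ids(subnets, tag_key=TAG_KEY):
    """Subnets carrying the enforcement tag."""
    return {s["SubnetId"] for s in subnets["Subnets"]
            if any(t["Key"] == tag_key for t in s.get("Tags", []))}


def effective_route_table(route_tables, subnet_id):
    """Explicit association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt, "explicit"
            if assoc.get("Main"):
                main = rt
    return main, "main"


def subnets_on_table(route_tables, subnets, rt):
    """Every subnet whose traffic uses rt, explicitly or via the main-table default."""
    explicit = {a["SubnetId"] for t in route_tables["RouteTables"]
                for a in t["Associations"] if a.get("SubnetId")}
    members = {a["SubnetId"] for a in rt["Associations"] if a.get("SubnetId")}
    if any(a.get("Main") for a in rt["Associations"]):
        members |= {s["SubnetId"] for s in subnets["Subnets"]
                    if s["VpcId"] == rt["VpcId"] and s["SubnetId"] not in explicit}
    return members


def default_route_target(rt):
    """Target of the 0.0.0.0/0 route, or None if the table has no default route."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId") or route.get("NetworkInterfaceId")
    return None


def diagnose(route_tables, subnets, subnet_id, tag_key=TAG_KEY):
    """Explain why an untagged subnet may still be routed through the GWLBe."""
    rt, how = effective_route_table(route_tables, subnet_id)
    tagged = tagged_subnet_ids(subnets, tag_key)
    sharing = sorted((subnets_on_table(route_tables, subnets, rt) & tagged) - {subnet_id})
    target = default_route_target(rt)
    return {
        "route_table": rt["RouteTableId"],
        "association": how,                      # "explicit" or "main"
        "tagged_sharers": sharing,               # non-empty means enforcement is inherited
        "default_route_target": target,
        # Assumption: a GWLBe target is reported as a vpce- id in GatewayId.
        "routed_via_gwlbe": bool(target and target.startswith("vpce-")),
    }


if __name__ == "__main__":
    for sid in ("subnet-b", "subnet-c"):
        print(sid, diagnose(ROUTE_TABLES, SUBNETS, sid))
```

A non-empty `tagged_sharers` list together with `association == "main"` is exactly the situation the solution above describes: the untagged subnet inherits the GWLBe default route through the main table, and the fix is to give it its own route table association.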

Symptom:

  Health Checks for Auto Scaling Group instances fail

Cause:

  The fwkern.conf file on the Security Gateway is not correctly configured to handle health probe packets from the required IP address range.

Solution:

  1. Set the health check IP range flag in the fwkern.conf file with autoprov_cfg so that the gateway handles Health Probe packets from the required IP address range. Run this command:

       autoprov_cfg set template -tn "<TEMPLATE-NAME>" -hc "ip1,ip2"

     "ip1" and "ip2" are the first and last IP addresses in the range. For example:

       autoprov_cfg set template -tn "my-template" -hc "10.0.0.0,10.0.255.255"

  2. Open the fwkern.conf file and validate these health check IP range parameters:

       cloud_balancer_ip1

       cloud_balancer_ip2

     Note - The health check IP range in fwkern.conf is in hexadecimal format. For example:

       cloud_balancer_ip1=0x0a000a00

       cloud_balancer_ip2=0x0a0014ff

Symptom:

  Software Blades malfunction in Auto Scaling Group Gateways

Cause:

  The eth0 interface of each Security Gateway is not set to "Internal", which is required to work with Bridge Mode.

Solution:

  1. Install the latest Cloud Management Extension (CME) version on your Management Server. See sk157492.

  2. Make sure that the Auto Scaling Group has this tag:

     • Key: x-chkp-topology

     • Value: internal