Traffic Flows

Inbound Traffic

  1. The request traffic arrives from the Internet at the External Load Balancer in the Check Point deployed solution.

  2. The External Load Balancer forwards the request traffic to a VMSS Gateway instance.

  3. The VMSS Gateway instance:

    1. Inspects the request traffic.

    2. Performs Static NAT on the request traffic.

    3. Forwards the request traffic to the Application's Internal Load Balancer.

  4. The Application's Internal Load Balancer forwards the request traffic to the Web Server Host.

Inbound Traffic Reply

  1. The reply traffic arrives from the Web Server Host to the original VMSS Gateway instance.

  2. The VMSS Gateway instance:

    1. Inspects the reply traffic.

    2. Forwards the reply traffic to the External Load Balancer.

  3. The External Load Balancer forwards the reply traffic to the destination on the Internet.

Outbound Traffic

  1. The request traffic arrives from the Web Server Host at the Internal Load Balancer in the Check Point deployed solution.

  2. The Internal Load Balancer forwards the request traffic to a VMSS Gateway instance.

  3. The VMSS Gateway instance:

    1. Inspects the request traffic.

    2. Performs Hide NAT on the request traffic.

    3. Forwards the request traffic to the Internet.

Outbound Traffic Reply

  1. The reply traffic arrives from the Internet at the External Load Balancer in the Check Point deployed solution.

  2. The External Load Balancer forwards the reply traffic to a Check Point Security Gateway instance (Active Cluster Member) in the VMSS.

  3. The Check Point Security Gateway instance:

    1. Inspects the reply traffic.

    2. Forwards the reply traffic to the Internal Load Balancer in the Check Point deployed solution.

East-West Outbound Traffic

  1. The request traffic arrives from the Web Server Host 1 at the Internal Load Balancer in the Check Point deployed solution.

  2. The Internal Load Balancer forwards the request traffic to a VMSS Gateway instance.

  3. The VMSS Gateway instance:

    1. Inspects the request traffic.

    2. Forwards the request traffic to the corresponding Internal Load Balancer of the Web Server Host 2.

  4. The Internal Load Balancer of the Web Server Host 2 forwards the request traffic to the destination Web Server Host 2.

East-West Outbound Traffic Reply

  1. The reply traffic arrives from the Web Server Host 2 at the Internal Load Balancer in the Check Point deployed solution.

  2. The Internal Load Balancer forwards the reply traffic to the same VMSS Gateway instance that processed the request traffic from the Web Server Host 1 to the Web Server Host 2.

  3. The Check Point Security Gateway instance:

    1. Inspects the reply traffic.

    2. Forwards the reply traffic to the corresponding Internal Load Balancer of the Web Server Host 1 in the Check Point deployed solution.

Intra-Subnet Traffic

Traffic travels freely in the subnet without inspection.

Remote Access VPN

  • On each attempt to create a site or connect to the site, the client runs a DNS query to resolve the current active IP addresses and do a load-sharing mechanism on the resolved IP list.

  • When the client initiates the connection, IKE negotiations take place with the configured Gateway on Azure. After the negotiations finish, a Remote Access tunnel is established.

  • As part of the IKE negotiations, the Gateway assigns a special IP called Office Mode to the client. By this assignment, the Gateway can identify the Remote Access client and give it access to the internal resources - derived from the configured Policy in SmartConsole.

  • The Remote Access client can auto-trust a new VMSS Instance Certificate that was issued by the same Management Server.

  • For more information about how Remote Access works with the Check Point Gateway, see the R81 Remote Access VPN Administration Guide.