
AWS Site to Site VPN with Checkpoint Firewall

15,564 views

Tendai Musonza

1 day ago

Hands-on demo of how to configure a site-to-site VPN between AWS and a Check Point firewall, clearly showing the configuration done on the AWS end and on the on-premises firewall, then running test traffic across the tunnel.

Comments: 56
@thohuynh9132 4 months ago
You have great potential in teaching, Tendai. It would be great if you made a video about VPN setup between Check Point on AWS and Check Point on-prem.
@tendaimusonza9547 4 months ago
Thank you for the motivating words, much appreciated.
@charlesearle2055 4 months ago
@tendaimusonza9547 He's right :) You do a great job!
@TINTIN0107 3 months ago
This is great!!! If you get some free time, can you please teach how to create BGP over IPsec in VSX with R81.10?
@grahammccann8554 2 years ago
Hi Tendai, thank you for your time in making a very easy-to-follow video.
@tendaimusonza9547 2 years ago
Thank you for your comments, I am glad you liked it.
@picshh 3 months ago
Perfect! Thanks for a great video Tendai. Thumbs up!!
@tendaimusonza9547 3 months ago
Thank you, that motivates me to keep sharing.
@diaphanoux 6 months ago
Excellent video. Do you have the other video for Check Point in a cluster?
@jojac25 3 years ago
Thank you. So much informative and easy to understand. I am looking forward to the ClusterXL Check Point with site-to-site VPN to AWS.
@tendaimusonza9547 3 years ago
Thanks, once I make a plan for a proper ClusterXL lab I will deliver the presentation.
@networksecurity4182 3 years ago
@tendaimusonza9547 waiting for you
@tendaimusonza9547 3 years ago
@networksecurity4182, my apologies. I know, however I do not have a perfect environment to run ClusterXL since that can't be simulated in AWS but only on a beefy VM or physical firewalls. The only difference is that you will need to use the VTI IP assigned to Check Point by AWS as the cluster IP under topology and make up your own node VTI addresses as in the link supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100726&t=1631037086301. I will be glad to assist if you encounter any issues once you connect with me via LinkedIn.
@lenilsonsg 3 years ago
Thanks for the video my g, this video is helpful.
@tendaimusonza9547 3 years ago
It's a pleasure Lenilson.
@naordaniel 1 year ago
Great video! I love your voice!
@abrhammekonnen8759 8 months ago
Thanks, you helped me a lot.
@tendaimusonza9547 8 months ago
Glad to hear, thank you for the feedback.
@manibabui7585 9 months ago
Awesome video 👏👏 Thank you so much for creating such a video.
@manibabui7585 9 months ago
Can you help me understand the same for the Check Point configured in high availability?
@dokotella 3 years ago
Best video I've seen
@gowthamj7899 3 years ago
Awesome video... short and clear.
@tendaimusonza9547 3 years ago
Thank you for your support. Glad you liked the video, you may hit the subscribe button to avoid missing any future presentations.
@mohammedmustafaali1049 2 years ago
This is neat, thanks boss.
@pstruh22 1 year ago
Hi, need advice. I have configured the VPN as described, the tunnel is UP, I see traffic towards AWS in the logs as encrypted but still can't access the AWS server. What could be the problem? Any idea?
@tendaimusonza9547 1 year ago
Hello, do you have the route back towards the VGW in AWS for VPN traffic? Also, did you add the static route on the actual VPN tunnel back to Check Point? Also take note that if the server you are testing with is Windows, only test with RDP since Windows Firewall drops the other protocols. You can also add flow logs to confirm traffic in AWS and let me know what you see. You can also test traffic in the opposite direction and see if there are any decrypts, as another way of verifying the route back to Check Point from AWS.
@pstruh22 1 year ago
@tendaimusonza9547 Hi, we don't have access to the AWS site, AWS is built by a 3rd party. From Check Point we have a static route towards Azure routed via the tunnel interface. I can ask if they see traffic in AWS, not sure if I can do something more on Check Point. Just wanted to be 100% sure that traffic is leaving the Check Point FW; all I see is logs that traffic towards Azure is hitting the VPN community with the description Encrypted in community AWS-xxxxx. We are testing only HTTPS traffic.
@kdkapildhamija 3 years ago
Great video!!
@tendaimusonza9547 3 years ago
Thank you for the encouraging comment.
@shravanchandrashekharaiah 1 year ago
Hi, just wondering if multicast traffic works in this setup, with a transit gateway in place of the VPN gateway? Will it work?
@tendaimusonza9547 1 year ago
Hello Shravan, I bumped into an article which points out that the TGW supports multicast, although I have never tried it to confirm: aws.amazon.com/blogs/networking-and-content-delivery/integrating-external-multicast-services-with-aws/#:~:text=In%202019%2C%20AWS%20announced%20multicast,multicast%20applications%20in%20the%20cloud.
@atilkazan2511 3 years ago
Hi Tendai. Thank you for your sharing. It is a perfect exercise for me. I did everything the same and the tunnel is OK but I can't telnet to the AWS site. When I telnet from the Check Point site, the traffic is going through the tunnel but I can't telnet. I watched your video maybe 10 times but I can't find the problem. I installed a new EC2 with a different Security Group but again I failed. Can you help me with where the problem is?
@tendaimusonza9547 3 years ago
Hello, let's verify a few things here:
1. Did you disable NAT within the VPN tunnel?
2. On clish, let's say your EC2 IP is 10.10.10.10 (just an example), run the command "show route destination 10.10.10.10" whilst the tunnel is up. Does it show that it is routed to the VTI?
3. Are you using route propagation, and if so do you see the on-premise routes on the AWS subnet?
4. Is your VPC CIDR not overlapping with the on-premise network?
5. Do VPC flow logs on the EC2.
6. Test with something like ICMP and do a tcpdump on the EC2 if it is a Linux one (tcpdump -ni any icmp). Above all, if this is a Windows EC2 remember that Windows Firewall will drop traffic except only for RDP.
If all this is right you may connect with me via LinkedIn for a quick check; we can work out a time that suits both of us. During the week I am available roughly from 18:00 GMT+2.
@atilkazan2511 3 years ago
@tendaimusonza9547 Hello Tendai, 1) Yes I did. 2) Yes I have the route to EC2. 3) Yes I have route propagation and I see the route on AWS. 4) No, it is not overlapping. AWS is 172.31.X.X, the Check Point site is 192.168.40.X. 5) I tried the VPC log 5 days ago, I did not see any traffic from the Check Point site. 6) I tested but I can't see any traffic from the Check Point site. The AWS site is Linux and the Check Point site is Windows, and the firewall is off on the Windows. Thank you very much. I added you on LinkedIn.
@leenorris2500 1 year ago
Hi Tendai, at 1:01 how can I make my Check Point firewall have this public IP?
@tendaimusonza9547 1 year ago
This Check Point firewall is behind a NAT device and the public IP you see is the NAT IP of the firewall, hence it does not show up in the interface IP settings. Thanks for checking, I see you observed clearly. When you provision a Check Point in AWS, assigning an Elastic IP to it is the same as putting a NAT device in front, and that's effectively configuring a NAT address for it to be used as a public IP. Let me know if I have managed to answer you clearly.
@leenorris2500 1 year ago
@tendaimusonza9547 Can I still create a tunnel between the remote site and AWS? I have a publicly reachable IP address on the remote site but my firewall is not NATed for this public IP address.
@thereelremedy7295 3 years ago
Hi Tendai, what are some things we should check if the tunnel is up, traffic is being routed through the VPN community (according to the CP logs) but I'm still not able to connect to the instance? The following are things I have checked: 1. Subnet Route Table 2. Subnet Security Group 3. VPC Access Control List. What's the best way to view logs on the AWS side to see what's preventing the connection?
@tendaimusonza9547 3 years ago
1. Have you tried VPC flow logs on AWS? And if the instance on AWS is Windows, test with RDP and not ping since Windows Firewall will block pings. If it's Linux you can do tcpdump on the destination EC2. If you test reverse traffic from AWS towards the Check Point side, do you see it in the CP logs?
@thereelremedy7295 3 years ago
@tendaimusonza9547 Hi Tendai, interestingly enough, the reverse test reaches the internal server that is inside the CP FW. I've done tcpdump on both ends. The internal server receives the pings and replies. The EC2 instance does not receive the pings at all...
@tendaimusonza9547 3 years ago
@thereelremedy7295 Check if you disabled NAT on the VPN community. Maybe the ping is reaching with a different IP. And did you do the flow logs and select capture for all traffic? Hope your traffic is not being NATed behind your VPN tunnel interface. At least the reversed traffic confirms your routing is OK.
@thereelremedy7295 3 years ago
@tendaimusonza9547 SOLVED!!! It was the combination of "Disable NAT inside the VPN Community" for the VPN Community settings and I also had to add the SUBNET CIDR as a static route instead of the VPC CIDR. Does this mean I have to add a static route for each subnet? I thought the VPC CIDR for the static route would've covered all subnets within that VPC.
@tendaimusonza9547 3 years ago
@thereelremedy7295 From the Check Point side the VPC CIDR is good enough, and on the AWS side make sure each subnet has a route if using different route tables, either via propagation or by adding it manually (your choice). Great it's working; the most common mistake is the NAT part.
@jashxc 3 years ago
Good video! In my case I have Check Point in a cluster. How do I configure it?
@tendaimusonza9547 3 years ago
Hello Joel, thank you for reaching out. Let's say you have a cluster, and in this case AWS provides a single VTI IP address for your gateway, e.g. 169.254.111.150. You will need to use this allocated IP as your cluster IP for the VTI interfaces on the dashboard under topology, and then come up with any two more IP addresses for your cluster nodes to be configured as local VTI interface IP addresses, e.g. 169.254.111.148 and 169.254.111.249 (these will have local significance and AWS only sees your cluster IP). All the other steps are similar to the single node configuration. Hope this answers your question. See Check Point sk100726 for the steps I have just summarized. Let me know if I have answered your question.
@jashxc 3 years ago
@tendaimusonza9547 I will try! Thank you!
@thereelremedy7295 3 years ago
@tendaimusonza9547 Thanks for the awesome video! Do we define the Cluster IP for the VTI interfaces in the Gateway/Cluster object settings or the Interoperable Device object? I also have a cluster but this part of sk100726 is a little unclear.
@tendaimusonza9547 3 years ago
@thereelremedy7295 Yes, that is correct. Define the cluster IP for the VTI under the gateway object and make sure the cluster IP is the exact IP that is generated for you in AWS, and then the node IPs you make up yourself since they are just locally significant. For example, if the IP provided to you is 169.x.x.45, that's the one you define as the cluster IP; then you make up 2 more addresses for the cluster members, e.g. 169.x.x.47 and .48. Hope this clarifies your question. Just remember this is done on the cluster object, not the interoperable object.
@thereelremedy7295 3 years ago
@tendaimusonza9547 Awesome, thank you so much for clarifying. Your video is the most concise and informative set of instructions that I have found.
@leenorris2500 1 year ago
Hi Tendai, I would like to appreciate your work! I subscribed to your channel!
@tendaimusonza9547 1 year ago
Thanks, much appreciated.