topic Re: DNS Resolution Issue for Spoke Firewalls over MPLS (Using External IP Instead of Internal) in Firewall and Security Management

DNS Resolution Issue for Spoke Firewalls over MPLS (Using External IP Instead of Internal)

sandeepsutar — Wed, 22 Apr 2026 08:32:09 GMT

Hi Team,

We have a hub-and-spoke MPLS setup where:

DNS server is located at the hub site
Spoke locations connect via MPLS
DNS server is configured to allow queries only from internal network ranges

🔹 Issue:

Spoke Check Point firewalls (Gaia& SMBmodels) are unable to resolve DNS for updates (IPS, AV, URL Filtering, etc.).

On investigation:

Firewalls are sending DNS queries using their MPLS WAN (external) IP
DNS server blocks these requests since only internal IP ranges are allowed
As a result, update services are failing

🔹 Constraints:

At spoke, Only two interfaces are in use (Internal + External)
Management interface is not currently used
We want to avoid NAT configuration

🔹 Questions:

Why does the firewall use the external interface IP for DNS queries instead of internal, is there a way to make it initiate using internal interface ip?
In Gaia, there is an option:
- Network Management → Network Interfaces → Management Interface
- What exactly does this control?
- If we assign the internal interface as the management interface, will DNS queries originate from the internal IP?
This option is not available on SMB:
- Is there an alternative way to control DNS source IP on SMB devices?
What is the recommended approach in such MPLS deployments?

🔹 Goal:

Ensure firewall-originated DNS queries use internal IP, so they are allowed by the DNS server.

Regards,

@emmap

Any guidance or best practices would be appreciated.

Re: DNS Resolution Issue for Spoke Firewalls over MPLS (Using External IP Instead of Internal)

CheckPointerXL — Wed, 22 Apr 2026 09:24:42 GMT

i think you are asking sonething that it would trigger local antispoofing

probably only nat is the solution

Re: DNS Resolution Issue for Spoke Firewalls over MPLS (Using External IP Instead of Internal)

Chris_Atkinson — Wed, 22 Apr 2026 09:54:37 GMT

Source address is based on routing, it will take the interface address nearest to the destination.

MPLS with external IPs would be considered unusual here given IPv4 conservation efforts.

Re: DNS Resolution Issue for Spoke Firewalls over MPLS (Using External IP Instead of Internal)

PhoneBoy — Wed, 22 Apr 2026 14:42:48 GMT

By default, traffic originating from the gateway itself uses the source address of the egress interface per the routing table.
SMB appliances do have an option to use the internal IP per sk119415.
Not aware of how to achieve this on non-SMB devices.