https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135514#M20428 <P>I don’t understand, you can learn more?</P> Sat, 04 Dec 2021 13:54:10 GMT Andrew25 2021-12-04T13:54:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135509#M20424 <P><EM>We plan to use authentication on the FW-B for Internet access and Mobile Access connections</EM></P><P>Description of the problem</P><P>FW-B uses an external IP (2.2.2.2) address for requests (Identity Avareaness) to DC-1. DC-1 sends a response in the wrong direction, according to routing</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Identity.jpg" style="width: 792px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14458i3548D354551F4BCB/image-size/large?v=v2&amp;px=999" role="button" title="Identity.jpg" alt="Identity.jpg" /></span></P><P><STRONG>Is it possible to configure the FW-B so that it sends requests (Identity Avareaness) using its local IP address as the source interface?</STRONG></P> Sat, 04 Dec 2021 16:25:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135509#M20424 Andrew25 2021-12-04T16:25:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135510#M20425 <P>What do you see if you issue ip route get and then IP of the DC1? just run ip r g 192.168.0.1 on expert mode of firewall B.&nbsp;</P> Sat, 04 Dec 2021 13:05:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135510#M20425 the_rock 2021-12-04T13:05:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135512#M20426 <P>192.168.0.1 via 2.2.2.1 dev eth1 src 2.2.2.2</P> Sat, 04 Dec 2021 13:47:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135512#M20426 Andrew25 2021-12-04T13:47:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135513#M20427 <P>Well, if you want it to take different path, just change the route to reflect different interface. It seems at this point its using 2.2.2.2 interface IP with gateway of 2.2.2.1.</P> Sat, 04 Dec 2021 13:50:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135513#M20427 the_rock 2021-12-04T13:50:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135514#M20428 <P>I don’t understand, you can learn more?</P> Sat, 04 Dec 2021 13:54:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135514#M20428 Andrew25 2021-12-04T13:54:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135515#M20429 <P>What Im saying is, it does not sound logical to use external interface to access something internal from the firewall itself. Just change it to reflect internal interface of the firewall, as long as topology is right.</P> Sat, 04 Dec 2021 14:03:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135515#M20429 the_rock 2021-12-04T14:03:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135516#M20430 <P>Yes, it is not logical, I agree.&nbsp;How to <SPAN>change it to reflect internal interface of the firewall?</SPAN></P> Sat, 04 Dec 2021 14:07:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135516#M20430 Andrew25 2021-12-04T14:07:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135518#M20432 <P>From web UI or clish. Just change it via web UI in the browser, it takes 15 seconds literally.</P> Sat, 04 Dec 2021 18:56:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135518#M20432 the_rock 2021-12-04T18:56:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135856#M20515 <P>You could do a hide NAT on the traffic from FW-B when it passes through FW-A to go to the DC-1&nbsp;</P> Wed, 08 Dec 2021 17:47:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identity-awareness-does-not-work-routing-problem-What-are-the/m-p/135856#M20515 Andrew25 2021-12-08T17:47:13Z