topic Re: Checkpoint Firewall for ISP provider in Firewall and Security Management

Checkpoint Firewall for ISP provider

TRajkumar — Tue, 02 Dec 2025 13:34:05 GMT

Hi Everyone,

I'm going to deploy a checkpoint firewall to ISP provider. 2 connections as considered as uplink(external) and some other interfaces as down link (LAN - it also the public IP addresses). We have access the internet from the down link public IP addresses.

I have configured the interfaces and topology as 2 external and 1 internal with specified network. In this setup we don't require a NAT, since we already using the public IP addresses. Also policy configured with allow action.

Now I try to ping 8.8.8.8 there is no response, even there is accept log on firewall logs & no drops in fw ctl. When during the tcpdump

I notice the arp issue. ( 8.8.8.8 learned by my external interfaces and also try to learn on my internal interfaces

Can some guide me how to deploy a checkpoint to ISP providers with topology details.

Do let me know if any other details required.

Thanks

Rajkumar T

Re: Checkpoint Firewall for ISP provider

Chris_Atkinson — Tue, 02 Dec 2025 14:08:51 GMT

What routing is configured on the firewall at present?

I assume 8.8.8.8 is just an example IP and you aren't actually seeing an ARP on a local segment for the google DNS server?

Re: Checkpoint Firewall for ISP provider

the_rock — Wed, 03 Dec 2025 03:56:10 GMT

Can you send a screenshot of how you have topology configured? Please blur out any sensitive data.

Re: Checkpoint Firewall for ISP provider

TRajkumar — Wed, 03 Dec 2025 04:13:15 GMT

Hi Chris

Routing: Configured the default route as next hop is external router IP address. Moreover we enabled the ISP redundancy (Active/backup).

I did ping -I <INTERFACE NAME> 8.8.8.8 and there is no replay for the ICMP request. When i check the arp -a, i noticed arp messages on external interfaces and incomplete arp for google.dns on all other interfaces interfaces.

In addition, if i try ping -I <EXTERNAL INTERFACE> 8.8.8.8 i got the response.

Thanks

Rajkumar T

Re: Checkpoint Firewall for ISP provider

TRajkumar — Wed, 03 Dec 2025 04:16:57 GMT

Hi Rock,

Attached the topology here. Hope it gives required details.

Thanks
Rajkumar T

Re: Checkpoint Firewall for ISP provider

the_rock — Wed, 03 Dec 2025 04:20:21 GMT

Not really. I will send what I was referring to Wednesday morning.

Re: Checkpoint Firewall for ISP provider

Martijn — Wed, 03 Dec 2025 08:21:27 GMT

Hi,

Can it be the ICMP reply is routed back to the other external interface?
Can you check with fw monitor or tcpdump?

A simple network diagram might help.

Martijn

Re: Checkpoint Firewall for ISP provider

Ruan_Kotze — Wed, 03 Dec 2025 09:49:11 GMT

Hi Rajkumar

Not sure if I am missing something basic, but why are you expecting to see an ARP entry for Google's DNS? ARP resolves MAC address to IP on your local L2 network. Do you have your respective ISP router's addresses (gateway's default gateway(s)) in your ARP table and vice versa?

If not try doing a gratuitous arp: "arping -c 4 -A -I eth1 100.100.100.2"

If the IPs are not physically assigned do the following:

Expert# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
Expert# arping -c 4 -A -I eth1 100.100.100.2

Ruan

Re: Checkpoint Firewall for ISP provider

the_rock — Wed, 03 Dec 2025 13:07:40 GMT

Hey @TRajkumar

This is what I was referring to.

Re: Checkpoint Firewall for ISP provider

TRajkumar — Fri, 05 Dec 2025 06:29:20 GMT

Hi Raun,

I got the respective router (Nexthop) ARP messages and can able to ping without issue.

But the problem is i can't able to reach internet from internal interface (Public IP address configured) Since i deploying checkpoint firewall for ISP provider.

Thanks
Rajkumar T

Re: Checkpoint Firewall for ISP provider

TRajkumar — Fri, 05 Dec 2025 06:35:39 GMT

Hi Martijn,

From my external interfaces i can able to reach internet(Request and response). But from my internal Interface i can't get the response. When i doing an tcpdump i noticed interface not now to forward the packet( APR issue).

Here im deploying checkpoint for ISP provider, So my external and internal interfaces have public IP address only.

I attached the simple diagram here, My major doubt is checkpoint will work for ISP providers ?

Thanks
Rajkumar T

Re: Checkpoint Firewall for ISP provider

TRajkumar — Fri, 05 Dec 2025 06:39:03 GMT

Hi Rock,

In the topology im using Specific option, and i specified the Network object there.

Since i'm using Public IP address (LAN pool IP addresses of ISP) which is /29 network.

Thanks

Rajkumar T

Re: Checkpoint Firewall for ISP provider

Martijn — Fri, 05 Dec 2025 07:39:37 GMT

Hi,

You can reach the internet from the external interface so you should have a MAC address in your ARP table.
You cannot reach the internet from the internal interface. What do you mean by that? Are you testing from a internal host of the internal interface?

I would test again with a real internal host, check the logs and do a trace on the internal and external interface if you still are unable to reach the internet from the internal networks.

Martijn

Re: Checkpoint Firewall for ISP provider

emmap — Fri, 05 Dec 2025 07:50:29 GMT

The topology must contain all the networks that are behind the interface, not just the local subnet. Set the topology as indicated above for your internal facing interface and you'll have more success. Make sure the internet facing ones are set as External.

Re: Checkpoint Firewall for ISP provider

TRajkumar — Wed, 10 Dec 2025 04:25:06 GMT

Hi Martijn,

What i expect is my internal network should reach the internet. but in my case its not happening. Logs shows accepted by the correct rule, No drops on fw ctl.

My query is is that checkpoint will handle the public IP address on the internal interfaces or not.

Thanks

Rajkumar T

Re: Checkpoint Firewall for ISP provider

TRajkumar — Wed, 10 Dec 2025 04:28:05 GMT

Hi Emmap,

Yes, i tried with networks behind the interfaces no luck. And external interfaces are internet facing interfaces.

There is a only network (/20) behind the interface so i used specified option.

Thanks

Rajkumar T

Re: Checkpoint Firewall for ISP provider

emmap — Wed, 10 Dec 2025 05:08:04 GMT

Set it to 'Network defined by routes' as the_rock suggested with those screenshots. It's the most reliable option.

Re: Checkpoint Firewall for ISP provider

Wolfgang — Wed, 10 Dec 2025 09:22:52 GMT

@TRajkumar you wrote "In this setup we don't require a NAT, since we already using the public IP addresses."

Are you sure you don't need NAT? You're using official IP-addresses in your internal network, right?

If yes, how about the return traffic to your internal networks from the internet. Maybe these coming back via the wrong ISP provider.

If you are using private IPs internal, you definitly need NAT.