topic Re: I need help with routing in Spark Firewall (SMB)

I need help with routing

kb1 — Thu, 21 Nov 2019 19:33:09 GMT

So i need to configure routing on my 1100 firewall and below is the information i have for the configuration-

Site subnet: 10.40.3.X/24

Eth LAN2 (vlan20 –secured): 10.40.3.21/29; dgw= 10.40.3.20/29 (int Gi0/2)

Eth LAN5 (vlan 10 - unsecured): 10.40.3.11/29, dgw = 10.40.3.10/29 (int Gi0/1)

Source network:

216.152.218.X/32

Destination networks:

Checkpoint Portal/Blade - https://10.169.90.4/sslvpn

149.122.13.X/32

So what would be the command on cli since i only have console access to configure routing?

Fo reference below is the routing configuration for another 1100 appliance and i was told that the routing should be similar to this one-

# Static routes
delete static-routes
add static-route service Any destination 10.0.0.X/8 nexthop gateway ipv4-address 10.43.1.20" metric 0
set static-route 2 service Any destination 10.0.0.X/8 nexthop gateway ipv4-address 10.43.1.20 metric 0 disabled false
add static-route service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 3 service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"
add static-route service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 1 service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"

I cannot figure out what the destination network should be as is shown for above configuration, just keeps showing error and so whenever i try out something.

Re: I need help with routing

kb1 — Thu, 21 Nov 2019 23:19:58 GMT

maybe the destination network has to be any or something?

Re: I need help with routing

G_W_Albrecht — Fri, 22 Nov 2019 08:19:17 GMT

Can you rather draw a network plan ? I seem not to be able to figure it out from what you wrote...

Re: I need help with routing

mdjmcnally — Fri, 22 Nov 2019 10:18:33 GMT

add static-route service Any destination "149.122.13.X/32" nexthop gateway ipv4-address "X.X.X.X" metric "1"

Obviously need to replace the X with actual number required which obviously we don't have.

We won't know the next hop address on your network so cannot tell you what the X need to be

Re: I need help with routing

kb1 — Fri, 22 Nov 2019 16:16:16 GMT

so the next hop is the dgw specified in my post

Re: I need help with routing

kb1 — Fri, 22 Nov 2019 16:17:26 GMT

The firewall is on version R77.20 by the way.

Re: I need help with routing

kb1 — Fri, 22 Nov 2019 16:24:43 GMT

so the config that you see is what i received from the telecom team, and this firewall is connected to a switch where the lan 2 port of the firewall is connected to the gi0/2 port of the switch and the lan5 pot is connected to gi0/1 of the switch as shown in the config below, i know that the writing is a bit confusing but yeah thats the info i received-

Eth LAN2 (vlan20 –secured): 10.40.3.21/29; dgw= 10.40.3.20/29 (int Gi0/2)

Eth LAN5 (vlan 10 - unsecured): 10.40.3.11/29, dgw = 10.40.3.10/29 (int Gi0/1)

All i need to configure is the routing for this firewall based on the above info, i tried the add static-route.....

command yesterday but it showed some kind of error, i will try out something today as well to see if it works or not,

so what i beleive is there should be 2 statements for the routes based on the above info. What im planning to implement today is the below commands hopefully they should work-

set static-route 1 service any destination any source 10.40.3.21/29 nexthop gateway ipv4-address 10.40.3.20 disabled false metric 0
set static-route 2 service any destination any source 10.40.3.11/29 nexthop gateway ipv4-address 10.40.3.10 disabled false metric 0

And as i mentioned for reference you can look at the routing config for the other 1100 firewall that i shared in the op which does have specific destinations by the way for the static routes.

Re: I need help with routing

kb1 — Fri, 22 Nov 2019 16:29:48 GMT

And this part here below i implemented it as a rule in a policy-

Source network:

216.152.218.X/32

Destination networks:

Checkpoint Portal/Blade - https://10.169.90.4/sslvpn

149.122.13.X/32

Re: I need help with routing

kb1 — Fri, 22 Nov 2019 17:45:51 GMT

So those commands that i mentioned do not work apparently, maybe there is something wrong with what i chose for the source,dest,next hop ip values.