https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164297#M7903 <DIV class=""><DIV class=""><DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><SPAN>Hi!</SPAN></DIV></DIV><DIV class=""><DIV class=""><SPAN>So first things first our setup is two Check Point 790 Appliance, the main is FW1, the secondary is FW2! This two is set in High Availability mode. Both Firewall has </SPAN><SPAN>R77.20.87</SPAN><SPAN> version which is the latest what i found.</SPAN></DIV></DIV><DIV class=""><DIV class=""><SPAN>We have a problem with the Check Point FW1 firewall! When we on FW1, we cant reach the internet from internal network, and we can't get any data from the Check Point Firewall with monitoring tools also. Our ISP says that they cant see any problem at all, they can reach their own modem they see traffic on it. So we tried to reach internet from internal network, with browsers and with ICMP, no response at all. From inside we can reach the gateway, with browsers and with ping also, we can reach the servers etc, </SPAN><SPAN>so the internal network works!</SPAN><SPAN> We tried "Ping or Trace an IP Address |&nbsp; Host name or IP address:" on the Check Point FW1, the Check Point can reach the internet through ICMP protocol, </SPAN><SPAN>so the Check Point can reach the internet!</SPAN><SPAN> The physical layer was checked, no problem was found! The switches and the cables was tried out and works fine! So we pulled out the FW1 WAN cable, and because the High Availability the FW2 became the gateway, and everything works fine! Internal network can reach the internet, VPN's works etc... We tried to switch it back to FW1, so we plugged back the WAN cable, and pulled out the FW2 WAN cable. The FW1 become the gateway. The problem was the same as I mentioned. So we changed back to FW2! It seems like a NAT problem, but I didn't found anything that is incorrect. IP address and DNS etc, it is well set. </SPAN></DIV></DIV><DIV class=""><DIV class=""><SPAN>I'm still getting to know the checkpoint so maybe it is something obvious. Thanks a lot!</SPAN></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Tue, 06 Dec 2022 09:01:30 GMT r0kika 2022-12-06T09:01:30Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164297#M7903 <DIV class=""><DIV class=""><DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><SPAN>Hi!</SPAN></DIV></DIV><DIV class=""><DIV class=""><SPAN>So first things first our setup is two Check Point 790 Appliance, the main is FW1, the secondary is FW2! This two is set in High Availability mode. Both Firewall has </SPAN><SPAN>R77.20.87</SPAN><SPAN> version which is the latest what i found.</SPAN></DIV></DIV><DIV class=""><DIV class=""><SPAN>We have a problem with the Check Point FW1 firewall! When we on FW1, we cant reach the internet from internal network, and we can't get any data from the Check Point Firewall with monitoring tools also. Our ISP says that they cant see any problem at all, they can reach their own modem they see traffic on it. So we tried to reach internet from internal network, with browsers and with ICMP, no response at all. From inside we can reach the gateway, with browsers and with ping also, we can reach the servers etc, </SPAN><SPAN>so the internal network works!</SPAN><SPAN> We tried "Ping or Trace an IP Address |&nbsp; Host name or IP address:" on the Check Point FW1, the Check Point can reach the internet through ICMP protocol, </SPAN><SPAN>so the Check Point can reach the internet!</SPAN><SPAN> The physical layer was checked, no problem was found! The switches and the cables was tried out and works fine! So we pulled out the FW1 WAN cable, and because the High Availability the FW2 became the gateway, and everything works fine! Internal network can reach the internet, VPN's works etc... We tried to switch it back to FW1, so we plugged back the WAN cable, and pulled out the FW2 WAN cable. The FW1 become the gateway. The problem was the same as I mentioned. So we changed back to FW2! It seems like a NAT problem, but I didn't found anything that is incorrect. IP address and DNS etc, it is well set. </SPAN></DIV></DIV><DIV class=""><DIV class=""><SPAN>I'm still getting to know the checkpoint so maybe it is something obvious. Thanks a lot!</SPAN></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Tue, 06 Dec 2022 09:01:30 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164297#M7903 r0kika 2022-12-06T09:01:30Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164376#M7907 <P>Did you follow&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk121096&amp;partition=Basic&amp;product=Quantum" target="_blank">sk121096: How to configure a <STRONG>cluster</STRONG> between locally managed SMB appliances</A>?</P> Tue, 06 Dec 2022 20:59:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164376#M7907 G_W_Albrecht 2022-12-06T20:59:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164380#M7908 <P>With reference to&nbsp;<SPAN>sk153433 which specific build of R77.20.87 is deployed here?</SPAN></P> Tue, 06 Dec 2022 21:55:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164380#M7908 Chris_Atkinson 2022-12-06T21:55:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164410#M7912 <P><SPAN>Thanks everyone for the answers, we found out the problem is with the ISP modem.</SPAN><BR /><SPAN>Clearing ARP cache on the modem solved the problem!</SPAN><BR /><SPAN>Because when the firewalls switch between primary and secondary in the ARP cache the trafic goes to the secondary, ARP cache clears automatically after a hour in default, we changed it to 3 minutes and it works fine. It takes 5 minutes to the two Checkpoint to change which is primary member.&nbsp;</SPAN></P> Wed, 07 Dec 2022 09:33:53 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Check-Point-790-NAT-problem/m-p/164410#M7912 r0kika 2022-12-07T09:33:53Z