topic Re: How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster in Spark Firewall (SMB)

How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster?

Chris_W23 — Fri, 25 Aug 2023 18:34:09 GMT

Hello all,

I am looking for some guidance with creating a new Checkpoint cluster using 1530 SMB appliances.

I have an existing OpenServer cluster at our HQ site (R81.10) with a central SMS (also R81.10) and I need to deploy the 1530 cluster at a remote site across the Internet and centrally manage it. These new appliances are also R81.10.

The remote site is behind a 3rd party firewall/NAT with a single public IP.

This new cluster will be establishing a VPN tunnel to the HQ site.

The SMS is behind the HQ firewall with its own NAT'd public IP.

What is the best practice with respect to interface and gateway/cluster object IPs? For the new cluster and member objects, would I use the single remote public IP for all, or would I use the actual assigned physical private IPs, even though they aren't routable from the SMS? Do I need to try and obtain 3 public IPs for the remote site instead of just the one that have given me now? I'm not sure if that will be possible.

We use SmartConsole etc to manage the environment, we don't use any Checkpoint cloud management.

Here's my attempt at a diagram of the environment:

Thanks!

Re: How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster

G_W_Albrecht — Mon, 28 Aug 2023 11:32:40 GMT

Why the 3rd party FW ? This makes things rather complicated...

Re: How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster

Chris_W23 — Mon, 28 Aug 2023 13:24:58 GMT

The remote site is a partner's network and their current design has us implementing our appliance behind their firewall.

Is it too complex to do it this way? I can see if it can be installed along side their firewall instead of behind but that definitely wasn't their first choice.

Thanks!

Re: How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster

G_W_Albrecht — Mon, 28 Aug 2023 13:56:02 GMT

It is more complex than a HA Cluster facing internet. Why not do the VPN between 3rd party FW and HQ firewall ? Using a HA Cluster for VPN behind a single FW does not make much sense in regards to security for me...

Re: How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster

Chris_W23 — Mon, 28 Aug 2023 14:01:58 GMT

Our corporate policies and requirements won't allow it.

I might just have to arrange for a separate ISP connection into that site and use it instead. Might be the best idea.

Re: How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster

G_W_Albrecht — Mon, 28 Aug 2023 14:52:44 GMT

Should be possible using NAT-T:

https://support.checkpoint.com/results/sk/sk32664

https://support.checkpoint.com/results/sk/sk177823