sandeepsutar
Participant

DNS Resolution Issue for Spoke Firewalls over MPLS (Using External IP Instead of Internal)

Hi Team,

We have a hub-and-spoke MPLS setup where:

  • DNS server is located at the hub site
  • Spoke locations connect via MPLS
  • DNS server is configured to allow queries only from internal network ranges

🔹 Issue:

Spoke Check Point firewalls (Gaia & SMB models) are unable to resolve DNS for updates (IPS, AV, URL Filtering, etc.).

On investigation:

  • Firewalls are sending DNS queries using their MPLS WAN (external) IP
  • DNS server blocks these requests since only internal IP ranges are allowed
  • As a result, update services are failing

🔹 Constraints:

  1. At spoke, only two interfaces are in use (Internal + External)
  2. Management interface is not currently used
  3. We want to avoid NAT configuration

🔹 Questions:

  1. Why does the firewall use the external interface IP for DNS queries instead of internal? Is there a way to make it initiate using the internal interface IP?
  2. In Gaia, there is an option:
    • Network Management → Network Interfaces → Management Interface
    • What exactly does this control?
    • If we assign the internal interface as the management interface, will DNS queries originate from the internal IP?
  3. This option is not available on SMB:
    • Is there an alternative way to control DNS source IP on SMB devices?
  4. What is the recommended approach in such MPLS deployments?

🔹 Goal:

Ensure firewall-originated DNS queries use internal IP, so they are allowed by the DNS server.

Regards,

@emmap 


Any guidance or best practices would be appreciated.

0 Kudos
3 Replies
CheckPointerXL
Advisor

I think you are asking for something that would trigger local anti-spoofing.

Probably only NAT is the solution.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Source address is based on routing; it will take the interface address nearest to the destination.

MPLS with external IPs would be considered unusual here given IPv4 conservation efforts.

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin

By default, traffic originating from the gateway itself uses the source address of the egress interface per the routing table.
SMB appliances do have an option to use the internal IP per sk119415.
Not aware of how to achieve this on non-SMB devices.

0 Kudos
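To make the source-selection rule in the replies concrete, here is an added example that is not from the thread or from Check Point: it performs a longest-prefix route lookup over a constructed spoke routing table, reports which interface (and therefore which source IP) a gateway-originated DNS query to the hub DNS server would use, and checks that source against the DNS server's allow-list. All addresses, prefixes and interface names are hypothetical.

```python
import ipaddress

# Constructed spoke routing table: (prefix, egress interface, interface IP).
# The hub networks are reached over MPLS, so their next hop is the WAN interface.
SPOKE_ROUTES = [
    ("0.0.0.0/0",       "eth0-WAN", "203.0.113.10"),  # default route via MPLS (external IP)
    ("192.168.10.0/24", "eth1-LAN", "192.168.10.1"),  # spoke internal LAN
    ("10.0.0.0/8",      "eth0-WAN", "203.0.113.10"),  # hub networks, also via MPLS
]
DNS_SERVER = "10.0.0.53"                       # hypothetical hub DNS server
DNS_ALLOWED = ["10.0.0.0/8", "192.168.0.0/16"]  # DNS server accepts internal ranges only


def egress_for(dst, routes=SPOKE_ROUTES):
    """Longest-prefix match over the routing table.

    Returns (interface, source_ip): a packet the gateway itself originates
    carries the address of the egress interface chosen by this lookup.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, src)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def dns_query_allowed(src_ip, allowed=DNS_ALLOWED):
    """True if the DNS server's allow-list covers the query's source address."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowed)


def diagnose(dst=DNS_SERVER):
    """Which interface/source the spoke would use for dst, and whether DNS accepts it."""
    ifname, src = egress_for(dst)
    return {"interface": ifname, "source_ip": src, "allowed": dns_query_allowed(src)}


if __name__ == "__main__":
    result = diagnose()
    print(f"DNS query to {DNS_SERVER} leaves via {result['interface']} "
          f"with source {result['source_ip']}; allowed by DNS ACL: {result['allowed']}")
```

Running it with the constructed table shows the failure the original post describes: the hub prefix is reached via the WAN interface, so the query is sourced from the external IP and rejected, whereas a query towards a LAN host would be sourced from the internal IP. Substituting the real output of `show route` (or `ip route` in expert mode) for the table lets you confirm the expected source before changing NAT or allow-lists.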
