akurtasanov
Contributor

Identity propagation ClusterXl members

It became necessary to establish a connection between PDP and PEP in Identity Sharing mode from the interfaces of ClusterXL members. In short, the analogue of the cause of sk63264.
Is it possible?
The need is that some of the equipment must work via Route-Based IPsec, and, as it turned out, NAT is not possible with vti/vpnt.
Maybe there is an option to set a source IP to establish a connection?

6 Replies
emmap
MVP Gold CHKP

You want to change the IP address being used for ID sharing? We can do that: https://support.checkpoint.com/results/sk/sk60701

akurtasanov
Contributor

I saw this SK. I think it doesn't quite fit. The following is required.
There is an Identity Sharing Gateway.
A cluster with a VIP main IP of 172.21.56.1 connects to it. NAT is created. When accessing through regular interfaces via the backup ethxx channel, everything is fine. But when accessing via IPsec, the traffic doesn't follow the NAT rule. Traffic from the VPN simply ignores the NAT and goes from the VPN's src IP (let's say 192.168.1.1 ClusterMemberA, 192.168.1.2 ClusterMemberB). And the output I get is the situation described in sk63264 - Identity Sharing GW with two Incoming sessions from 192.168.1.1 and 192.168.1.2.

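The symptom described in the reply above (the Identity Sharing gateway seeing one session per cluster member instead of a single session from the VIP) is easy to spot once you look at the source addresses of the accepted sessions. The script below is an added illustration, not code from the thread or from Check Point: it parses a constructed, simplified session export (the `timestamp action key=value` line format and the `identity_sharing` service name are assumptions, not Check Point's real log format) and classifies the sources against the VIP 172.21.56.1 and the member addresses 192.168.1.1 / 192.168.1.2 given in the post.

```python
from collections import Counter

# Constructed sample of accepted/dropped sessions as an operator might export
# them from the Identity Sharing gateway (PDP side). Illustrative format only,
# not Check Point's actual log layout.
SAMPLE_SESSIONS = """\
2024-01-01T10:00:00 accept src=192.168.1.1 dst=10.0.0.5 service=identity_sharing
2024-01-01T10:00:01 accept src=192.168.1.2 dst=10.0.0.5 service=identity_sharing
2024-01-01T10:00:02 accept src=172.21.56.1 dst=10.0.0.5 service=https
2024-01-01T10:00:03 drop src=203.0.113.9 dst=10.0.0.5 service=identity_sharing
"""

# Addresses taken from the thread: the cluster VIP and the two member IPs
# that show up as VPN source addresses when the hide NAT is bypassed.
CLUSTER_VIP = "172.21.56.1"
CLUSTER_MEMBERS = {"192.168.1.1", "192.168.1.2"}


def parse_sessions(text):
    """Parse 'timestamp action key=value ...' lines into dicts.

    Blank or malformed lines are skipped rather than raising.
    """
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        record = {"ts": parts[0], "action": parts[1]}
        for token in parts[2:]:
            key, sep, value = token.partition("=")
            if sep:
                record[key] = value
        sessions.append(record)
    return sessions


def check_identity_sharing_sources(sessions, vip, member_ips,
                                   service="identity_sharing"):
    """Classify accepted identity-sharing sessions by their source address.

    Returns a dict with:
      status       "ok"         every session comes from the VIP
                   "member_ips" members connect with their own addresses
                                (the two-session situation from the thread)
                   "unexpected" some source is neither VIP nor a member
                   "none"       no matching sessions were seen
      from_vip     number of sessions whose source is the VIP
      from_members Counter of sessions per member address
      other        Counter of sessions from any other address
    """
    from_vip = 0
    from_members = Counter()
    other = Counter()
    for s in sessions:
        # Only accepted sessions of the identity-sharing service matter here.
        if s.get("action") != "accept" or s.get("service") != service:
            continue
        src = s.get("src")
        if src == vip:
            from_vip += 1
        elif src in member_ips:
            from_members[src] += 1
        else:
            other[src] += 1

    if other:
        status = "unexpected"
    elif from_members:
        status = "member_ips"
    elif from_vip:
        status = "ok"
    else:
        status = "none"
    return {"status": status, "from_vip": from_vip,
            "from_members": from_members, "other": other}


if __name__ == "__main__":
    result = check_identity_sharing_sources(
        parse_sessions(SAMPLE_SESSIONS), CLUSTER_VIP, CLUSTER_MEMBERS)
    print(result["status"], dict(result["from_members"]))
```

Run against the constructed sample, the check reports `member_ips` with one session each from 192.168.1.1 and 192.168.1.2; the https session from the VIP is ignored because it is not the identity-sharing service. Once the hide NAT applies to the VTI traffic, the same check should report `ok` with all sessions sourced from 172.21.56.1.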
emmap
MVP Gold CHKP

Does your VTI have a VIP configured in SmartConsole?

akurtasanov
Contributor

Yes. Explicit Hide rule. NAT doesn't work.

There is a backup plan to simply connect directly to the collector because it initiates the connection, but I would like to try to make the current configuration work.

emmap
MVP Gold CHKP

This might be a job for TAC, I don't have the setup to test this at the moment. I'm not aware of any reason why it should or should not work but I also haven't tried it before.

akurtasanov
Contributor

According to the latest tests, R82.10 supports NAT for vpnt interfaces. But tested only on a single device.
