Checkpoint Gateway Proxy Mode Configuration

Harmesh_Yadav · ‎2018-05-08

We have ad environment and checkpoint is in cluster OS Gaia R80.10.

We wanted to configure ad authentication and also enable checkpoint gateway as a non-transparent proxy .

I found below SK sk123673 :- Redirection to Captive Portal is not working when Security Gateway is configured as proxy

How can I configure Proxy with authentication or single sign on

Harmesh Yadav

Harmesh_Yadav · ‎2018-05-08

Also we wanted to user SSL VPN so in this case gateway mode and proxy mode both mode is require

Harmesh Yadav

G_W_Albrecht · ‎2018-05-08

I do not fully understand your question - sk123673 tells us that for customers who want to use R80.10 GW as a non-transparent proxy and UserCheck needs a special Hotfix from CP.

But i also have to add that using the GW as a proxy can have side effects (and it has a lot of other things to do ;-), so i always prefer squid on a server as a proxy!

CCSE CCTE CCSM SMB Specialist

Harmesh_Yadav · ‎2018-05-08

Exact need is below From COMPANY A without disturbing topology of Company B

Checkpoint Gateway In Proxy Mode (Explicit Proxy )
AD authentication
SSL VPN
IP based Internet and MPLS Connectivity .

Present Setup

-------------------------------------------------------------------

MPLS A and MPLS B is connected with L3 Switch

Presently Users Of Company B and Company A are using internet through MPLS B

== LAN USER configured with Proxy à L3 Switchà MPLS B à Internet of Company B ( Different GEO Location )

== LAN User Who wanted to use Application behind mpls A à L3 à MPLS Aà Application Server

In lan side user which is behind l3 Switch (some users is related to Company A and Some users are Company B ) In same lan connectivity .

-------------------------------------------------------------------

Scenario after checkpoint comes in topology

User A want internet from checkpoint = User Company A -à L3 Switch -à Checkpoint Firewall -à Internet (ISP)

User B want internet from MPLS B = User company B à L3 Switch à MPLS B -à Internet of Company B ( Different GEO Location )

== LAN User Who wanted to use Application behind mpls A à L3 à MPLS Aà Application Server

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This all we need in one cluster (Two Checkpoint Gateway ) With R80.10 OS and MGMT IN VM

So, I'm thinking to do proxy for Company A because we cannot forward default traffic to checkpoint firewall from L3 Switch to entering default route. We can user specific host route and achieve proxy setup

Harmesh Yadav

Harmesh_Yadav · ‎2018-05-09

Please help me to solve this issue .

Harmesh Yadav

G_W_Albrecht · ‎2018-05-09

You could use CP Professional Services to do the configuration.

CCSE CCTE CCSM SMB Specialist

PhoneBoy · ‎2018-05-09

This is a situation where you'd probably want to use VSX.

Each company would be provided a virtual firewall, each of which could have a different default route without using a proxy.

The authentication piece should probably be done with Identity Awareness (specifically Identity Collector) without using Captive Portal, especially if AD is involved.

More info here: Identity Awareness R80.10 Administration Guide

Are you a member of CheckMates?

Checkpoint Gateway Proxy Mode Configuration