Can't agree more, either go with HA site approach so you have a primary and backup sites or stretch L2 and make firewalls part of cross-site load sharing cluster. 

Or "learn" each server's default gateway and have path statically configured on R1  

You don't want to not redistribute specific routes, you should only have a difference in weight/priority which should be defined in the Router 3 level.

This way if either of the 2 site paths is interrupted it will still know how to get to the servers.

Hi Maarten Sjouw

Can I make the firewalls announce the network ranges with priority on each site using OSPF? or we can only achieve this at Router 3 level.

Thanks in advance

You should only do this on the Router 3 level, run OSPF from top to bottom and start at the beginning to make sure to accept and forward the weight of the routes through the whole path.

Make sure to set the weight of the mpls link between routers 2 at a uninteresting level, so the traffic will always take the route straight up/down, preventing the return traffic from router 3 Site B to take the MPLS path back to Site A again.

An alternative way to accomplish this, when you do not want to mess with Dynamic routing, is making use of tracking in the routers and statics based on tracking also here you need to have a second static that will take over when the tracking fails. Be sure to not set the tracking times to short.

Why is this question marked as a solution ? Or is: Is this information about redistribution true? if now, how can one ensure that routes are only advertised on specific interfaces instead of on all interfaces? a solution ? To which issue ?

Hi Ricardo

Thanks for your help.

Could you please elaborate more on the text bellow, specially when you say "different area for the firewall".

"It could help to have 2 areas, running zero between Router 1 and 2 for example and running different  area for the firewall to avoid having loops with the IBGP link if the area 0 gets broken."

Thanks in advance.

Well there are three ways to deal with this asymmetry:

1) While this asymmetric routing situation can be made to work by disabling the "Drop out of state TCP packets" checkbox under Stateful Inspection in Global Properties, this will defeat a major security feature of Check Point firewalls and the asymmetric flow of packets can cause some really odd-looking performance issues if one of the paths (A vs. B) gets heavily congested.

2) While not ideal, you can force symmetry in this situation regardless of the server's default gateway by performing a Hide NAT on the inbound traffic from the offices/stores behind the INTERNAL interface IP of the firewall.  So if the offices/stores traffic comes in through Firewall A, prior to leaving Firewall A the source IP is NATted to the INSIDE IP address of Firewall A.  The return traffic will come back to Firewall A regardless of what the server's default gateway is.  If the offices/stores traffic comes in through Firewall B, prior to leaving Firewall B the source IP is NATted to the inside IP address of Firewall B.  This will force the symmetry you desire with the following impacts:

• Use of Hide NAT assumes that connections are initiated from the offices/stores to the servers at the bottom of your diagram.
• If there are any kind of ACLs on Router2/Router3/Servers leveraging certain source IP addresses for access control, those will no longer work because all traffic from the offices/stores will look like it is coming from a single IP address, that of the firewall's inside interface.
• Extra overhead will be incurred on the firewall to perform these NAT operations, and if there are a very large number of connections from all the offices/stores to a particular server destination IP address, there is a 50k concurrent connection limit per destination IP address when Hide NAT is involved that might get exceeded. 
• You'll probably need to use Manual NAT rules to obtain the granularity needed to make this work.

3) Use of OSPF as discussed previously - this will take much more planning and setup time but in the long run will give you a lot of extra flexibility to automatically deal with full or partial site failures, and even allow some load-sharing & balancing of traffic between the two sites.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Thank you very much. The second option which was also suggested by Ricardo Gros seems to be a quick win, and to overcome the 50k limitation, I can follow the Manual NAT configuration described in your book and mentioned above.

Once again Thank you.

Right, just wanted to mention the NAT approach again but also include the limitations you might run into.  Good luck!

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Hi Tim

I got your point. Thank you very much, I will update this thread after the implementation.

Regards

Dialungana Malungo

Hi again Tim,

Just a question, do I also need to create ARP entries when doing Hide NAT to the Internal LAN as done when doing it to the public network (Internet).

Kind regards

As long as you are hiding it behind the actual internal firewall LAN IP (or CIP/VIP), no you don't need a proxy ARP.  If you are plucking an arbitrary address from that internal VLAN and hiding behind that one via a manual NAT rule then yes you will need a proxy ARP entry for it.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Hi Tim

Taking this opportunity that we talking about Manual NAT,  I wanted to share the issue that I am facing in my Remote Access VPN.

I am trying to NAT the IP addresses of my Office Pool for Remote Access VPN into a range, I have done all the configuration, and created the Manual NAT rules, when I connect to the VPN, I can see the traffic and the NAT happening in smartview tracker, but the connection is not successful. For example, ping times out. 

When I remove the NAT configuration, the office pool address is being NATed to the IP address allocated in the firewall interface, and it works fine; hence users can access everything.

Regards

To add on this, when I check on the wireshark, I can see that the traffic from one of the IPs in the range that is being used for Hide NAT is sending the request, but no reply from the machine in our local network.

Are the addresses you are manually NATting the Office Mode addresses into being plucked from the same subnet/VLAN as the firewall's internal interface?  If so you need proxy ARPs for all of those addresses, see sk30197.  Are you seeing constant ARP requests with Wireshark on the firewall's internal interface when replies are not coming back after sending the NATted traffic into the network?  Also check the output of fw ctl arp, this will tell you what IP addresses the firewall thinks it needs to proxy ARP for.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Hi Tim

The issue was found. There was a change the needed to be made on the Global Property "Merge manual proxy ARP configuration" that was not checked. After enabling it, it started working perfectly.

Kind regards

Dialungana Malungo

Hi Timothy Hall 

I would like to take this thread to ask you another question.

I quote from your book on page 299  with regards to IPS Protection Scope "Also consider the positioning of the subject firewall in your network; the correct setting is likely to be different for a firewall deploayed on the perimeter of your organization, as opposed to another firewall buried deep inside your internal network with no direct Internet access."

We currently have this situation where we have an external Firewall with direct access to the Internet, and an Internal Firewall Firewall with no direct Intenet Access. Based on your experience which IPS Protection Scope would you recommend for each Firewall.

For example: External Firewall -> Perform IPS Inspection on all Traffic, and Internal Firewall -> Protect Internal Hosts Only

Thanks in advance

This setting is only relevant for an R77.30 or earlier gateway; using it in conjunction with IPS exceptions is a bit clumsy.  For an R80.10+ gateway you can explicitly define what IPS profile you want to apply to certain traffic right in your main TP policy; you can even have different IPS profiles of varying strictness applied to different types of traffic.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Thanks Tim, 

We are still using R77.30, but migrating to R80.20 soon.

Thank you. I will update this thread after the implementation, I will sit with the other teams and discuss the possibilities that we have.

I'd suggest starting a new thread for any future questions such as these, instead of stretching out this old thread.

1) I haven't done much with Maestro yet other than read the briefs/presentations.  Looks very cool for sure though!

2) I think you mean there are 2 SND/IRQ cores and 18 Firewall Worker cores on a 20-core firewall by default, and is that default split acceptable?  It will depend on how much traffic can be fully accelerated by SecureXL and how many high speed (10 Gbps+) LAN interfaces are present and how busy they are.  Since there are 4 SND/IRQ cores allocated byd efault for firewalls with more than 20 cores, I'd say in general adjusting to a 4/16 split on your 20-core firewall would probably be a reasonable starting point. 

If there actually is a split of 18/2, I've never seen anyone get that crazy with the number of SND/IRQ cores.  On R80.10 and earlier the locking and coordination overhead begins to exact a toll when there are more than 6 SND/IRQ instances, and the performance gains as each SND/IRQ core is added above 6 are not quite as linear, but doing so still improves performance if there is a high amount of fully-accelerated traffic.