This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
orion_son30
Contributor
‎2024-09-22 04:26 AM

ISP ClusterXL connection

 

Hi all,

I've a problem to solve that is turning my head around for the last couple of weeks. Maye someone have a simple solution for this, since I've tried some different approaches but none has worked as expected.

So, basically I've a couple of 9100 boxes in ClusterXL that I need to connect to the ISP in a particular customer. The ISP connection is delivered through a media coverter and an optional router. Logically, the ISP uses a network in the Carrier Grade NAT space (100.64.x.y/30) and the deliver a public network A.B.C.D/29 through that CGNAT. 

Right now we have the optional Router receiving the CGNAT network and then Public Network delivered to the ClusterXL through a Private network (192.168.255.0/24). I would like to remove the Router, since it's a single device (lacks redundancy) and it's not quite entrerprise material (lacks performance). I was able to easily remove the router and use the CGNAT network on the ClusterXL. The problem is that the IP on the CGNAT network used on ClusterXL side does not have Internet, which is a big problem, since the Gateways need to connect to the Internet to update IPS, App Control, etc. Also, the Management is a Smart-1 Cloud license :).

So, anyone has had some kind of a related issue? Am I able to remove the router? Or I'm destined to use the router?

Any help is much appreciated on this. I've uploaded a simple network diagram to ilustrate the network topology.

Kind regards.

 

Diagrama sem nome.drawio.png
Preview file
48 KB
0 Kudos
21 Replies
the_rock
Legend
Legend
‎2024-09-22 07:22 AM

Just an idea/suggestion...kind of "pondering" here lol. If you say that IP does not have Internet access, can it be NAT-ed to something that does?

Andy

0 Kudos
orion_son30
Contributor
‎2024-09-22 09:24 AM
In response to the_rock

Hi,

The ISP route to the CGNAT IP on the customer side a /29 Public Network with Internet access. I'm able to NAT traffic transversing my Cluster behind those IPs, but I'm not able to NAT self generated traffic on my gateways, since the VIP of the external interface is the CGNAT IP on customer side. I feel that I'm stuck with the sh**ty router. 

the_rock
Legend
Legend
‎2024-09-22 09:28 AM
In response to orion_son30

I hear ya, sorry brother...its sadly catch 22 situation.

Andy

0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-09-22 09:02 AM

Hi @orion_son30 

Nice scenario. 🙂

For the first sight, maybe do you have the opportunity to configure an existing proxy on the gateways? That would be a great workaround.

Maybe?

Akos

----------------
\m/_(>_<)_\m/
the_rock
Legend
Legend
‎2024-09-22 09:04 AM
In response to AkosBakos

Great idea @AkosBakos 

0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-09-22 09:15 AM
In response to the_rock

Thanks, this (proxy) saved my life last time 🙂

----------------
\m/_(>_<)_\m/
0 Kudos
orion_son30
Contributor
‎2024-09-22 09:32 AM
In response to AkosBakos

Hi, 

That have crossed my mind. However, one of the purposes for this new cluster is to remove from the network an old machine running an old version of Squid. I kinda feel a little bit stupid asking the customer to keep the Squid so the Firewalls can have Internet to keep the services up to date and to connect to the Smart-1 Cloud. 

0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-09-22 09:49 AM
In response to orion_son30

This is really a catch 22. Install a Cloudguard GW for proxy 🙂

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend
‎2024-09-22 10:03 AM
In response to AkosBakos

Well, I think whole issue here is how to get an actual IP that can connect to an external world...

orion_son30
Contributor
‎2024-09-23 07:13 AM
In response to the_rock

Yep, that is the issue.

Regards

0 Kudos
the_rock
Legend
Legend
‎2024-09-23 07:16 AM
In response to orion_son30

Since Im not even 5% genius compared to @AkosBakos and @PhoneBoy , lets see if they have any other ideas. Im just giving my suggestions based on what you are providing here. To me, again, just based on pure logic, unless there is a way to get NAT working to get the routable IP, not sure what else can be done...

Andy

0 Kudos
orion_son30
Contributor
‎2024-09-23 07:17 AM
In response to the_rock

Yup, that's it. I'm also out of ideas now. 🙂

Regards

0 Kudos
the_rock
Legend
Legend
‎2024-09-23 07:19 AM
In response to orion_son30

Dont lose hope, Im hopeful someone will have a "light bulb moment" 🙂

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-23 06:47 AM

With the router in place, what IPs are configured on the external interfaces of the cluster members?
When you try to eliminate the router, what IPs do you use for the gateways?

I suspect the router is doing some sort of NAT. 

0 Kudos
orion_son30
Contributor
‎2024-09-23 07:13 AM
In response to PhoneBoy

Hi,

When we use the router in place we use a network(192.168.255.0/24) dedicated to connect the router to the Firewalls. The router is the 192.168.255.1 and we have the .251 on FW1, .252 on FW2 and the .254 on the Custer IP VIP.

When we don't have the router, we need to use the CGNAT network to connect to the ISP, which is a /30 network. So, we use a "dummy" network for the physical IPs on the gateways and the IP on the CGNAT network as the Cluster IP, with the proper link local route to have connectivity with the ISP.

And yes, the router is doing NAT when it is in place. The problem is that the CGNAT network does not have Internet, so when we configure that network directly on the Cluster, the Firewalls don't have access to the Internet, since all the traffic generated by the gateways are NATed behind the Cluster IP of the External Interface.

 

Kind regards

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-23 12:00 PM
In response to orion_son30

I assume the /30 is on the far side of the router.
That means you only have one valid IP address (assuming the other end is your ISP Default Route).
That means you need to need to use that other IP for your Cluster IP using something like: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content... 

Note that only the active cluster member will be able to reach the Internet directly with this configuration.

0 Kudos
orion_son30
Contributor
‎2024-09-24 02:04 AM
In response to PhoneBoy

Hi,

Sorry, maybe I was not clear. I'm aware of the feature "Cluster IP Addresses on Different Subnets", in fact I've used to configure the /30 on my side. The problem is that the /30 CGNAT network don't have access to the Internet. So, the cluster IP don't have access to the Internet. And that is my issue. The ISP routes a /29 public network to the customer side through the /30, but as far as I know, I cannot NAT the self generated traffic behind that routed network. 

Regards

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-09-24 06:51 AM
In response to orion_son30

but as far as I know, I cannot NAT the self generated traffic behind that routed network. 

Actually you can but cluster hide/fold which is enabled by default will interfere with your attempts to do so with a rule 0 NAT that takes precedence: sk34180: Outgoing connections from cluster members are sent with cluster Virtual IP address instead ...

So you'll need to disable cluster hide/fold.  This will cause the two members to use their dedicated/fixed CGNAT addresses to initiate connections to the Internet.  Now you need to add two manual NAT rules at the top like this, making sure that ExternalZone is properly associated with the outside interface:

CGNAT Member 1 Ext CGNAT IP        ExternalZone    Original       /29_Addr_1 (Hide)     Original     Original     Member1

CGNAT Member 2 Ext CGNAT IP        ExternalZone    Original       /29_Addr_2 (Hide)     Original     Original     Member2

It is possible to NAT firewall-initiated traffic because source NAT happens on the server side between o and O.  It is not possible to NAT the destination IP of firewall-initiated traffic as that happens on client side between i and I.  You might be able to get away with using a single /29 Internet-routable address for both members as the hide but try using two separate ones first.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
orion_son30
Contributor
‎2024-09-24 07:02 AM
In response to Timothy_Hall

Hi Timothy,

I had a kind of supect that something like that was possible to do. It's Check Point, so everything is possible :D. And it seems at least a possibility to proceed.

I just have a little problem scratching my head with that solution. My Management is a Smart-1 Cloud. So, when I make those changes and push the policy to the gateway. Don't you think that I can have a little problem in the middle of the Installation. Do you think that the install will go until de end? Or it will fail because somewhere it that install it will loose access to the Internet?

Kind Regards.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2024-09-25 06:27 AM
In response to orion_son30

In the case of Smart-1 Cloud those two NATs should probably static rather than hide so the Smart-1 Cloud can initiate to the gateways.  But yes, you may run into a situation where these NATs will interfere with management coming in from the Internet as opposed to the inside when you first install policy.  If the traffic is dropped inappropriately by your policy a fw unloadlocal will not help since that will kill the NATting you are relying on too.  Also control connections between the SMS and gateways sometimes seem to have their own rule 0 NATs that may interfere as well.  Sounds like you need to schedule a nice long maintenance window to give it a shot and see what happens.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
orion_son30
Contributor
‎2024-09-25 06:43 AM
In response to Timothy_Hall

Hi,

Yep, I will need to check and see. It will be one of those situations that I will only know if it works, if it works when I try.  I will need to propose that to my customer and see what happens.

Anyway, many thanks for your input with the cluster hide/fold tip. I will try and let everyone knows the answer.

Kind regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top