demirdag
Explorer

Network Objects and DNS.

Hello and Good afternoon,

I'm currently managing a cluster of two 6000 series Appliances and a number of 1575 Gateways that are connected to the main 6000 appliances with an IPsec VPN.

At the moment the remote locations are reliant on the DHCP and DNS servers in our headquarters. We want to change this so that the remote office is independent when the IPsec VPN fails. This means DHCP must be done on the remote firewall for each VLAN and something must be done about DNS.

Moving DHCP to the Firewall is not a problem. Divide the scopes between the two firewalls and go! Works...

At the moment we have one location where we have a delegated DNS instance in our central DNS servers. We defined the DNS suffix in the firewall as location-1.company.local.

Only when I register an Access Point on the location's firewall as a network object can I ping it from headquarters. What I want to reach is that devices register themselves in the DNS on the firewall so they become network objects. One can imagine that registering devices manually is not a job anyone would want to do. All those laptops... Also, when I travel to that location I would have to register my device in the network objects DB so I can be pinged/found by my hostname. This is not done...

The question is, how do I make this work automatically? How do I make sure:

  • Devices get an IP from their local FW? ---done---
  • Devices register themselves in the firewall's DNS database?
  • When the IPsec fails, the DNS requests should be forwarded to a public DNS server by the firewall.

So far my explanation... If there are questions, let me know. My first message here and not super experienced with CheckPoint.

0 Kudos
1 Reply
PhoneBoy
Admin

Just to clarify: you want a device to register itself to the DNS server inside the 1575?
This may be possible by hacking the dnsmasq configuration, with the configuration file in /pfrm2.0/etc/dnsmasq.conf.
"When IPsec fails," the only way you can achieve that is by specifying a public DNS as a backup, as far as I know.

0 Kudos
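As an added illustration of the dnsmasq approach PhoneBoy describes (this is not Check Point's shipped configuration or code from this thread), the directives below make DHCP leases on the branch gateway answerable as DNS names under location-1.company.local, send company.local lookups only to the HQ resolver over the VPN, and fall back to a public resolver for everything else when HQ stops answering. The VLAN range, the gateway address 192.168.10.1, the HQ resolver 10.0.0.53 and the public resolver are constructed placeholders, and whether the 1575 regenerates /pfrm2.0/etc/dnsmasq.conf on its own is an assumption to check before relying on hand edits.

```conf
# Added example for a branch gateway that serves both DHCP and DNS.
# All addresses below are constructed placeholders, not values from the thread.

# Serve DHCP on the branch VLAN; every lease doubles as a DNS record
# as long as the client sends its hostname (DHCP option 12, the default
# on Windows, macOS and most Linux clients).
dhcp-range=192.168.10.100,192.168.10.200,255.255.255.0,12h
dhcp-authoritative

# Names learned from DHCP get this suffix and are answered as
# <hostname>.location-1.company.local, so HQ can reach them via
# the delegated zone once the gateway is listed as its name server.
domain=location-1.company.local
expand-hosts

# Never forward the branch zone upstream: answer it from leases only.
# An unknown local name then fails here instead of leaking to the internet.
local=/location-1.company.local/

# Everything else under company.local is only ever sent to HQ over the VPN,
# never to the public resolver, even while the tunnel is down.
server=/company.local/10.0.0.53

# General internet names: HQ first; dnsmasq moves to the next server in
# the listed order only after the preferred one fails to answer
# (e.g. the IPsec tunnel is down). no-resolv keeps /etc/resolv.conf out of it.
no-resolv
strict-order
server=10.0.0.53
server=9.9.9.9

# Hand clients this gateway as their DNS server plus the search suffix,
# so "ping laptop01" from inside the branch resolves without the VPN.
dhcp-option=option:dns-server,192.168.10.1
dhcp-option=option:domain-search,location-1.company.local
```

Hosts that will roam between sites should still register through DHCP rather than static network objects; the split between local=, the domain-specific server= and the plain server= lines is what keeps internal hostnames off the public resolver during an outage.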
