Hello,
Let me first start off by making it known that I am not a Network guy by far. I am more Infrastructure but do dabble and have some skill in quite a few areas. The more you know the better, right? lol.
So here is the scenario, I have Residential internet from AT&T, 1 Dynamic IP and a set of 5 Static IPs behind that, the modem/router is in IP Passthrough mode. I recently migrated from my Palo Alto PA-3050 where this setup "Just Worked". I now have 2 Checkpoint 5800's running Gaia R80.40 in a cluster and cannot for the life of me seem to get things back the way they were.
First attempt, give each Security Gateway a dynamic Internal IP from the modem/router on the 192.168.1.X/24 network. Configure the VIP and then select Gateway 1 to forward the traffic to from the modem/router. This works and I get internet, but can only use the Public Dynamic IP, can't use any of the static IPs behind that.
Second attempt, give each Security Gateway a Public IP, assign the Cluster VIP. This does not work, I don't get internet at all.
Third attempt, forward the traffic to Gateway 1, allow it to receive the Public Dynamic IP. Can't create the Cluster VIP as not both Gateways are in the same subnet, thus no internet.
Has anyone ever successfully configured a Checkpoint cluster behind a residential AT&T router/modem? Am I doing something wrong? Am I missing something? Any help or guidance is greatly appreciated.
R80.40 is End of Support, FYI.
You may have to use NAT to use the static IPs.
Yes, I know it is EoS, I just need to hold off for a few more weeks until I receive my SMS then I can upgrade all to R82. I had to downgrade them to R80.40 due to the current SMS which is a bit older and only supports up to R80.40. Can you provide an example of a good working NAT, theoretically that is? I have tried a few different NAT scenarios and none seem to yield the required result. At the end of the day I just need to be able to use the Static IPs as a lot of my services are pointed to them.
What kind of NAT did you try? Hide or static?
I have tried both Hide and Static with no luck. Although, I will say that it is completely possible that the NAT rule wasn't set up correctly to begin with. I pretty much got lost with trying to translate Original and Translated with the Dynamic IP and one of the Static IPs, along with using Hide and Static.
Just try hide NAT, hide behind AT&T's router.
I'm assuming this is where that change would be made??
Yup.
UPDATE - After some more tinkering I have come to believe it's a Checkpoint thing, whether a missed setting or misconfiguration. I assigned the Gateways Static IPs, configured the cluster, installed Policy and now the only IP that works is the statically assigned IP to gateway #1. I tried with IP Passthrough both on and off and got the same result. Are there any good YouTube videos out there that would cover the cluster configuration?
Please provide screenshots of the exact configurations you've made here (hide the sensitive details).
You might also want to check that those IPs are being routed to the active gateway from the AT&T router by checking with tcpdump.
Nothing has changed on the AT&T side, previously with my Palo Alto, this just worked. I just configured one of the interfaces for DHCP and it received the IP. I was then able to use the Dynamic IP and the Static IPs behind that with no issue. I'm sure Checkpoint does things a bit different than Palo Alto, thus my predicament. Just not sure what I'm missing or misconfigured.
You tried doing NAT on the object, right?
Well, I have now. Seems to have cleared the issue on some objects but not all. So it seems that I am just not familiar enough with Checkpoint. Thank you for the info and responses, truly appreciated.
Top info!
Yea, there are lots of great videos on that topic online.
 
					
				
				
			
		