This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andrey_Korobko
Contributor
‎2017-10-05 06:31 AM
Jump to solution

Management behind NAT

Good day.
Help me to solve the following problem:
1. We have a dedicated management server (M) with a local IP address (10.1.0.100)
2. In the local network, there are several firewalls A and B (HW 5000) (10.1.1.200 and 10.2.1.200)
3. Outside the local network, we have branches in which the firewalls C, D, E (HW 1400), etc. are located. (1.1.1.1,2.2.2.2,3.3.3.3)

During the configuration of this topology, the problem of adding firewalls of branches (C, D, E) to the management server.

In order for the branch firewalls to see the management server from the outside(internet) and be able to interact with it, an automatic static rule was made (ext IP 5.5.5.5) and the function "Apply for SG control connections" is enabled

In this configuration, the branch firewalls work fine, but the local firewalls do not interact with the management server since they attempt to establish a connection with mng server (M) to an external address configured with a static nat.

How to be in this situation?

1 Solution

Accepted Solutions
Nader_Assi__Old
Contributor
‎2017-10-05 08:33 AM
Jump to solution

Have you checked the sk100583 - Troubleshooting "SmartCenter behind NAT" issues?

If not, look at the Scenario 4.

View solution in original post

3 Replies
Nader_Assi__Old
Contributor
‎2017-10-05 08:33 AM
Jump to solution

Have you checked the sk100583 - Troubleshooting "SmartCenter behind NAT" issues?

If not, look at the Scenario 4.

Danny
Champion Champion
Champion
‎2017-10-05 09:22 AM
Jump to solution

Hello Andrey,

this is a very common issue, you have done everything correctly.

In order to have your local firewalls to talk to your management server on its local IP address (10.1.0.100), simply replace the external IP with the local one of your management within the $FWDIR/conf/masters file of each affected gateway (sk40090) and prevent it from being overwritten on policy install (sk102712). That's it.

emreturkmenler
Contributor
‎2020-05-14 05:23 AM
In response to Danny
Jump to solution

Hi,

Thank you for the solution as I did as the SK asked and the gateways are able to send from the internal interfaces.

But the thing is it is still trying to communicate with the external interfaces as in means on there is 2 connection from each gateway one from the internal ( as established) , still one from the external (syn_recv) on the netstat table.

I tried to cpstop/cpstart but didn't disappear and it is continuously sending the traffic from both interfaces as this is causing to log locally.

Couldn't see any details on the SK's , has anyone had this issue?

 

Thank you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events