Ulysses_Almeida
Explorer

Management with multiple external IPs

Hi,

  Today I have my management in a private 172.16. network, and it is hidden through NAT, configured on its object, behind a 4400 firewall.

  I also have two ISPs with two different IP ranges. I want to configure fault tolerance between ISPs for my VPN infrastructure. But in the tests I have made I realized that every time ISP1 is out (the one whose IP is configured to NAT the management), my VPN connections stop working due to the lack of CRL checks, since the management IP is out.

  Considering I can't configure the management object to be hidden behind two different IPs at the same time, I was wondering if it is safe to put the management connected directly to the Internet and then fully implement fault tolerance between ISPs.

  If not, can you suggest any other alternatives to implement fault tolerance between ISPs?

  Best regards,

3 Replies
Danny
Champion

What you could do:

1 - Create another management object with an external IP address from your secondary ISP (don't establish SIC, as this will just be a dummy object), then create a manual static NAT rule that translates traffic from your gateways to this external IP to your real management server's internal IP.

2 - Put your management in the cloud. Create a gateway in front of it for firewall infrastructure security.

3 - Slap your ISPs if your internet connection goes down for such long time frames that CRL checking starts to fail and VPN goes down (Default: 24 hours).

4 - Ask your Check Point Partner / Managed Service Provider (MSP) to host your firewall management within their NOC/NSOC.

5 - Configure Pre-Shared Secret based VPNs that don't require CRL checking.

6 - and many other alternatives....

Ulysses_Almeida
Explorer

Hi Danny, thanks for your answer,

  I tried the first one. Now an error appears in my SmartConsole: "Failed to communicate with peer 'name_of_dummy_object'". Also, no logs were received during a test in which I disconnected ISP1 (something that I also want to prevent). And more than half of my 60 remote offices came down, almost instantly, once the Management Server IP was no longer up.

  Thanks anyway, I'll keep looking for a solution and come back here if I find any.

Houssameddine_1
Collaborator

In addition to what Danny said you can do the following:

- If the VPNs are between Check Point gateways managed by the same management server, you can't use a pre-shared secret. You can use a 3rd-party CA like GoDaddy or others, or you can use your own CA, where the FW will use DNS to figure out how to reach the CRL distribution point (when using the Check Point ICA, the GWs don't use DNS; they use the database to resolve the IP of the mgmt server to retrieve the CRL).

- Another option: if you control your GWs and the management server and they are physically secured, you can disable the CRL fetch mechanism in GuiDBedit.

Thanks
