andree_b
Participant

MEP - Migrate clients to new Gateway but still with the option to select preferred Gateway.

We use MEP and currently have 3 gateways enabled, and we would like to remove one gateway.


Gateway A
Located in the south of Europe; we don't want to use it anymore for Mobile Access because it has no good ISP lines to our other locations. (This firewall has VPN tunnels to remote locations, which we will keep.)
Old URL = vpnSouth.company.com

Gateway B
Located in the north of Europe; we will also use this one in the future. It has a Mobile Access license for 200 concurrent users.
URL = vpnNorth.company.com

Gateway C is located near Gateway A but with a better ISP and more powerful hardware, and it also has an Unlimited license for Remote Access.
URL = vpnSouth.company.com (taken over from Gateway A).


Due to the high number of remote access users, we decided to move the main gateway to one with better performance that is more central in our WAN network, and we also added an Unlimited license for Mobile Access.

Problem 1:

If we disable Remote Access on Gateway A, no clients are redirected to any other gateway; they can't connect anymore.
If we change the MEP priority mode, all clients are just redirected to Gateway C; clients that prefer Gateway B because it's closer can no longer manually choose this site, because they are redirected to Gateway C.

We would like to have redundancy between Gateway C & B and from B to C only if the first one doesn't respond.
How can this be done?

Problem 2:
We changed the DNS entry so the URL used in the Mobile Access client now points to the new firewall.
This didn't change anything on the client side; they are still connecting to the old gateway using its old IP.
This results in the licenses not being enough, and users cannot log in anymore once the 200 users are exceeded.
Only in a few cases are they redirected to another gateway, B or C.

Is it possible to steer all clients who connect to Gateway A over to Gateway C without doing anything on the client side?

All firewalls use the same RAS encryption domain.
Management and gateways are using R80.30 with latest jumbo hotfix.

Any ideas how this can be done?

Thanks in advance

0 Kudos
2 Replies
_Val_
Admin

Normally, this should be resolved by an appropriate edit of the GW-side trac_client_1.ttm, but the faster solution is to re-create the VPN site with C being the primary GW.

To understand what's going wrong (I assume the topology is still pointing to A as the single and only GW), look at the client-side ttm, MEP section.

Here is the twist. DNS redirection only works if the GW ttm has an FQDN and not IP addresses set up. You need to do this manually anyway. Even if you define the site by DNS name, a GW with that name will send you IP addresses, unless you change this in the file on the GW/MGMT.

Details about ttm file config are here, just in case: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
_Val_
Admin

In addition, just to make sure which parameters you want to change/verify:

1. Attribute Sub-Category = MEP

automatic_mep_topology
    Type: string
    Meaning: Enable/disable the implicit (automatic) MEP method. "false" = manual MEP method.
    Valid values: true / false
    Default value: true
    Available from client version: R75

ips_of_gws_in_mep
    Type: vector of strings
    Meaning: A list of the gateway IPs participating in MEP (the gateway IP addresses clients connect to). In "primary_backup" mode the gateway order is important. Applied only if automatic_mep_topology is "false". Addresses are separated by "&#", and the list is terminated by a final "&#": NNN.NNN.NNN.NNN&#MMM.MMM.MMM.MMM&#
    Valid values: list of IP addresses
    Default value: "" (empty)
    Available from client version: R73

mep_mode
    Type: string
    Meaning: The decision function the client uses to determine which gateway to connect to, i.e. the MEP mode and the priority of the gateways defined in ips_of_gws_in_mep. Applied only if automatic_mep_topology is "false". (This is in the Admin guide.)
    Valid values: dns_based, first_to_respond, primary_backup, load_sharing
    Default value: dns_based
    Available from client version: R73

mep_prefer_chosen_gw_grace_period
    Type: integer
    Meaning: Preferred gateway, when working in MEP (first to respond). (This is in the Admin guide.)
    Valid values: grace period in milliseconds
    Default value: 0
    Available from client version: E75.20

2. Attribute Sub-Category = DNS Resolving

enable_gw_resolving
    Type: string
    Meaning: Should the client do DNS resolving every time it connects. Enable/disable DNS resolution on each connection. Used for MEP.
    Valid values: true / false
    Default value: true
    Available from client version: R73

0 Kudos
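As an added example, not code from this thread and not Check Point's own tooling: a POSIX shell script that edits the `:default (...)` values of the MEP attributes discussed in the two replies above in a constructed, simplified copy of trac_client_1.ttm, switching the client to manual MEP in primary_backup mode with Gateway C first and Gateway B second. The file layout used in the sample (`:attribute ( :gateway ( :default (value) ) )`), the real file location `$FWDIR/conf/trac_client_1.ttm`, and the need to install policy afterwards are assumptions; the gateway addresses are documentation ranges, not the poster's.

```shell
#!/bin/sh
# Added example (not from the thread, not Check Point code). Patches the MEP
# attributes in a simplified copy of trac_client_1.ttm so that the primary
# gateway is C and the backup is B. Assumptions: the attribute layout below,
# the real path $FWDIR/conf/trac_client_1.ttm, and a policy install afterwards.
set -eu

# Constructed sample holding only the attributes named in the thread. A real
# file carries many more attributes; only ':default (...)' lines are touched.
make_sample_ttm() {
    cat > "$1" <<'EOF'
:automatic_mep_topology (
    :gateway (
        :default (true)
    )
)
:ips_of_gws_in_mep (
    :gateway (
        :default ()
    )
)
:mep_mode (
    :gateway (
        :default (dns_based)
    )
)
:enable_gw_resolving (
    :gateway (
        :default (true)
    )
)
EOF
}

# get_ttm_attr FILE ATTR: print the value inside ':default (...)' of ATTR.
get_ttm_attr() {
    awk -v attr="$2" '
        $1 == (":" attr) { in_attr = 1 }
        in_attr && $1 == ":default" {
            s = $0
            sub(/^[^(]*\(/, "", s)   # drop everything up to the opening paren
            sub(/\)[^)]*$/, "", s)   # drop the closing paren and any trailer
            print s; exit
        }
        in_attr && /^\)/ { in_attr = 0 }   # top-level ")" closes the attribute
    ' "$1"
}

# set_ttm_attr FILE ATTR VALUE: rewrite the ':default (...)' line under ATTR.
# The line is rebuilt instead of passed through sub(), so the "&#" separators
# of the gateway list are never interpreted as awk back-references.
set_ttm_attr() {
    file=$1; attr=$2; value=$3
    awk -v attr="$attr" -v value="$value" '
        $1 == (":" attr) { in_attr = 1 }
        in_attr && $1 == ":default" {
            indent = substr($0, 1, index($0, ":") - 1)
            print indent ":default (" value ")"
            found = 1; next
        }
        in_attr && /^\)/ { in_attr = 0 }
        { print }
        END { if (!found) exit 1 }   # unknown attribute: leave the file alone
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# configure_mep FILE PRIMARY_IP BACKUP_IP: manual MEP, primary/backup order.
# Addresses are joined with "&#" and the list ends with "&#", as the attribute
# table in the thread describes.
configure_mep() {
    file=$1; primary=$2; backup=$3
    cp "$file" "$file.bak"   # keep a copy for rollback
    set_ttm_attr "$file" automatic_mep_topology false
    set_ttm_attr "$file" mep_mode primary_backup
    set_ttm_attr "$file" ips_of_gws_in_mep "${primary}&#${backup}&#"
}

# show_mep FILE: print the MEP-related settings that now apply.
show_mep() {
    for a in automatic_mep_topology mep_mode ips_of_gws_in_mep enable_gw_resolving; do
        printf '%-24s = %s\n' "$a" "$(get_ttm_attr "$1" "$a")"
    done
}

# Demonstration on the constructed sample (192.0.2.10 stands for C, 198.51.100.10 for B).
demo() {
    tmp=$(mktemp)
    make_sample_ttm "$tmp"
    configure_mep "$tmp" 192.0.2.10 198.51.100.10
    show_mep "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

Run it against the gateway's real file only after taking a backup, and install policy afterwards so the new defaults reach the clients; both steps are the assumptions stated above. Whether the ttm list may carry FQDNs instead of IPs is exactly the point _Val_ raises, so the script takes addresses as given and does not try to decide that for you.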
