Maybe it is me having an issue with search engines, but I was unable to find a clear answer to this question:
Assume I have an SMB cluster that acts as an internal firewall and, say, a 3600 appliance as an external one. What is the recommended way to interconnect them? Do I need to use the WAN port on the SMB for that, or can it be any of the LAN ports as well?
I will apparently do this via a switch device, but I wonder: if I have to use the WAN port, then I need one more port on the switch, and I am trying to avoid that. On the contrary, is not using the WAN port maybe going to confuse the SMB about the topology?
I think by guessing your topology, I would keep the WAN port as the interconnecting port to your external FW.
Mostly because this is its way up, just makes sense.
Will the WAN port always have to go through your 3600 appliance to reach the internet?
If so, have the WAN ports of your SMB appliances be connected to the same VLAN (access port in switch). And just get this VLAN up to your 3600 appliance by switching it in your switch environment.
Then have a new interface set up on the 3600 which the SMB appliances use as default gateway.
This can either be done by new physical interfaces and connecting cables into a switch into the same VLAN,
OR by having an internal trunk port (recommended) on the 3600 where you just add this VLAN as a subinterface.
In the 3600, route all the traffic which is behind the SMB appliances to its VIP address on this segment.
Thanks for your comments. I will most certainly do as @HenrikJ suggested. I even recall there is a limitation on SMB that the default gateway can only be set on WAN and DMZ ports. Kind of forgot about this...
Hey Maarten, good point about that NAT. I forgot about it. Think, I should start writing down some plan... 😀