Interconnect two CheckPoint appliances

Maybe it is me having issues with search engines, but I was unable to find a clear answer to this question:

Assume I have an SMB cluster that acts as an internal firewall and, say, a 3600 appliance as an external one. What is the recommended way to interconnect them? Do I need to use the WAN port on the SMB for that, or can it be any of the LAN ports as well?

I will apparently do this via a switch device, but I wonder: if I have to use the WAN port, then I need one more port on the switch, and I am trying to avoid that. On the contrary, is not using the WAN port maybe going to confuse the SMB about the topology?

5 Replies

It depends on the topology you're looking to build.
Regardless, I've used it both ways and you can make it work either way.

I think, guessing your topology, I would keep the WAN port as the interconnecting port to your external FW.

Mostly because this is its way up, it just makes sense.

Will the WAN port always have to go through your 3600 appliance to reach the internet?

If so, have the WAN ports of your SMB appliances connected to the same VLAN (access port in the switch), and just get this VLAN up to your 3600 appliance by switching it in your switch environment.

Then have a new interface set up on the 3600 which the SMB appliances use as their default gateway.
This can either be done with new physical interfaces, connecting cables into a switch in the same VLAN,
OR by having an internal trunk port (recommended) on the 3600 where you just add this VLAN as a subinterface.

In the 3600, route all the traffic which is behind the SMB appliances to its VIP address on this segment.
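The 3600-side part of the setup described above, written out as an added example in Gaia clish (this is not configuration posted in the thread or shipped by Check Point; the interface name eth1, VLAN 100, the 10.100.0.0/24 transit addresses, the cluster VIP 10.100.0.2 and the 192.168.10.0/24 network behind the SMB cluster are all assumed values). The SMB side, where the WAN interfaces sit in the same VLAN and use 10.100.0.1 as default gateway, is configured in the SMB appliance's own interface and is not shown.

```clish
# Added example (not from the thread): Gaia clish on the 3600.
# Assumed values: internal trunk port eth1, transit VLAN 100,
# 3600 transit address 10.100.0.1/24, SMB cluster VIP 10.100.0.2,
# network behind the SMB cluster 192.168.10.0/24.

# Add the transit VLAN as a subinterface on the internal trunk port
add interface eth1 vlan 100
set interface eth1.100 ipv4-address 10.100.0.1 mask-length 24
set interface eth1.100 state on

# Route the network behind the SMB cluster to its VIP on the transit segment
set static-route 192.168.10.0/24 nexthop gateway address 10.100.0.2 on

# Persist the running configuration
save config

# Check that the subinterface is up and the route is installed
show interface eth1.100
show route
```

Keeping the transit segment on a dedicated VLAN means the 3600 sees the SMB cluster's VIP as a single next hop, so each additional network behind the internal cluster only needs one more static route (or a summary route) rather than extra physical ports on the switch.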


Thanks for your comments. I will most certainly do as @HenrikJ suggested. I even recall there is a limitation on the SMB that the default gateway can only be set on WAN and DMZ ports. Kind of forgot about this....


Yep, that is your main issue: the default route cannot be set to a LAN port; only with a trick can you get around that. When you need the IP information on the external FW, do not forget to disable NAT on the SMB FW.
Regards, Maarten

Hey Maarten, good point about the NAT. I forgot about it. I think I should start writing down some plan... 😀
