r0kika
Explorer

Check Point 790 NAT problem

Hi!
So first things first: our setup is two Check Point 790 Appliances, the main is FW1, the secondary is FW2! These two are set in High Availability mode. Both firewalls have version R77.20.87, which is the latest I found.
We have a problem with the Check Point FW1 firewall! When we are on FW1, we can't reach the internet from the internal network, and we can't get any data from the Check Point firewall with monitoring tools either. Our ISP says that they can't see any problem at all; they can reach their own modem and they see traffic on it. So we tried to reach the internet from the internal network, with browsers and with ICMP: no response at all. From inside we can reach the gateway, with browsers and with ping as well, and we can reach the servers etc., so the internal network works! We tried "Ping or Trace an IP Address | Host name or IP address:" on the Check Point FW1; the Check Point can reach the internet through ICMP, so the Check Point can reach the internet! The physical layer was checked, no problem was found! The switches and the cables were tried out and work fine! So we pulled out the FW1 WAN cable, and because of the High Availability FW2 became the gateway, and everything works fine! The internal network can reach the internet, VPNs work etc. We tried to switch it back to FW1, so we plugged the WAN cable back in and pulled out the FW2 WAN cable. FW1 became the gateway. The problem was the same as I mentioned. So we changed back to FW2! It seems like a NAT problem, but I didn't find anything that is incorrect. IP address, DNS etc. are all set correctly.
I'm still getting to know Check Point, so maybe it is something obvious. Thanks a lot!
3 Replies
G_W_Albrecht
Legend

Did you follow sk121096: How to configure a cluster between locally managed SMB appliances?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
Employee

With reference to sk153433 which specific build of R77.20.87 is deployed here?

CCSM R77/R80/ELITE
r0kika
Explorer

Thanks everyone for the answers, we found out the problem is with the ISP modem.
Clearing the ARP cache on the modem solved the problem!
Because when the firewalls switch between primary and secondary, the traffic in the ARP cache still goes to the secondary. The ARP cache clears automatically after an hour by default; we changed it to 3 minutes and it works fine. It takes 5 minutes for the two Check Point appliances to change which is the primary member.

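The failure mode described in the accepted answer, as an added example that is not part of the thread: a small Python model of the modem's ARP cache that shows how long traffic for the cluster's external address is still framed to the old member after a failover, for the default 1-hour timeout, for the 3-minute timeout the poster set, and for the case where the modem honours a gratuitous ARP from the new active member. The MAC addresses, the address 203.0.113.10 and the 5-minute failover time are constructed values.

```python
# Added example, not code from the thread. Models the ISP modem's ARP cache as a
# table of (MAC, learned_at) entries with an ageing timeout, and a two-member
# cluster whose external address moves from FW1 to FW2 at failover.
from dataclasses import dataclass, field

FW1_MAC = "00:1c:7f:00:00:01"   # constructed value
FW2_MAC = "00:1c:7f:00:00:02"   # constructed value
VIP = "203.0.113.10"            # constructed cluster external address

@dataclass
class ArpCache:
    timeout: int                                  # seconds before an entry ages out
    entries: dict = field(default_factory=dict)   # ip -> (mac, learned_at)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)

    def lookup(self, ip, now):
        """MAC the modem would frame traffic to, or None if it has to re-ARP."""
        if ip not in self.entries:
            return None
        mac, learned = self.entries[ip]
        if now - learned >= self.timeout:
            del self.entries[ip]              # entry aged out, modem must re-ARP
            return None
        return mac

def blackhole_seconds(arp_timeout, failover_at, window=3600, garp=False):
    """Seconds within `window` during which the modem sends VIP traffic to a member
    that no longer owns the VIP. FW1 is active until failover_at, then FW2."""
    cache = ArpCache(timeout=arp_timeout)
    lost = 0
    for now in range(window):
        active = FW1_MAC if now < failover_at else FW2_MAC
        if garp and now == failover_at:
            cache.learn(VIP, active, now)     # new active member announces itself
        mac = cache.lookup(VIP, now)
        if mac is None:                       # modem re-ARPs; the active member answers
            cache.learn(VIP, active, now)
            mac = active
        if mac != active:
            lost += 1                         # frame goes to the old member: black hole
    return lost

if __name__ == "__main__":
    for name, timeout, garp in (("1 h default", 3600, False),
                                ("3 min", 180, False),
                                ("1 h + gratuitous ARP", 3600, True)):
        print(f"{name}: {blackhole_seconds(timeout, 300, garp=garp)} s of lost traffic")
```

With the 1-hour default, traffic is lost for the rest of the hour after the 5-minute failover; with the 3-minute timeout the outage is bounded by the remaining entry lifetime, and a honoured gratuitous ARP removes it entirely.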