Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Chris_W23
Participant

How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster?

Hello all,

I am looking for some guidance with creating a new Checkpoint cluster using 1530 SMB appliances.

I have an existing OpenServer cluster at our HQ site (R81.10) with a central SMS (also R81.10) and I need to deploy the 1530 cluster at a remote site across the Internet and centrally manage it. These new appliances are also R81.10.

The remote site is behind a 3rd party firewall/NAT  with a single public IP. 

This new cluster will be establishing a VPN tunnel to the HQ site.

The SMS is behind the HQ firewall with its own NAT'd public IP.

What is the best practice with respect to interface and gateway/cluster object IPs? For the new cluster and member objects, would I use the single remote public IP for all, or would I use the actual assigned physical private IPs, even though they aren't routable from the SMS? Do I need to try and obtain 3 public IPs for the remote site instead of just the one that have given me now? I'm not sure if that will be possible.

We use SmartConsole etc to manage the environment, we don't use any Checkpoint cloud management.

Here's my attempt at a diagram of the environment:

 

Drawing1.jpg

 

Thanks!

 

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend

Why the 3rd party FW ? This makes things rather complicated...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_W23
Participant

The remote site is a partner's network and their current design has us implementing our appliance behind their firewall.

Is it too complex to do it this way? I can see if it can be installed along side their firewall instead of behind but that definitely wasn't their first choice.

Thanks!

0 Kudos
G_W_Albrecht
Legend Legend
Legend

It is more complex than a HA Cluster facing internet. Why not do the VPN between 3rd party FW and HQ firewall ? Using a HA Cluster for VPN behind a single FW does not make much sense in regards to security for me...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_W23
Participant

Our corporate policies and requirements won't allow it.

I might just have to arrange for a separate ISP connection into that site and use it instead. Might be the best idea.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Should be possible using NAT-T:

https://support.checkpoint.com/results/sk/sk32664

https://support.checkpoint.com/results/sk/sk177823

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events