This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_W23
Participant
‎2023-08-25 11:34 AM

How to create a remote SMB cluster behind 3rd party NAT with central mgmt behind another cluster?

Hello all,

I am looking for some guidance with creating a new Checkpoint cluster using 1530 SMB appliances.

I have an existing OpenServer cluster at our HQ site (R81.10) with a central SMS (also R81.10) and I need to deploy the 1530 cluster at a remote site across the Internet and centrally manage it. These new appliances are also R81.10.

The remote site is behind a 3rd party firewall/NAT  with a single public IP. 

This new cluster will be establishing a VPN tunnel to the HQ site.

The SMS is behind the HQ firewall with its own NAT'd public IP.

What is the best practice with respect to interface and gateway/cluster object IPs? For the new cluster and member objects, would I use the single remote public IP for all, or would I use the actual assigned physical private IPs, even though they aren't routable from the SMS? Do I need to try and obtain 3 public IPs for the remote site instead of just the one that have given me now? I'm not sure if that will be possible.

We use SmartConsole etc to manage the environment, we don't use any Checkpoint cloud management.

Here's my attempt at a diagram of the environment:

 

Drawing1.jpg

 

Thanks!

 

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-08-28 04:32 AM

Why the 3rd party FW ? This makes things rather complicated...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_W23
Participant
‎2023-08-28 06:24 AM
In response to G_W_Albrecht

The remote site is a partner's network and their current design has us implementing our appliance behind their firewall.

Is it too complex to do it this way? I can see if it can be installed along side their firewall instead of behind but that definitely wasn't their first choice.

Thanks!

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-08-28 06:52 AM
In response to Chris_W23

It is more complex than a HA Cluster facing internet. Why not do the VPN between 3rd party FW and HQ firewall ? Using a HA Cluster for VPN behind a single FW does not make much sense in regards to security for me...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_W23
Participant
‎2023-08-28 07:01 AM
In response to G_W_Albrecht

Our corporate policies and requirements won't allow it.

I might just have to arrange for a separate ISP connection into that site and use it instead. Might be the best idea.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-08-28 07:52 AM
In response to Chris_W23

Should be possible using NAT-T:

https://support.checkpoint.com/results/sk/sk32664

https://support.checkpoint.com/results/sk/sk177823

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events