This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
khineminn
Contributor
13 hours ago

Quantum Spark Traffic Management

We configured two manual NATs for one web servers, with one NAT rules is applied for each ISP's public IP.

ISP-1 (WAN) > 10.10.10.100 to 172.16.10.100
ISP-2 (DMZ) > 20.20.20.100 to 172.16.10.100

The primary link is through ISP-1, with Priority 1.
The secondary link is through ISP-2, with Priority 100.
Therefore, the default route preference is set to use ISP-01.

Issue:

When accessing IP address 10.10.10.100, the connection works without any issues.

However, when accessing 20.20.20.100, the connection fails. After capturing and analyzing the traffic, I found that the firewall is responding to packets through ISP-1 (according to the default route) instead of the incoming interface.

Question:

Is this behavior normal, or is it possible for the firewall to respond to packets through the same interface they arrived on?

Preview file
15 KB
0 Kudos
3 Replies
Chris_Atkinson
Employee Employee
Employee
12 hours ago

Without some form of PBR or SD-WAN config, following the routing table is absolutely normal and correct.

Is this R81.10.10 or R81.10.15?

CCSM R77/R80/ELITE
0 Kudos
khineminn
Contributor
12 hours ago
In response to Chris_Atkinson

@Chris_Atkinson   R81.10.15

Traffic may arrive via multiple ISP links due to DNS resolution. Are there any solutions to achieve this type of setup?

Thanks.

0 Kudos
PhoneBoy
Admin
Admin
9 hours ago
In response to khineminn

For regular (non-SMB) gateways, or even if the SMB is centrally managed, you could try: https://support.checkpoint.com/results/sk/sk42636
If locally managed, you can try editing $FWDIR/conf/routing_configload.conv and changing misp_cache_use_srv to true, then do a fw configload to refresh the configuration.
Whether that works is a separate question and if it doesn't suggest a TAC case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events