This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_Mosca
Explorer
‎2019-10-25 02:15 AM

Routing config for Checkpoint 750 and MPLS

Hi all,

I have a customer with a new MPLS network and a Checkpoint 750 in place as per the diagram below. A few notes:

1. MPLS acts as a private network for the customer

2. Internet access for Branch office has to go through HO

- I've configured the DMZ port for the private network and have full connectivity between HO and the branch network. However, the branch PCs can't access the Internet. I have (I think) all the correct routes and policies in place. When I try to browse the web from the branch office, I can see DNS and HTTPS activity from the branch office in the firewall logs (all allowed), but the web sessions never connect. There are no proxies in use and PC firewall is off. ICMP also fails from the branch PC to the web (but is ok for HO LAN).

The other option would be to go straight from the MPLS to our network switch at HO, but we want to have the option to restrict branch traffic and investigate logs. Is this a firewall issue, or an MPLS routing issue? Any and all help/suggestions appreciated

Thanks,

David

network.jpg

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-10-26 05:13 PM

Have you verified (with tcpdump or similar) the traffic is going out the correct interface?
If it is, then it's possible the issue is upstream from your gateway.
0 Kudos
David_Mosca
Explorer
‎2019-11-05 05:23 PM
In response to PhoneBoy

Thanks Phone Boy. Unfortunately the issue became urgent to fix so we had to bypass the firewall for now. If I get a chance, I'll setup a test environment and re-test this...

0 Kudos
Blason_R
Leader
Leader
‎2019-11-05 06:46 PM

So your internet is terminated on Router? And I understood correctly to go internet it will come to router then down to firewall and NAT it and route it back to internet i.e. to the same router?

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
David_Mosca
Explorer
‎2019-11-05 06:55 PM
In response to Blason_R

Correct. One router with both Public and Private network split across virtual circuits. I could see web traffic from the remote branch hitting the firewall (and being allowed), but then timing out on the PC. I suspect it's an issue on the router, but upstream provider suggests otherwise. Would love to sort it out as that design is our preferred one (bypasing firewall even for the Private Network adds some risk).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events