Hi
netstat -r shows this:
Gateway-ID-7FB7C2DC> netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         ua-113-13-192- 0.0.0.0         UG        0 0          0 WAN
90.254.144.124  *               255.255.255.255 UH        0 0          0 vpnt10
192.168.3.0     *               255.255.255.0   U         0 0          0 LAN1
192.168.4.10    *               255.255.255.255 UH        0 0          0 vpnt10
113.113.192.0   *               255.255.224.0   U         0 0          0 WAN
I need 90.254.144.124 to be my default gateway, but I don't know how to configure that. I used add static-route and set static-route, and this is what I got:
show static-routes table
| id | disabled | destination | source | service | ipv4-address | monitored-server-1 | monitored-server-2 | monitored-server-3 | monitoring-mode | interface | logical | metric | priority | comment |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | false | | | | 90.254.144.124 | | | | off | | | 102 | 0 | |
| 2 | false | 90.254.144.124/32 | | | | | | | off | vpnt10 | vpnt10 | 10 | 0 | |
My SMB is connected to a central office via a VTI, and the central office external IP needs to be the default gateway of the SMB. The SMB IP is dynamic; the 113.113.* address is the dynamic IP of my SMB.
Still, when I do a traceroute I don't see my central office IP; it goes directly to the default gateway of my dynamic IP (my ISP router).
The community is configured like this:
Any ideas?
You probably want to do a couple of things here
1. Ensure the VPN peer IP (and any break glass IP etc) is routed/reachable outside the tunnel.
2. Configure your default route, e.g.:
add static-route destination 0.0.0.0/0 nexthop gateway ipv4-address W.X.Y.Z
3. If you still encounter problems try disabling the default use of the Internet connection as the default gateway. As I recall this is controlled via:
For add static-route destination 0.0.0.0/0 nexthop gateway ipv4-address W.X.Y.Z, you need to add a metric between 101 and 200; giving 101 to this command is rejected:
"Could not set static route metric: the metric of a default route must be unique, and cannot be same as of an existing internet connection priority " 
I get that message even if internet connection route-traffic-through-default-gateway is disabled?!
Adding priority 102, for example, the command is accepted, but the gateway loses its internet connection.
Deleting the internet connection and adding a new one: it seems it is not allowed to add a default gateway to an internet connection when it is of type "DHCP".
So what should be done here?
Do I need to configure the DDNS to be able to set the default gateway as needed?
If you type a ? at the end of that command, it should give you the available options.
If your WAN IP is DHCP, then, yes, it will control the default route by design.
You can create multiple more specific routes that point to the VTI.
For example:
0.0.0.0/1 seems to work fine beside the default route to the ISP
I still got 2 problems:
The SMS is unreachable on the SMB, but fetch policy still works fine?!
+
The other problem is that my PC behind the SMB does not get internet. It is connected to port 1 (192.168.3.1) on the SMB. My PC has the SMB as its default gateway, and my PC is getting 192.168.3.2.
Maybe do some basic captures to see why mgmt server is not reachable.
Andy
By default, traffic related to SIC does not go over VPN.
This requires several changes to accomplish and is generally NOT recommended.
Based on your current routing configuration, it's probably trying to do that...and failing.
You might need to create a static route towards your SMS public IP that goes out your regular default route.
As far as other troubleshooting, I would suggest using fw monitor with the -F option to specify appropriate filters (to account for traffic in both directions): https://support.checkpoint.com/results/sk/sk30583 
This will at least give us an idea of where we need to look next.
Sorry that I wasn't specific enough in my earlier reply and references to break glass subnets and such. 
Management should also be routed outside the VPN and would need to be externally accessible via a NAT.
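To make the routing advice above concrete, here is an added example (not code from the thread or from Check Point) that models plain longest-prefix-match route selection. It shows why a second 0.0.0.0/0 route with a worse metric never displaces the ISP's DHCP default, why the two /1 routes suggested earlier do, and why the VPN peer and the management server each need a /32 route out the WAN so the tunnel does not swallow its own endpoint or the SIC traffic. The peer address 90.254.144.124, the LAN 192.168.3.0/24 and the interface names follow the netstat output in the thread; the SMS public address 203.0.113.10 is a constructed placeholder (TEST-NET-3).

```python
"""Longest-prefix-match model of the routing designs discussed in this thread.

Added example, not code from the thread or from Check Point. It applies the
rule every IP forwarding table uses (longest prefix wins, lower metric breaks
ties) so a proposed table can be checked before it is typed into clish.
The VPN peer and LAN come from the thread; 203.0.113.10 is a constructed
placeholder for the management server's public address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str   # outgoing interface: WAN (ISP), vpnt10 (VTI), LAN1
    metric: int  # lower wins among routes with the same prefix length


def route(prefix, iface, metric=0):
    return Route(ipaddress.IPv4Network(prefix), iface, metric)


def lookup(routes, dst):
    """Pick the route a forwarding table would use for dst.

    Longest matching prefix wins; among equal-length prefixes the lowest
    metric wins. Returns None when nothing matches (no default route).
    """
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def egress(routes, dsts):
    """Map each destination to the interface lookup() selects for it."""
    out = {}
    for d in dsts:
        r = lookup(routes, d)
        out[d] = r.iface if r else None
    return out


PEER = "90.254.144.124"      # central office external IP (from the thread)
SMS_PUBLIC = "203.0.113.10"  # constructed: management server public IP

# Table 1: what the poster tried, a second 0.0.0.0/0 with a higher metric.
# Both defaults are /0, so only the metric decides and the ISP route wins.
TWO_DEFAULTS = [
    route("0.0.0.0/0", "WAN", metric=0),       # installed by the DHCP internet connection
    route("0.0.0.0/0", "vpnt10", metric=102),  # the added default via the tunnel
    route("192.168.3.0/24", "LAN1"),
]

# Table 2: the design from the replies. Two /1 routes cover all of IPv4 and
# are more specific than /0, so they beat the ISP default without touching
# it; /32 routes pin the tunnel endpoint and the SMS to the WAN so the
# tunnel does not swallow its own peer or the SIC/policy-fetch traffic.
SPLIT_DEFAULT = [
    route("0.0.0.0/0", "WAN", metric=0),
    route("0.0.0.0/1", "vpnt10"),
    route("128.0.0.0/1", "vpnt10"),
    route(PEER + "/32", "WAN"),
    route(SMS_PUBLIC + "/32", "WAN"),
    route("192.168.3.0/24", "LAN1"),
]


def without_peer_pin(routes):
    """Same table minus the /32 for the VPN peer: demonstrates the blackhole."""
    peer_net = ipaddress.IPv4Network(PEER + "/32")
    return [r for r in routes if r.prefix != peer_net]


SAMPLE_DSTS = ["8.8.8.8", "200.0.0.1", PEER, SMS_PUBLIC, "192.168.3.2"]

if __name__ == "__main__":
    tables = (("two defaults", TWO_DEFAULTS),
              ("split default", SPLIT_DEFAULT),
              ("split default, peer pin missing", without_peer_pin(SPLIT_DEFAULT)))
    for name, table in tables:
        print(name)
        for dst, iface in egress(table, SAMPLE_DSTS).items():
            print(f"  {dst:>16} -> {iface}")
```

The third table in the run shows the failure mode behind step 1 of the earlier reply: with the /1 routes in place but no /32 for the peer, the IKE/ESP packets to 90.254.144.124 are themselves routed into vpnt10, and the tunnel can never come up.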
Is there any way to "save config" on SMBs, or does it not need to be saved manually?
There is not and no need either.
Andy
This SMB device is working correctly now, but the SMS still shows a red cross. I wonder why?
It would be helpful to share the full error message of the red cross.
That is the problem: There is no error message but still red cross!
This is not uncommon for DAIP Spark gateways in my experience.
Will see if I can find the reference or SK that discusses it and share it here.
Why are DAIP gateways never really shown as connec... - Check Point CheckMates
Maybe TAC can confirm, but it could be expected, since it's DAIP.
Known Limitation: