TRajkumar
Contributor

Checkpoint Firewall for ISP provider

Hi Everyone,

I'm going to deploy a Check Point firewall for an ISP provider. 2 connections are considered the uplink (external) and some other interfaces the downlink (LAN, which also uses public IP addresses). We access the internet from the downlink public IP addresses.

I have configured the interfaces and topology as 2 external and 1 internal with the specified network. In this setup we don't require NAT, since we are already using public IP addresses. The policy is also configured with an allow action.

Now when I try to ping 8.8.8.8 there is no response, even though there is an accept log in the firewall logs and no drops in fw ctl. During the tcpdump

I noticed an ARP issue (8.8.8.8 is learned by my external interfaces and the firewall also tries to learn it on my internal interfaces).

Can someone guide me on how to deploy a Check Point firewall for ISP providers, with topology details?

Do let me know if any other details required.


Thanks

Rajkumar T


0 Kudos
13 Replies
Chris_Atkinson
MVP Platinum CHKP

What routing is configured on the firewall at present?

I assume 8.8.8.8 is just an example IP and you aren't actually seeing an ARP on a local segment for the Google DNS server?

CCSM R77/R80/ELITE
0 Kudos
TRajkumar
Contributor

Hi Chris

Routing: configured the default route with the external router IP address as next hop. Moreover, we enabled ISP redundancy (Active/Backup).

I did ping -I <INTERFACE NAME> 8.8.8.8 and there is no reply to the ICMP request. When I check arp -a, I notice ARP entries on the external interfaces and an incomplete ARP entry for google.dns on all other interfaces.

In addition, if I try ping -I <EXTERNAL INTERFACE> 8.8.8.8 I get the response.

Thanks

Rajkumar T

0 Kudos
the_rock
MVP Platinum

Can you send a screenshot of how you have topology configured? Please blur out any sensitive data.

Best,
Andy
0 Kudos
TRajkumar
Contributor

Hi Rock,

Attached the topology here. Hope it gives the required details.

Thanks
Rajkumar T

0 Kudos
the_rock
MVP Platinum

Not really. I will send what I was referring to Wednesday morning.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

Hey @TRajkumar

This is what I was referring to.


Screenshot_1.png

Screenshot_2.png


Best,
Andy
0 Kudos
TRajkumar
Contributor

Hi Rock,

In the topology I'm using the Specific option, and I specified the Network object there.

This is because I'm using public IP addresses (the LAN pool IP addresses of the ISP), which is a /29 network.

Thanks

Rajkumar T

0 Kudos
emmap
MVP Gold CHKP

The topology must contain all the networks that are behind the interface, not just the local subnet. Set the topology as indicated above for your internal facing interface and you'll have more success. Make sure the internet facing ones are set as External.

0 Kudos
Martijn
Advisor

Hi,

Can it be the ICMP reply is routed back to the other external interface?
Can you check with fw monitor or tcpdump?

A simple network diagram might help.

Martijn

0 Kudos
TRajkumar
Contributor

Hi Martijn,

From my external interfaces I am able to reach the internet (request and response). But from my internal interface I can't get the response. When I do a tcpdump I notice the interface does not know how to forward the packet (ARP issue).

Here I'm deploying Check Point for an ISP provider, so my external and internal interfaces have public IP addresses only.

I attached a simple diagram here. My major doubt is: will Check Point work for ISP providers?

Thanks
Rajkumar T

0 Kudos
Ruan_Kotze
MVP Gold

Hi Rajkumar

Not sure if I am missing something basic, but why are you expecting to see an ARP entry for Google's DNS?  ARP resolves MAC address to IP on your local L2 network.  Do you have your respective ISP router's addresses (gateway's default gateway(s)) in your ARP table and vice versa?

If not try doing a gratuitous arp:  "arping -c 4 -A -I eth1 100.100.100.2"

If the IPs are not physically assigned do the following: 

Expert# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
Expert# arping -c 4 -A -I eth1 100.100.100.2

Ruan


0 Kudos
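Ruan's point above is the one that matters for reading the arp -a output: ARP only ever resolves an address that is on the same link, so the only entry that has to exist for internet traffic is the next hop's. An incomplete entry for a remote address such as 8.8.8.8 on some interface means the kernel tried to resolve it directly on that link instead of via a gateway, which is a routing or interface-binding symptom rather than a statement about reachability. The script below is an added example, not code from this thread or from Check Point: it runs that check over saved "ip route" and "arp -a" output. The sample output, the interface names eth1/eth2/eth3 and the addresses (100.100.100.x, 100.100.200.x, 198.51.100.0/29) are constructed placeholders; on a real gateway you would feed it ROUTES="$(ip route)" and ARP="$(arp -a)".

```shell
#!/bin/sh
# Added example (not from the thread): next-hop / ARP sanity check over
# captured "ip route" and "arp -a" text. Sample text is constructed;
# interface names and addresses are placeholders.

ROUTES='default via 100.100.100.1 dev eth1
100.100.100.0/30 dev eth1 proto kernel scope link src 100.100.100.2
100.100.200.0/30 dev eth2 proto kernel scope link src 100.100.200.2
198.51.100.0/29 dev eth3 proto kernel scope link src 198.51.100.1'

ARP='? (100.100.100.1) at 00:11:22:33:44:55 [ether] on eth1
? (198.51.100.2) at 00:11:22:33:44:66 [ether] on eth3
? (8.8.8.8) at <incomplete> on eth3'

# Dotted quad -> 32-bit integer
ip2int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside CIDR prefix $2 (e.g. 198.51.100.0/29)
in_cidr() {
    _a=$(ip2int "$1")
    _n=$(ip2int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _a & _mask )) -eq $(( _n & _mask )) ]
}

# Gateway and device of the first default route, "ip route" format.
# With ISP redundancy there may be two defaults; the first is enough here.
default_nexthop() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3, $5; exit }'
}

# ARP state of address $2 in "arp -a" output $1: complete, incomplete or absent
arp_state() {
    printf '%s\n' "$1" | awk -v want="($2)" '
        $2 == want { s = ($4 == "<incomplete>") ? "incomplete" : "complete"; print s; found = 1; exit }
        END { if (!found) print "absent" }'
}

# True when $1 is on a directly connected ("scope link") subnet of route table $2
is_onlink() {
    for _pfx in $(printf '%s\n' "$2" | awk '/scope link/ { print $1 }'); do
        in_cidr "$1" "$_pfx" && return 0
    done
    return 1
}

# Incomplete ARP entries for addresses that are NOT on any connected subnet:
# the kernel tried to resolve a remote address directly on that link, which
# points at routing / "ping -I <dev>" binding rather than at the remote host.
stray_arp() {
    printf '%s\n' "$1" | awk '$4 == "<incomplete>" { gsub(/[()]/, "", $2); print $2, $6 }' |
    while read -r _ip _dev; do
        is_onlink "$_ip" "$2" || printf '%s on %s\n' "$_ip" "$_dev"
    done
}

# Summary for the operator; returns 0 only when the default next hop resolves
diagnose() {
    _nh=$(default_nexthop "$2")
    _gw=${_nh%% *}; _dev=${_nh##* }
    _st=$(arp_state "$1" "$_gw")
    echo "default next hop $_gw on $_dev: ARP $_st"
    _stray=$(stray_arp "$1" "$2")
    if [ -n "$_stray" ]; then
        echo "remote addresses being ARPed on-link (check routes / ping -I usage):"
        echo "$_stray"
    fi
    [ "$_st" = complete ]
}

diagnose "$ARP" "$ROUTES"
```

On the constructed sample this reports the default next hop 100.100.100.1 on eth1 as complete, and flags 8.8.8.8 on eth3 as a remote address being ARPed on-link, which is exactly the pattern the original post describes for the internal interface.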
TRajkumar
Contributor

Hi Ruan,

I got the respective router (next hop) ARP entries and am able to ping it without issue.

But the problem is I can't reach the internet from the internal interface (public IP address configured), since I'm deploying the Check Point firewall for an ISP provider.

Thanks
Rajkumar T

0 Kudos
Martijn
Advisor

Hi,

You can reach the internet from the external interface so you should have a MAC address in your ARP table.
You cannot reach the internet from the internal interface. What do you mean by that? Are you testing from an internal host behind the internal interface?

I would test again with a real internal host, check the logs and do a trace on the internal and external interface if you still are unable to reach the internet from the internal networks.

Martijn

0 Kudos
