This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JackPrendergast
Advisor
Advisor
‎2021-05-26 12:06 AM

Dynamic IP on WAN interface. Managed on its local static…

Hi,

 

Can anyone add some clarity over the proposed options and best practice over this scenario please?

 

I have 2 interfaces - WAN and LAN.

WAN is DHCP. LAN is Static.

 

The gateway is managed via its LAN address

 

NAT is ticked to hide all internal networks behind this gateway.


When that WAN IP changes, how does the topology in smart dashboard update? Also, what would happen to the NAT? Would it fail?

 

Note - I have NOT ticked DAIP gateway as the Main IP of the gateway object is the LAN address which is indeed static.

 

thank you.

0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-05-26 12:14 AM

How did you define the topology ? I would assume that your LAN IP is the external IP as all internal IPS are NATed behind it, and the WAN IP an internal interface. As you can not tick DAIP for your WAN IF, the IP change would never propagate anywhere, i think. So what in fact does happen in your scenario ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JackPrendergast
Advisor
Advisor
‎2021-05-26 03:11 AM
In response to G_W_Albrecht

Hi.

 

Topology is

 

Modem - CP - LAN Router - Users.

 

CP has eth1 attached to Modem. 

eth1 has obtain ip automatically, with custom dhcp options configured in dhclient and recieves public IP from ISP.

 

DHCP for the LAN is done on the CP. 

Local traffic via the LAN router routes to the CP and CP hides local traffic behind the public IP assigned to eth1.

 

eth2 attached to LAN router is static. Fixed 192.168.0.0/24 address

eth1, attached to ISP modem is dynamic (ISP wont give fixed IP) 

 

Gateway is managed locally via eth2. DAIP is NOT enabled as gateway is managed on LAN via static IP.

 

So, the question is, when the public IP attached to eth1 changes, how do these changes apply to the rest of the process?

 

How can the topology in SC update automatically? Otherwise, traffic will stop and fail. Traffic will try be hide nat behind the old public IP as topology hasnt updated.

 

There must be a way for this?

0 Kudos
JackPrendergast
Advisor
Advisor
‎2021-05-26 03:18 AM
In response to JackPrendergast

Screenshot 2021-05-26 at 11.17.21.png

Screenshot 2021-05-26 at 11.17.13.png

  

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-26 07:59 AM

Marking the gateway as DAIP is really only necessary if you manage the gateway via the interface that is dynamic.
Marking the gateway DAIP imposes some significant limitations: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

Without checking that box, if WAN address actually changes, it would require a policy install (with config changes) to restore all functionality, most likely.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events