This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rob_Shears
Contributor
‎2022-04-30 06:26 PM

ICMP to Checkpoint on all available BGP ranges?

I have a Checkpoint ClusterXL distributing a BGP range.

If I assign an interface to one of the IPs in that range, it will respond to ICMP (as ICMP requests are allowed in Global settings).

But since ClusterXL does not support aliases, how do I enable ping on the ENTIRE range without NAT'ing it to something behind the Checkpoint?

I thought about making ICMP request NAT rules but since it's not a TCP/UDP service, I can't use it in a NAT rule.

Proxy ARP alone doesn't seem to work either for this purpose.

I don't like the suggestion of creating a wide NAT rule to cover ALL and then excluding what I don't want in the firewall. It would get messy and confusing when I want real NATs on the same IP to actual servers behind the checkpoint in the future.

Is there another option?

0 Kudos
4 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-05-01 02:06 AM

Why is this configuration desirable unless there is actually an active host/hosts for those addresses?

 

CCSM R77/R80/ELITE
0 Kudos
Rob_Shears
Contributor
‎2022-05-01 05:39 AM
In response to Chris_Atkinson

Because I'm essentially terminating all the ips in that range on the checkpoint. No hosts behind the Checkpoint are being assigned these public IPs. The checkpoint will be NAT'ing to them.

I therefore want to be able to monitor all the IPs externally, whether or not they have real "interesting" traffic on them.

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-05-01 09:12 AM

This is possible to do on your firewall, but I would not recommend it as it almost certainly not supported and may cause some unexpected behavior.  First off, you'll need an Access Control rule permitting ICMP echo requests to a network object representing your BGP prefix/network.  Let's assume it is 192.0.2.0/24.  This will let the echo request traffic reach the IP driver in Gaia where we can employ some trickery with the loopback interface.

Now in Gaia you need to add a "local" static route via the loopback interface to the BGP network. From clish this command is accepted syntactically but does not actually add the needed loopback route to the live routing table because it is not added as a "local" route:

set static-route 192.0.2.0/24 nexthop gateway logical lo on

However from expert mode this command will successfully add the needed local route to the live routing table, and now the Gaia IP driver will respond to all pings bound for this subnet:

ip route add local 192.0.2.0/24 dev lo

Needless to say a route added in this way from expert mode will not "stick" across a reboot, and there doesn't seem to be any way to add a "local" route from clish that I can find.  This local route loopback trick is handy on honeypot boxes that need to respond to all IP addresses on a network which is how I knew about it.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Rob_Shears
Contributor
‎2022-05-01 01:17 PM
In response to Timothy_Hall

Wow, thanks for the explanation. The not surviving a reboot thing is problematic however.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events