This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andrew25
Collaborator
‎2021-12-04 04:48 AM
Jump to solution

Identity awareness does not work, routing problem. What are the options for solving the problem?

We plan to use authentication on the FW-B for Internet access and Mobile Access connections

Description of the problem

FW-B uses an external IP (2.2.2.2) address for requests (Identity Avareaness) to DC-1. DC-1 sends a response in the wrong direction, according to routing

Identity.jpg

Is it possible to configure the FW-B so that it sends requests (Identity Avareaness) using its local IP address as the source interface?

0 Kudos
1 Solution

Accepted Solutions
Andrew25
Collaborator
‎2021-12-08 09:47 AM
Jump to solution

You could do a hide NAT on the traffic from FW-B when it passes through FW-A to go to the DC-1 

View solution in original post

0 Kudos
8 Replies
the_rock
MVP Diamond
MVP Diamond
‎2021-12-04 05:05 AM
Jump to solution

What do you see if you issue ip route get and then IP of the DC1? just run ip r g 192.168.0.1 on expert mode of firewall B. 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Andrew25
Collaborator
‎2021-12-04 05:47 AM
In response to the_rock
Jump to solution

192.168.0.1 via 2.2.2.1 dev eth1 src 2.2.2.2

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-12-04 05:50 AM
In response to Andrew25
Jump to solution

Well, if you want it to take different path, just change the route to reflect different interface. It seems at this point its using 2.2.2.2 interface IP with gateway of 2.2.2.1.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Andrew25
Collaborator
‎2021-12-04 05:54 AM
In response to the_rock
Jump to solution

I don’t understand, you can learn more?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-12-04 06:03 AM
In response to Andrew25
Jump to solution

What Im saying is, it does not sound logical to use external interface to access something internal from the firewall itself. Just change it to reflect internal interface of the firewall, as long as topology is right.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Andrew25
Collaborator
‎2021-12-04 06:07 AM
In response to the_rock
Jump to solution

Yes, it is not logical, I agree. How to change it to reflect internal interface of the firewall?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2021-12-04 10:56 AM
In response to Andrew25
Jump to solution

From web UI or clish. Just change it via web UI in the browser, it takes 15 seconds literally.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Andrew25
Collaborator
‎2021-12-08 09:47 AM
Jump to solution

You could do a hide NAT on the traffic from FW-B when it passes through FW-A to go to the DC-1 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events