This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andrew25
Collaborator
‎2021-12-04 04:48 AM
Jump to solution

Identity awareness does not work, routing problem. What are the options for solving the problem?

We plan to use authentication on the FW-B for Internet access and Mobile Access connections

Description of the problem

FW-B uses an external IP (2.2.2.2) address for requests (Identity Avareaness) to DC-1. DC-1 sends a response in the wrong direction, according to routing

Identity.jpg

Is it possible to configure the FW-B so that it sends requests (Identity Avareaness) using its local IP address as the source interface?

0 Kudos
1 Solution

Accepted Solutions
Andrew25
Collaborator
‎2021-12-08 09:47 AM
Jump to solution

You could do a hide NAT on the traffic from FW-B when it passes through FW-A to go to the DC-1 

View solution in original post

0 Kudos
8 Replies
the_rock
Legend
Legend
‎2021-12-04 05:05 AM
Jump to solution

What do you see if you issue ip route get and then IP of the DC1? just run ip r g 192.168.0.1 on expert mode of firewall B. 

0 Kudos
Andrew25
Collaborator
‎2021-12-04 05:47 AM
In response to the_rock
Jump to solution

192.168.0.1 via 2.2.2.1 dev eth1 src 2.2.2.2

0 Kudos
the_rock
Legend
Legend
‎2021-12-04 05:50 AM
In response to Andrew25
Jump to solution

Well, if you want it to take different path, just change the route to reflect different interface. It seems at this point its using 2.2.2.2 interface IP with gateway of 2.2.2.1.

0 Kudos
Andrew25
Collaborator
‎2021-12-04 05:54 AM
In response to the_rock
Jump to solution

I don’t understand, you can learn more?

0 Kudos
the_rock
Legend
Legend
‎2021-12-04 06:03 AM
In response to Andrew25
Jump to solution

What Im saying is, it does not sound logical to use external interface to access something internal from the firewall itself. Just change it to reflect internal interface of the firewall, as long as topology is right.

0 Kudos
Andrew25
Collaborator
‎2021-12-04 06:07 AM
In response to the_rock
Jump to solution

Yes, it is not logical, I agree. How to change it to reflect internal interface of the firewall?

0 Kudos
the_rock
Legend
Legend
‎2021-12-04 10:56 AM
In response to Andrew25
Jump to solution

From web UI or clish. Just change it via web UI in the browser, it takes 15 seconds literally.

0 Kudos
Andrew25
Collaborator
‎2021-12-08 09:47 AM
Jump to solution

You could do a hide NAT on the traffic from FW-B when it passes through FW-A to go to the DC-1 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top