This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
begeegs
Explorer
‎2020-04-27 04:32 AM

Problem with Internet Router installation

Hi All

 

We had an issue last week with a new internet router installation. In our current set up, we have two L2 connections off of a switch which consists of their Checkpoint FW and the current legacy internet router. What we did to introduce the new internet router was plug it into a different port on the same switch with the same ip as the legacy internet connection while unplugging the legacy connection (which is the default gateway of the Checkpoint Firewall).

Once this was in place and the legacy connection was disabled, some of the traffic recovered which is routing over the Checkpoint (notably the public ip space which was over the L2 connection along with their VPN which routes through the Checkpoint), however the internet traffic which traverses the default gateway outbound does not. I can see the correct ARP entries in Checkpoint as well as on the routing/switching. The new INET router has connectivity, but the traffic is not forwarded for internet connections with the exception of the local VPN (which is situated like a DMZ).

Once we rolled back, the connectivity reverted immediately without any issues. 

Any ideas on this? It was a strange one that left us scratching our heads.

 

Many thanks

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-04-27 11:10 PM

Did you verify packets were leaving the gateway on the correct interface with tcpdump or similar?
0 Kudos
begeegs
Explorer
‎2020-04-28 01:45 AM
In response to PhoneBoy

We didn't at the time, but the fact that the DMZ was working would suggest that at the very least that traffic was leaving the default GW. I plan on having another crack at it with tcpdump, however I was hoping that there was something obvious that I overlooked.

We were constantly getting errors like the following - 'Firewall - Domain resolving error. Check DNS configuration on the gateway (0);Blocking request as configured in engine settings of Firewall'

However I thought that this was what it was saying - a connectivity issue rather than DNS. Even despite this, I couldn't ping 8.8.8.8 or by ip from the inside.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-04-27 11:54 PM

this sounds like the provider is not advertising the connection network between router and firewall into the internet from the new router.
Regards, Maarten
0 Kudos
begeegs
Explorer
‎2020-04-28 01:41 AM
In response to Maarten_Sjouw

Unfortunately, that wasn't the case. Both subnets worked - one went through the CP FW and the other via the new router to another device in the the other public subnet. 😞

Thanks for your reply
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top