This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
pnobels
Explorer
‎2022-10-31 06:14 AM

R81.10 and dual internet uplinks

Hi,

 

currently running R81.10 JHF 66 on VSX platform.  One of the instances is an internet uplink.  So one internal interface, one public interface and acting as a gateway to INETA.

Challenge : upgrade the internet uplink to INETB with as less downtime as possible

Need to new uplink to be on another interface as fibre requirement.  Catch : a block of public ip's is routed to the public ip of the interface leading to INETA.  I need some time to migrate these to public ip's of INETB.

Is it possible to have two uplinks active?  And i don't mean isp redundancy.  One to INETA and one to INETB. 

Default gateway will be to INETB.  This will cover internet access for internal users.

Access to the block of public ip's for INETA also needs to be active.  This is basically only for those specific devices.  This boils down to : there are two seperated nat translation tables needed for this to work.  Each tied to their respective INET interface.   Or perhaps one global nat translation table which also keeps record of which public interface trafic came in.

I'm not sure if this is possible.

 

A picture always says more ...

2022-10-31_14h26_07.png

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2022-10-31 06:41 AM

Yes, the main thing is making sure the routing is configured correctly. 

There is only a single NAT rulebase and it doesn't factor in the interface the traffic came in on.
SecureXL does track this, so it might work the way you want.
If it's at all possible to lab this up, I'd do it to validate this configuration works the way you'd expect. 

0 Kudos
emmap
Employee
Employee
‎2022-10-31 06:05 PM

It would work ok except that reply packets from servers NAT'd to INETA IPs would go via INETB. Not necessarily a problem but if it causes issues could be resolved with some creative PBR. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events