fxschaefer
Explorer

Replacing SonicWall with CheckPoint and keep SonicWall as a Client VPN Gateway

Hello all,

I must confess that I am still completely new to the CheckPoint environment. Please forgive me if some information is missing. This is simply due to my inexperience.
We will soon replace our existing firewall solution (SonicWall NSA 2650) with a CheckPoint 6600. To take some load off the CheckPoint and make the switch a little easier, we would like to keep our SonicWall cluster running as a client VPN gateway (home office etc.).
The required networks (i.e. the client VPN network and the internal network to be reached) and access rules have already been created on the CheckPoint side. On the SonicWall side, all rule sets etc. still exist anyway.
To my understanding, it should be sufficient if we simply plug the LAN interface of the SonicWall into an interface of the CheckPoint and connect the two components (SonicWall as client VPN gateway and the CheckPoint as firewall) with each other. This way, the VPN gateway (SonicWall) would practically be "in front" of the CheckPoint. The incoming client VPN traffic would then be received on the SonicWall side and routed to the CheckPoint via the target interface.

Are there any possible stumbling blocks here that you can see directly, or how would you proceed if you want to continue to operate an old firewall cluster as a VPN gateway? I am grateful for any help.

Thanks

Felix

PhoneBoy
Admin

A simple diagram of the proposed connectivity would help.
I see a couple of scenarios:

  1. Have both gateways connected externally with the LAN interface of the Sonicwall connected to either a dedicated or DMZ interface on the Check Point (not your internal LAN). This will prevent the "encrypted" VPN traffic from passing through the Check Point while giving you complete visibility over what the Remote Access users do.
  2. Put the Sonicwall behind the Check Point on a dedicated interface. This protects the Sonicwall gateway itself (if you're running IPS, etc), but places extra load on the Check Point gateway.
fxschaefer
Explorer

Hi PhoneBoy,

Got it. Yes, both scenarios should work. I would prefer option 1 first though and understand the point of better visibility if I terminate the tunnel prematurely on the SonicWall and then route it into the CheckPoint on a dedicated interface. That sounds good from my perspective.
We can still provide a public IP for the SonicWall, so nothing should block the implementation here.
From your point of view, are there any other points that I would have to take into account here on the CheckPoint side? Apart from the access rules and the setup of the other interfaces?

Thanks

Felix

the_rock
Legend

I think the 2nd scenario PhoneBoy gave would probably work in your case.

Andy
