This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rui_Pereira1
Contributor
Contributor
3 weeks ago
Jump to solution

VSX as Web proxy using IP different from the interface

Hi.

 

I'm trying to put in operation an explicit Web proxy within a VS (on a VSX cluster).

This VS only has 2 interfaces, external (the default route), and the internal (RFC 1918 route).

It works ok, PC have the VS internal IP address as proxy, and the outbound traffic leaves the VS with the external IP address.

However, If I want to use as proxy address an IP address from the VS internal interface, I can't put it to work.

I've tried IP address in the network as the internal interface (with NAT rule and proxy ARP entry), but it didn't work.

Tried with an IP from a different network (with a NAT rule for VS internal IP), but no luck.

The traffic arrives in the VS, but nothing happens after.

 

Also, a second issue is to change the outbound IP address based on the source PC.

But no luck also, just created a simple NAT hide rule, but it isn't taken in account... it always use the external interface IP.

Maybe I can do it for the destination, but then the rule will be applied to all sources...

 

And as far as I know, loopback or secondary addresses are not permitted in VS.

 

Anybody succeeded in putting a Web proxy working in VS but using IP different from the interface IP (or internal IP, or external IP, or both)?

 

This deals with a proxy migration, where I would like to keep the old proxy address (and it is an IP and not a FQDN), and the old outbound public address, but the same can't be assigned directly to the VS interfaces.

 

Thanks

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
3 weeks ago
Jump to solution

Please review sk165672 and see if it helps with the NAT portion of your issue.

You may however need to consult TAC regarding the VS specific granularity of the same if required.

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
3 weeks ago
Jump to solution

In an explicit proxy configuration, traffic always originates from the gateway itself.
This is why explicit proxy traffic is F2F and will definitely lead to an increase in CPU utilization.

It's also likely why NAT rules involving the source IP don't work, since I believe that's done on the inbound chains only.
Having said that, unchecking "Translate Destination on Client Side" under Manual NAT rules in global properties might help here (or possibly create other issues):

 image.png

Otherwise, you're likely looking at an RFE.

0 Kudos
Rui_Pereira1
Contributor
Contributor
3 weeks ago
In response to PhoneBoy
Jump to solution

As this a VSX I do not want to uncheck "Translate Destination on Client Side", due to implications in other VS.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
3 weeks ago
Jump to solution

Please review sk165672 and see if it helps with the NAT portion of your issue.

You may however need to consult TAC regarding the VS specific granularity of the same if required.

CCSM R77/R80/ELITE
0 Kudos
Bob_Zimmerman
Authority
Authority
3 weeks ago
In response to Chris_Atkinson
Jump to solution

That should definitely work for the proxy-to-server leg of the connection.

As for the client-to-proxy leg, I've been trying to find out more about that, myself. My company merged with another which uses the firewalls as proxies like this. I don't see any process listening on the proxy port, but connections to the proxy port work. I suspect it's getting handled by the multi-portal feature or something like it, but I haven't had time to really dig into what the proxy process is or how it receives traffic.

0 Kudos
Rui_Pereira1
Contributor
Contributor
3 weeks ago
In response to Chris_Atkinson
Jump to solution

Applied sk165672 on the VS and it worked.

On the log we have an outbound source IP different from the interface IP  and it is accordingly with the NAT policy.

However in the log, the original source is the VS funny IP, we do not have any reference to the original source user IP (as in the old mode), nor any way to correlate the two logs.

But now it is possible to control the source outbound IP address.

Thanks

Wolfgang
Authority
Authority
3 weeks ago
Jump to solution

It‘s VSX, maybe you can build another VS around your existing one and do the NAT there. Use the VS only as router or maybe s bridge, a rule with any any allow and your NAT rules. Doing no deep inspection need not so much CPU utilization.

0 Kudos
Rui_Pereira1
Contributor
Contributor
3 weeks ago
In response to Wolfgang
Jump to solution

That could be a solution, but need to connect both VS by an external VLAN to take advantage of VSLS, and it is traffic passing twice on the same switches.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events