Hi there!
I'm trying to get access to the internet from a Check Point FW. I can't even ping anything from the CLI of my FW.
So here is my configuration.
We are using BGP peering with the ISP. To announce our AS to the ISP I use a static blackhole route with the AS network.
I configured a NAT policy to get internet access for our users, so that works nicely.
What else do I need to configure to get access to the internet from the CP FW?
Thanks in advance, and sorry for my English.
Hi Dmitry,
Within your GAiA WebUI, besides Advanced Routing > BGP, you also need to have Route Aggregation, Inbound Route Filters and Route Redistribution properly configured.
I'm using Inbound Route Filters to filter inbound routes and it works correctly. As I said, everything is okay for the users: they have whatever access they want and NAT works perfectly. The only problem is access to the internet from the FW... I can't check for updates or even ping internet resources.
Can you not make yourself a static route out for the CP host?
What about DNS resolution? In order to access CPUSE you need name resolution on the CP host itself, are you aware of that? What about NTP on the box, as BGP relies on it?
I've already configured DNS servers and they work correctly.
The thing is, when I'm trying to get updates, Check Point uses the external interface as the source interface. In my case it has the IP address 10.1.1.1/30, which, as you know, is a private address. I would like it to look like a public address from my AS address range. How do I do that?
Do you have a public IP address you can assign to the firewall?
If so, maybe a NAT rule is in order.
Something like:
You simply need to configure BGP via the GAiA clish/WebUI and allow certain traffic to get routed out from the host (CP) itself.
That isn't too complicated, is it? Route reflection on the ISP BGP peer? Have you got the AS number properly set on the CP host?
If you need to access certain FQDNs from the CP shell you also need name resolution (DNS) configured accordingly on the CP, as well as NTP (BGP dependent).
That's it.
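The failure mode discussed in this thread, as an added example that is not code from the thread or from Check Point: traffic the gateway originates itself (ping, CPUSE update checks) leaves with the address of the egress interface, which on the ISP transit link is a private /30 address, so replies from the internet never come back even though users behind the gateway are covered by hide NAT. The model below resolves the egress interface by longest-prefix match, applies a simplified source-only NAT rulebase (first match wins), and then checks that the resulting source is neither RFC 1918 nor outside the prefix announced over BGP. The transit link 10.1.1.0/30, the announced prefix 203.0.113.0/24 and all other addresses are constructed for the demonstration; the rule and route objects are simplified stand-ins, not the Gaia or SmartConsole data model.

```python
"""Added example (not from the thread): why gateway-originated traffic fails
behind a private transit address, and how a NAT rule for the gateway fixes it.
Topology, prefixes and rule objects are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# RFC 1918 space checked explicitly: ipaddress's is_private would also flag the
# documentation prefix 203.0.113.0/24 that stands in for the public AS range here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Interface:
    name: str
    address: ipaddress.IPv4Interface   # address plus mask, e.g. 10.1.1.1/30


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    interface: str                     # egress interface name


@dataclass(frozen=True)
class NatRule:                         # simplified: matches on original source only
    original_source: IPv4Net
    translated_source: IPv4Addr
    method: str                        # "hide" (many-to-one) or "static" (one-to-one)


def nat_rule(original: str, translated: str, method: str) -> NatRule:
    rule = NatRule(ipaddress.ip_network(original), ipaddress.ip_address(translated), method)
    if method == "static" and rule.original_source.num_addresses != 1:
        raise ValueError("static NAT translates one host to one address")
    return rule


def is_rfc1918(addr: IPv4Addr) -> bool:
    return any(addr in net for net in RFC1918)


def lookup_route(routes, dst: IPv4Addr):
    """Longest-prefix match, as the gateway's routing table does."""
    best = None
    for route in routes:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def egress_interface(routes, dst: str) -> str:
    route = lookup_route(routes, ipaddress.ip_address(dst))
    if route is None:
        raise ValueError(f"no route to {dst}")
    return route.interface


def apply_source_nat(rules, src: IPv4Addr) -> IPv4Addr:
    """First matching rule wins, as in a NAT rulebase; no match means no rewrite."""
    for rule in rules:
        if src in rule.original_source:
            return rule.translated_source
    return src


def check_gateway_egress(routes, interfaces, rules, announced: IPv4Net, dst: str) -> dict:
    """Source address a packet the gateway itself sends to dst leaves with,
    and whether the internet can route a reply back to it."""
    # Locally generated traffic takes the address of the egress interface.
    src = interfaces[egress_interface(routes, dst)].address.ip
    translated = apply_source_nat(rules, src)
    problems = []
    if is_rfc1918(translated):
        problems.append(f"source {translated} is RFC 1918, internet replies cannot return")
    elif translated not in announced:
        problems.append(f"source {translated} is outside the announced prefix {announced}")
    return {"source": str(src), "translated": str(translated),
            "ok": not problems, "problems": problems}


# Constructed topology: private /30 to the ISP, user LAN behind the gateway.
INTERFACES = {
    "eth0": Interface("eth0", ipaddress.ip_interface("10.1.1.1/30")),      # BGP transit link
    "eth1": Interface("eth1", ipaddress.ip_interface("192.168.10.1/24")),  # user LAN
}
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),          # default via the ISP link
    Route(ipaddress.ip_network("192.168.10.0/24"), "eth1"),
]
ANNOUNCED = ipaddress.ip_network("203.0.113.0/24")             # prefix originated to the ISP over BGP

# As in the thread: hide NAT covers the users only.
NAT_USERS_ONLY = [nat_rule("192.168.10.0/24", "203.0.113.1", "hide")]
# Fix: a static NAT rule for the gateway's own transit address.
NAT_WITH_GATEWAY = NAT_USERS_ONLY + [nat_rule("10.1.1.1/32", "203.0.113.2", "static")]

if __name__ == "__main__":
    for label, rules in (("users only", NAT_USERS_ONLY), ("with gateway rule", NAT_WITH_GATEWAY)):
        print(label, check_gateway_egress(ROUTES, INTERFACES, rules, ANNOUNCED, "198.51.100.10"))
```

Run as-is, the first line reports the thread's symptom (source 10.1.1.1, not translated, flagged as RFC 1918) and the second shows the gateway's packets leaving as 203.0.113.2 inside the announced prefix. The second check matters as well: translating to a public address that the AS does not announce would pass a "is it private" test but still leave the ISP with no route back.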