Hi Team,
We are planning to use a topology given below.
I am planning to use 1.2.3.5, which is the LB, as the Check Point default gateway. Server 10.10.10.30 is statically (manually) NATed to 1.2.3.7.
Proxy ARP is added on the firewall.
From a Check Point perspective, I wanted to understand the routing part in the scenario below.
Once it reached to Check Point
OR
My strong feeling is that it would definitely be sent back to 1.2.3.4, since routing is not stateful, and I would need to add PBR on CP for the source IP.
Please advise.
I was right, as it would definitely refer to the route.
Please clarify the diagram further by specifying subnet masks. Is the LB itself performing any NAT?
Generally the most specific route will be followed.
You can consider that those are all in the same network. Let's say /27.
Nope, static NAT will be configured on Check Point, so that incoming traffic for the application server will be NATed on the Check Point firewall and forwarded to the server, while outbound traffic from hosts, which is a hide NAT, will be configured on the LB. So the default gateway for Check Point is the LB.
Remember that connected/specific routes are preferred over the default, so the source you mention will probably have a different behavior in this case if it's part of a /27.
Yes, I agree, and in this scenario there are no specific routes. I agree that the more specific routes will match first, and before that even PBRs are matched. However, in this scenario no specific routes are added and only a default gateway is pointed to the LB. I am wondering whether reverse traffic for statically NATed IPs, which is part of an established session, will be routed to the LB or the router, since it knows that the traffic was received from R1 through eth0.
Are you NATing the source IP too? Does the internet host's source IP change when traversing the environment via R1?
If not, then I am pretty sure you will have an asymmetric routing issue if your default gateway points to the LB, whereby the return traffic from 10.10.10.30 will flick to the LB from CP.
Nope, I am not NATing the source IP. The source IP is going to be the original. And I am pretty sure it would cause an asymmetric routing issue; however, I wanted to confirm once. Thanks though.
You could test on R1 NATing the source IP to an R1 address to force the reply back to R1. Obviously subject to testing, as I'm unsure of environment specifics 🙂
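An added illustration of the stateless route lookup discussed in this thread (example code, not from any poster or from Check Point): it models CP's routing table with the /27 the thread assumes and shows that the server's reply to an internet client follows the default route to the LB, while R1 hide-NATing the client or a source-based PBR on CP brings the reply back to R1. The client address 203.0.113.10 and the route entries are constructed assumptions.

```python
import ipaddress

# Constructed routing table for the thread's topology (assumptions: the 1.2.3.0/27
# segment holds R1 = 1.2.3.4, LB = 1.2.3.5 and the static NAT address 1.2.3.7;
# the server LAN is 10.10.10.0/24; CP's default route points at the LB).
ROUTES = [
    ("0.0.0.0/0", "1.2.3.5"),         # default gateway = LB
    ("1.2.3.0/27", "connected"),      # eth0, where R1 and the LB sit
    ("10.10.10.0/24", "connected"),   # server LAN
]
R1, LB = "1.2.3.4", "1.2.3.5"

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route wins, the default route last.
    For a connected route the next hop is the destination itself (delivered via ARP)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return dst if best[1] == "connected" else best[1]

def reply_next_hop(client_ip, r1_hides_client=False, pbr=None):
    """Next hop for the server's reply once CP reverses the static NAT.
    Routing is stateless: CP does not remember that the request arrived from R1.
    client_ip:        source address of the request as CP saw it.
    r1_hides_client:  R1 hide-NATs the client behind its own address (1.2.3.4).
    pbr:              {source prefix: next hop}, policy routes checked before the table."""
    reply_src = "10.10.10.30"                    # real server; NAT to 1.2.3.7 happens on egress
    reply_dst = R1 if r1_hides_client else client_ip
    for prefix, nexthop in (pbr or {}).items():  # PBR on the reply's source IP wins first
        if ipaddress.ip_address(reply_src) in ipaddress.ip_network(prefix):
            return nexthop
    return lookup(reply_dst)

def is_asymmetric(ingress_neighbor, reply_hop):
    """True when the reply leaves toward a different neighbor than the one that delivered the request."""
    return reply_hop != ingress_neighbor

if __name__ == "__main__":
    for label, kw in [("no mitigation", {}), ("R1 hide NAT", {"r1_hides_client": True}),
                      ("PBR on CP", {"pbr": {"10.10.10.0/24": R1}})]:
        hop = reply_next_hop("203.0.113.10", **kw)
        print(f"{label:14} reply next hop {hop}  asymmetric={is_asymmetric(R1, hop)}")
```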