CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi there, how does one configure the Check Point firewall to route, e.g., SMTP traffic out to a certain interface only? I know the Check Point rule base has only permit, deny and traffic classification, but there is nowhere to specify on what interface the traffic should go out or come in. Please help.

Check Point doesn't do (or really care about) routing. That's up to the OS. Check Point enforces policy in terms of what is allowed, not how to route it. You'll need to look into what's possible with whatever OS your firewall is running on.

Policy routing based on source IP can be done on SmartPlatform; however, Check Point provides no support for doing this, so you need to figure out how from the Linux documentation and manually issue the appropriate commands in rc.local. Any policy routing that would require tagged packets is not possible on SPLAT because NetFilter is not installed.

I've asked about this on Nokia IPSO and was told that it wasn't supported, by IP address, so I would assume that it certainly wouldn't do so based on protocol. If you're trying to get SMTP to route one direction, you might put a relay server in a DMZ and have your internal SMTP servers point to it. Just a thought; this might not cover what you're trying to do.

If your platform is Linux (including Crossbeam/Resilience/SecurePlatform/Red Hat...), you can do whatever you want, since Linux supports advanced routing, so you can configure policy-based routing using 'ip rule' and 'ip route'. Good luck!

The way to do this is with the use of all of the policy, including NAT and a little bit of what is called, in the Cisco world, PAT. Since you are only asking TCP port 25 (SMTP) to go out the other interface, you will need to set up a NAT rule before you overload traffic.

On the Original Packet side:
- Source: the network, group or host
- Destination: you can set this as Any (if you do this you may need to build a "no NAT between your own networks" rule prior to this)
- Service: SMTP (TCP 25)

On the Translated Packet side:
- Source: the NAT IP you want all SMTP traffic coming from (has to be on the interface side you want traffic to go out)
- Destination: Any
- Service: SMTP

After that you will need a rule allowing traffic outbound. You will then most likely want to reverse this for incoming traffic and set your MX to the NAT IP you specified above. If this isn't clear enough please let me know and I can give examples!

You are correct; you will either need to add a static route for the host (mail server) or add two equal-cost default routes out if you are hiding networks. Through use of NAT you can get the traffic to route back correctly. In our case we use dynamic routing (OSPF) between the border routers and the Nokia firewalls in area 2, and OSPF internally as well, in backbone area 0, although your internal routing table can be static as well.

Equal-cost default routes are going to do load sharing for all traffic; that's not going to achieve the stated goal of routing SMTP traffic via one interface only. If you want to ensure certain traffic doesn't swamp other traffic, it's probably better to achieve it with a traffic management solution, e.g. Packeteer, Floodgate.