| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| When creating a firewall object, what IP (internal/external) should we use? I used the external interface IP, but when I select get IP address, it acquires the internal IP? FW running on a Windows PC with dual NIC, to which IP address will the hostname be bound? Thanks |
| |||
| Hi, No. But it is recommended to bind the license to the internal rather than the public IP. If you want to change the existing IP to a new internal IP, you may do so by accessing Check Point's usercenter and changing it online. It will generate a new license for you with the new IP. Regards, Al |
| |||
| Hello, are you using site2site VPNs with a FW-1 gateway with an internal IP defined? We, too, are using the internal IP for the firewall(-cluster-)object and had no problems with that until now. But now we have a problem with a remote site2site VPN, because our gate uses the internal IP as ID in the IPSec negotiation. The remote partner does of course not recognize this internal IP and sends a "Notify Payload Next Payload: NONE Reserved: 0 Length: 00 1c (28) DOI: 00 00 00 00 (0) ProtID: 1 SPI Size: 16 Notify Type: 18 (INVALID-ID-INFORMATION) SPI: ef a0 bb b4 2f 0b 0a 8c f3 d5 90 69 23 84 ea 62 " Has anyone ever had this problem, too? Thanks in advance, Dennis Breithaupt |
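As an added illustration (not part of the original thread), this Python sketch parses an IKEv1 Notification payload as laid out in RFC 2408 and decodes the fields shown in the dump above, which helps when reading such a rejection out of a capture or IKE debug log. The byte string is reconstructed from the field values quoted in the post; the function and table names are hypothetical.

```python
import struct

# Subset of the RFC 2408 (section 3.14.1) notify error types.
NOTIFY_TYPES = {
    11: "INVALID-SPI",
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
}
PROTOCOLS = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP"}  # RFC 2407 protocol IDs
FIXED_LEN = 12  # generic header (4) + DOI (4) + ProtID, SPI size, notify type (4)

# Reconstructed from the fields quoted in the post above (not a raw capture).
SAMPLE = bytes.fromhex(
    "00 00 00 1c 00 00 00 00 01 10 00 12"
    "ef a0 bb b4 2f 0b 0a 8c f3 d5 90 69 23 84 ea 62"
)


def parse_notify(buf: bytes) -> dict:
    """Parse one ISAKMP Notification payload, generic header included."""
    if len(buf) < FIXED_LEN:
        raise ValueError("shorter than the fixed part of a Notification payload")
    next_payload, _reserved, length, doi, proto, spi_size, ntype = struct.unpack(
        "!BBHIBBH", buf[:FIXED_LEN]
    )
    # The declared length must cover the fixed part plus the SPI and fit the buffer.
    if length > len(buf) or FIXED_LEN + spi_size > length:
        raise ValueError("length fields are inconsistent with the buffer")
    spi = buf[FIXED_LEN:FIXED_LEN + spi_size]
    result = {
        "next_payload": next_payload,
        "length": length,
        "doi": doi,
        "protocol": PROTOCOLS.get(proto, f"unknown({proto})"),
        "notify_type": NOTIFY_TYPES.get(ntype, f"unknown({ntype})"),
        "spi": spi.hex(),
        "data": buf[FIXED_LEN + spi_size:length],  # optional notification data
    }
    # For protocol ISAKMP, a 16-byte SPI is the initiator/responder cookie pair.
    if proto == 1 and spi_size == 16:
        result["cookies"] = (spi[:8].hex(), spi[8:].hex())
    return result


if __name__ == "__main__":
    for key, value in parse_notify(SAMPLE).items():
        print(f"{key}: {value}")
```
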
| |||
| Yes, I've seen that problem. If you're using pre-NGX, you need to use the external IP as the primary IP of the firewall object. Normally this is not a big deal to change, since your licenses should be central anyway. If you're using NGX, the link-selection options should let you do what you want without changing the firewall IP. |
| |||
| Hi, we're using NGX (R60_HFA03). Outgoing Route Selection is on "Operating system routing table", Source IP address settings is on "Automatic (derived from method of IP selection by remote peer)". We need this setting, because some of our remote users connect to an "internal" interface of our firewall, so we can't set this "hard" to "Manual: Main IP address". Nevertheless the "Source Address" of our IKE packets is correct, the external IP of our gateway. But the "ID" in the payload of the IPSec packets is the wrong one, the internal IP. I don't see any option to manipulate this "ID" itself. Further hints? Thanks! |