CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: ISP Circuit Change and Check Point - assistance request

#1 mjensen (joined 2018-04-18)

    Good Morning,

    My organization has a HA pair of Check Point 15400 appliances running R77.30 with Jumbo Hotfix Accumulator GA take 302.

    My organization has public IPs from our ISP for things like our mail server and Citrix remote access. These servers sit in our DMZ and our Check Points use NAT to translate the public IP to an internal private IP in the DMZ.

    A couple of nights ago we attempted to cut over to a new and faster internet circuit and had our IPs migrated from the old to the new. All of our DMZ servers, including the two mentioned above, were unreachable via any inbound traffic from the public internet.
    I cleared the ARP cache on our Check Points and all switches in the path, and connectivity from the public internet to these servers still would not work. In SmartView Tracker I couldn't even see the attempts.

    Traffic from the inside to the public internet worked fine.

    We had to back out of the change and connectivity was restored to the servers.

    I am at a loss as to why connectivity broke. Is there something special that needs to be done with these public IPs? Is there an issue that the public IPs for these servers don't actually exist on a physical interface of a device and are only used in our Check Point's NAT rules to translate to an internal IP?

    Our public internet connection comes into a layer 2 switch and each Check Point connects to a port on that same switch in the public internet VLAN.

    Any help with this would be greatly appreciated as I am going to have to try to bring up this new circuit again.

    Thank you.

#2 northlandboy (joined 2006-07-28, San Francisco, USA)

    How does your public IP address range work? Is it a subnet that is in use between the firewalls & the upstream routers, and you take NAT IP addresses from that range?

    Or is your upstream ISP routing all traffic for your public IP range direct to the firewall?

    If it's the first case, then your issue was probably related to proxy ARP. Have you checked that configuration?

#3 mjensen

    Quote Originally Posted by northlandboy:
    How does your public IP address range work? Is it a subnet that is in use between the firewalls & the upstream routers, and you take NAT IP addresses from that range?

    Or is your upstream ISP routing all traffic for your public IP range direct to the firewall?

    If it's the first case, then your issue was probably related to proxy ARP. Have you checked that configuration?


    We have a /26 block of IPs from the provider. From looking at the configuration of the provider's router on the current working circuit, I see that the first usable IP from the /26 is assigned to the inside interface. We don't have a p2p /32 connection between the Check Point and the provider's router.

    I don't see any NAT in the provider's router.

    I am assuming this is the same for their new router on our new circuit.

    I am not too familiar with checking the proxy ARP on Check Point devices. I do get the below output from the "show arp proxy all" command, if this helps:

    EXT-FWA> show arp proxy all
    IP Address      MAC Address / Interface   Real IP Address
    165.252.92.216  eth2                      165.252.92.198
    165.252.92.219  eth2                      165.252.92.198
    165.252.92.220  eth2                      165.252.92.198


    165.252.92.198 is the public IP of our current active firewall member, so I am assuming proxy ARP is turned on?

#4 Jejerod (joined 2012-07-19)

    Quote Originally Posted by mjensen:

    EXT-FWA> show arp proxy all
    IP Address      MAC Address / Interface   Real IP Address
    165.252.92.216  eth2                      165.252.92.198
    165.252.92.219  eth2                      165.252.92.198
    165.252.92.220  eth2                      165.252.92.198


    165.252.92.198 is the public IP of our current active firewall member, so I am assuming proxy ARP is turned on?

    Proxy ARP is not a switch you turn on or off. You need to configure proxy ARP for your new IP addresses (assuming you have PA addresses, i.e. you get new public IPs when switching ISPs).

    If you didn't do that, the Check Point will not answer ARP requests from your ISP router and thus you will not even see anything in SmartLog, as the packets never arrive at the gateway.

    Refer to sk30197 for your specific setup / environment.


    You can configure proxy ARP for your new IP addresses beforehand. Keep in mind that configuring proxy ARP in the WebUI or clish still requires a policy push. Check 'fw ctl arp' to see whether your configuration attempt was successful.
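
A pre-change check for the situation northlandboy and Jejerod describe: NAT addresses that exist only in the rulebase, so the gateway has to answer the ISP router's ARP requests for them via proxy ARP. This is an added example, not code from the thread or from Check Point. It parses "show arp proxy all" output (here a constructed sample in the thread's format, reusing the thread's eth2 and 165.252.92.x addresses), compares it against the public NAT addresses the gateway is supposed to answer for (an assumed list, with one address deliberately missing so the check has something to report), and prints the Gaia clish `add arp proxy` commands for the gaps. The clish syntax is taken from sk30197 and should be checked against your Gaia version before use.

```sh
#!/bin/sh
# Added example, not from the CPUG thread or from Check Point.
# Find public NAT addresses with no proxy ARP entry and print the clish
# commands that would add them.

# Constructed sample of "show arp proxy all" output in the thread's format.
SAMPLE_PROXY_ARP='IP Address MAC Address / Interface Real IP Address
165.252.92.216 eth2 165.252.92.198
165.252.92.219 eth2 165.252.92.198
165.252.92.220 eth2 165.252.92.198'

# Assumed list of public NAT addresses the gateway must answer ARP for.
# 165.252.92.221 is intentionally absent from the sample above.
EXPECTED_NAT_IPS='165.252.92.216 165.252.92.219 165.252.92.220 165.252.92.221'

# missing_proxy_arp EXPECTED_IPS PROXY_ARP_OUTPUT
# Prints each expected IP that has no proxy ARP entry, one per line.
missing_proxy_arp() {
    expected=$1
    output=$2
    for ip in $expected; do
        # Compare the whole first column so 165.252.92.21 never matches
        # 165.252.92.216 by prefix. awk exits 0 only if the IP was found.
        if ! printf '%s\n' "$output" | awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }'; then
            echo "$ip"
        fi
    done
}

# proxy_arp_commands EXPECTED_IPS PROXY_ARP_OUTPUT INTERFACE REAL_IP
# Emits one Gaia clish command per missing entry (syntax per sk30197; assumed
# to match your Gaia version). A policy push is still required afterwards;
# confirm the result with "fw ctl arp" in expert mode.
proxy_arp_commands() {
    iface=$3
    real=$4
    missing_proxy_arp "$1" "$2" | while read -r ip; do
        echo "add arp proxy ipv4-address $ip interface $iface real-ipv4-address $real"
    done
}

# Stand-alone run against the constructed sample.
missing="$(missing_proxy_arp "$EXPECTED_NAT_IPS" "$SAMPLE_PROXY_ARP")"
if [ -n "$missing" ]; then
    echo "Public NAT addresses without a proxy ARP entry:"
    echo "$missing"
    echo "clish commands to add them (push policy afterwards):"
    proxy_arp_commands "$EXPECTED_NAT_IPS" "$SAMPLE_PROXY_ARP" eth2 165.252.92.198
else
    echo "All expected NAT addresses have proxy ARP entries."
fi
```

On a live gateway, feed the function the real table instead of the sample, for example `missing_proxy_arp "$EXPECTED_NAT_IPS" "$(clish -c 'show arp proxy all')"` from expert mode, and run it on both cluster members, since each member keeps its own proxy ARP configuration. The real IP used in the generated commands should be the address that member owns on the external interface; in a ClusterXL setup the cluster VIP is what the ISP router should see answering, so verify after the policy push with `fw ctl arp` that the entries are present and point where you expect.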

#5 mjensen

    Quote Originally Posted by Jejerod:
    Proxy ARP is not a switch you turn on or off. You need to configure proxy ARP for your new IP addresses (assuming you have PA addresses, i.e. you get new public IPs when switching ISPs).

    If you didn't do that, the Check Point will not answer ARP requests from your ISP router and thus you will not even see anything in SmartLog, as the packets never arrive at the gateway.

    Refer to sk30197 for your specific setup / environment.


    You can configure proxy ARP for your new IP addresses beforehand. Keep in mind that configuring proxy ARP in the WebUI or clish still requires a policy push. Check 'fw ctl arp' to see whether your configuration attempt was successful.

    Hello, the IPs stay the same. The ISP migrates the IPs from the old circuit to the new.

#6 cciesec2006 (joined 2006-09-26)

    Quote Originally Posted by mjensen:
    Hello, the IPs stay the same. The ISP migrates the IPs from the old circuit to the new.

    You're making the problem more complicated than it is. Any reason why you use proxy ARP instead of just telling the ISP to route the /26 directly to your router VIP? That way, there is no need for proxy ARP and you can control NAT with the firewall.

#7 mjensen

    Quote Originally Posted by cciesec2006:
    You're making the problem more complicated than it is. Any reason why you use proxy ARP instead of just telling the ISP to route the /26 directly to your router VIP? That way, there is no need for proxy ARP and you can control NAT with the firewall.

    We tried another turn-up and migration with the new circuit last week and it was successful. The fault was on AT&T's end. They are using Edge Water routers that are Unix-based with a built-in firewall, and the turn-up technician had to make some changes on it; then all of our services were operational.
