• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1489

Checkpoint Firewall - routing a set of IPs through a different router

Hi guys,

I want to ask your advice on how to make this possible with a Checkpoint FW on Win NT/2000. What do I have to configure to make the FW route a (sub)set of the LAN IPs through another router (B)?
Assuming this current topology:

             ISP1
               |
          Router A
               ---
                 |
              Firewall (no NAT)
                 |
                LAN

I want this new topology:


             ISP1     ISP2
               |       |
          Router A   Router B
               --------
                 |
              Firewall (no NAT)
                 |
                LAN

Please check through the list with me:

1. Add another NIC to the FW (can I do this without
adding a NIC, by specifying the next-hop router,
A or B, instead of the interface to go out?)
2. Configure static routing on the NT box to route
the subset's IP traffic to Router B?
The default for all other traffic would be Router A.
3. ???

Please advise!

                 
Asked by: Haho

1 Solution
 
geoffryn commented:
Are you trying to load balance your client machines?  If I understand correctly, you want to forward all of the traffic from a subset of your LAN IPs to a different ISP.  Why?

Haho (author) commented:
hi geoff

for some testing scenario where we want to divert some IPs to another link (Router B). Router A remains the default gateway. Please advise if this can be done and how to go about it.

lrmoore commented:
You could let the router A (your default gateway) make that decision with route-maps/access-lists. Basically, any traffic from source X to destination Y goes to router B, else go out router A. Simple thing to do on a router, but alas, Windows/Checkpoint ain't a router.

geoffryn commented:
That's a tough one.  As lrmoore said, Checkpoint is not really a router.  You might be able to accomplish this by defining a network object for the range you want to divert and then NATing from inside to outside, but I cannot confirm that.  I've never tried it.

Haho (author) commented:
dear guys,

I understand that Checkpoint is not a router, but it does really seem possible, because I believe we can set up static routing in Windows NT/2000 for those few specific addresses, e.g.

0.0.0.0   router A  interface A
x.x.x.x   router B  interface B (the new NIC)

and set up Checkpoint with the appropriate rules.
Does that seem logical to you guys?
Please advise.

lrmoore commented:
Yes, you can set up static routes per DESTINATION network. Your question was regarding routing by SOURCE. You can send all traffic destined for a specific address x.x.x.x out to router B. Router A and router B can be on the same network and you would not need another physical NIC.
If you set up a static route to, say, 12.33.13.x to go to router B and set up a rule that only allows certain users/source IP addresses to go to that network, then nobody else would get there at all. How many foreign destination networks are you looking at setting up static routes for? You can have one and only one default.


C:\>route -p add x.x.x.x mask 255.255.255.0 <IP address of router B>

syntax:
 route -p add <foreign network> mask <foreign netmask> <gateway>
 (-p makes the route persistent, i.e. it survives a reboot)


ymash commented:
Listening

jwalsh88 commented:
Haho,

I am sorry I am jumping into this kind of late. I am guessing that you are trying to make some "sub(set)" of your internal hosts use Router B (ISP2) for their outgoing Internet.  If I am right, I just would like to ask why?  You realize this will get you almost nothing unless the host(s) using Router B are Internet servers.  Unless I am missing something, your public blocks of IP addresses are advertised out Router A through ISP1, right?  Well, most of your traffic should be incoming, not outgoing.  So even if you send half the traffic out Router B, the overall majority of your traffic will still be coming across Router A.  And to answer your question, if you are trying to do policy-based routing on Checkpoint FWs you need FloodGate-1, a QoS module from Checkpoint for their FWs.  Again, I don't see you getting any benefit by sending some of the traffic out another link unless you host a lot of servers that get accessed from the Internet.

hstiles commented:
Can't you just cheat?

You could, say define Router A as the default gateway for the firewall and simply modify the routing table on Router A to redirect traffic either to Router B or back to the firewall as required.
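
The point lrmoore makes above (a static route on the NT box picks a next hop by destination only; steering by source needs a route-map or access-list on the router) and hstiles's suggestion of letting Router A decide whether to hand traffic to Router B, as an added example in Python that is not code from this thread, from Checkpoint or from Windows. It is a small simulator: a destination-only routing table with longest-prefix match standing in for the NT route table, and a router that consults a source-based policy before its own table standing in for Router A. All addresses, prefixes and names (DIVERTED, ROUTER_A, ROUTER_B, ISP1, ISP2) are assumed sample values; only the 12.33.13.x destination is taken from lrmoore's post.

```python
"""Destination-based static routes vs. source-based policy routing.

Added example (not code from the thread, from Checkpoint or from Windows).
It models the thread's two-router topology with a small simulator: the
firewall forwards by destination only, like `route add` on NT/2000, while
Router A can apply a route-map-style source match before falling back to
its routing table. Every address and prefix below is a made-up sample
value, except the 12.33.13.x destination that lrmoore used as an example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical addressing for the example (not from the original post).
DIVERTED = ipaddress.ip_network("192.168.1.16/28")  # the "subset" of LAN hosts
ROUTER_A = "10.0.0.1"      # default gateway of the firewall
ROUTER_B = "10.0.0.2"      # second router on the same segment (no extra NIC)
ISP1 = "203.0.113.1"       # Router A's upstream next hop
ISP2 = "198.51.100.1"      # Router B's upstream next hop


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class RoutingTable:
    """Destination-only forwarding with longest-prefix match (what route.exe gives you)."""
    routes: List[Tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, pkt: Packet) -> Optional[str]:
        dst = ipaddress.ip_address(pkt.dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        # Longest prefix wins; 0.0.0.0/0 only applies when nothing more specific matches.
        return max(matches, key=lambda r: r[0].prefixlen)[1]


@dataclass
class PolicyRouter(RoutingTable):
    """A router that consults source-based policy (route-map/ACL style) first."""
    policy: List[Tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)

    def add_policy(self, src_prefix: str, next_hop: str) -> None:
        self.policy.append((ipaddress.ip_network(src_prefix), next_hop))

    def lookup(self, pkt: Packet) -> Optional[str]:
        src = ipaddress.ip_address(pkt.src)
        for net, nh in self.policy:
            if src in net:
                return nh          # a policy match overrides the destination lookup
        return super().lookup(pkt)


def firewall_static_only() -> RoutingTable:
    """Item 2 of the asker's list: static routes on the NT box. Only the
    destination can steer a packet to Router B; the source never enters into it."""
    fw = RoutingTable()
    fw.add("0.0.0.0/0", ROUTER_A)
    fw.add("12.33.13.0/24", ROUTER_B)   # lrmoore's per-destination example
    return fw


def firewall_permits(pkt: Packet) -> bool:
    """lrmoore's complement to the static route: a firewall rule so that only
    the chosen sources may reach the destination that is routed via Router B."""
    if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network("12.33.13.0/24"):
        return ipaddress.ip_address(pkt.src) in DIVERTED
    return True


def accepted_solution():
    """hstiles's 'cheat': the firewall keeps a single default to Router A, and
    Router A decides by source whether to hand the packet on to Router B."""
    fw = RoutingTable()
    fw.add("0.0.0.0/0", ROUTER_A)
    router_a = PolicyRouter()
    router_a.add("0.0.0.0/0", ISP1)
    router_a.add_policy(str(DIVERTED), ROUTER_B)
    router_b = RoutingTable()
    router_b.add("0.0.0.0/0", ISP2)
    return fw, {ROUTER_A: router_a, ROUTER_B: router_b}


def egress_path(fw: RoutingTable, devices: dict, pkt: Packet) -> List[Optional[str]]:
    """Follow the packet hop by hop from the firewall until it leaves the site."""
    hops: List[Optional[str]] = []
    device: Optional[RoutingTable] = fw
    while device is not None:
        nh = device.lookup(pkt)
        hops.append(nh)
        device = devices.get(nh)    # None once the next hop is an ISP address
    return hops


if __name__ == "__main__":
    fw = firewall_static_only()
    print("static route, diverted host -> Internet:", fw.lookup(Packet("192.168.1.20", "192.0.2.10")))
    fw2, devices = accepted_solution()
    print("router-side policy, diverted host:", egress_path(fw2, devices, Packet("192.168.1.20", "192.0.2.10")))
    print("router-side policy, other host:   ", egress_path(fw2, devices, Packet("192.168.1.100", "192.0.2.10")))
```

Running it shows the two approaches side by side: with only a static route on the firewall, a host in the diverted range still goes to Router A for an ordinary Internet destination, and any host (diverted or not) reaches 12.33.13.x via Router B unless the firewall rule stops it; with the policy on Router A, the firewall's single default is enough and the diverted hosts come out of ISP2 while everyone else comes out of ISP1. The simulator follows outbound traffic only; as jwalsh88 notes, replies still arrive wherever the public addresses are advertised, so the return path is unaffected by either approach.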
 
Haho (author) commented:
That looks like a solution ! :)

lrmoore commented:
How is the accepted solution different from what I suggested a month earlier, namely letting the routers make those decisions?
Question has a verified solution.
