Solved

Checkpoint Firewall - routing set of IPs through different router..

Posted on 2002-04-29
Last Modified: 2013-11-16
hi guys,

I want to ask your advice how to make it possible with Checkpoint fw on Win NT/2000. What do I have to configure to make the FW route a (sub)set of the LAN IPs through another Router (B)?
Assuming this current topology:

             ISP1
               |
          Router A
               ---
                 |
              Firewall (no NAT)
                 |
                LAN

I want this new topology:


             ISP1     ISP2
               |       |
          Router A   Router B
               --------
                 |
              Firewall (no NAT)
                 |
                LAN

Please check through the list with me:

1. Add another NIC to FW (can I do this without adding a NIC but rather specifying the next hop router, A or B, instead of the interface to go out?)
2. Configure static routing on NT box to route subset IP traffic to router B? Default for all other traffic would be router A.
3. ???

Pls advise...!

Question by:Haho
11 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6977822
Are you trying to load balance your client machines?  If I understand correctly, you want to forward all of the traffic from a subset of your LAN IPs to a different ISP.  Why?
 
LVL 1

Author Comment

by:Haho
ID: 6979195
hi geoff

for some testing scenario where we want to divert some IPs to another link (Router B). Router A remains the default gateway. Please advise if this can be done and how to go about it.
 
LVL 79

Expert Comment

by:lrmoore
ID: 6980381
You could let the router A (your default gateway) make that decision with route-maps/access-lists. Basically, any traffic from source X to destination Y goes to router B, else go out router A. Simple thing to do on a router, but alas, Windows/Checkpoint ain't a router.
 
LVL 11

Expert Comment

by:geoffryn
ID: 6980858
That's a tough one.  As Lrmoore said Checkpoint is not really a router.  You might be able to accomplish this by defining a network object for the range you want to divert and then NATing from inside to outside, but I cannot confirm that.  Never tried it.
 
LVL 1

Author Comment

by:Haho
ID: 6982981
dear guys,

I understand that Checkpoint is not a router but it does really seem possible because I believe we can set up static routing in Windows NT/2000 for those few specific addresses, e.g.

0.0.0.0   router A  interface A
x.x.x.x   router B  interface B (the new NIC)

and set up Checkpoint for the appropriate rules..
seems logical to you guys?
Pls advise.
 
LVL 79

Expert Comment

by:lrmoore
ID: 6983073
Yes, you can set up static routes per DESTINATION network. Your question was regarding routing by SOURCE. You can send all traffic destined for specific address x.x.x.x out to router B. Router A and router B can be on the same network and you would not need another physical NIC.
If you set up a static route to say 12.33.13.x to go to router B and set up a rule that only allows certain users/source IP addresses to go to that network, then nobody else would get there at all. How many foreign destination networks are you looking at setting up static routes for? You can have one and only one default.


C:>ROUTE ADD -P X.X.X.X MASK 255.255.255.0 <IP ADD OF RTR B>

syntax:
 route add -p (make it permanent) <foreign network> mask <foreign netmask> <gateway>

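The design lrmoore describes above, modelled in Python as an added example (not from the thread): a host routing table that picks the gateway by longest prefix match on the destination only, plus a firewall rule that restricts which LAN sources may reach the network statically routed to router B. The gateway addresses, LAN hosts and the allowed-source list are constructed placeholders; 12.33.13.0/24 is the destination range used in the comment.

```python
import ipaddress

# Constructed routing table modelled on the thread's example: one default
# route via router A and one static route (the "route add -p" entry) via
# router B. Gateway addresses are placeholders, not real networks.
ROUTER_A = "192.168.1.1"
ROUTER_B = "192.168.1.2"
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ROUTER_A),
    (ipaddress.ip_network("12.33.13.0/24"), ROUTER_B),
]

# Constructed firewall rule: only these LAN sources may reach the network
# that is statically routed to router B; every other source is dropped,
# which is the "nobody else would get there at all" behaviour.
DIVERTED_NET = ipaddress.ip_network("12.33.13.0/24")
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.0.0.5"),
    ipaddress.ip_address("10.0.0.6"),
}


def next_hop(dst):
    """Longest-prefix match, as the Windows routing table does.

    The decision depends on the destination only; the source address is
    never consulted, which is why a static route cannot route by source.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [(net, gw) for net, gw in ROUTES if dst in net]
    _, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return gw


def forward(src, dst):
    """Firewall rule first, then routing table.

    Returns the gateway the packet is sent to, or None when the rule
    drops it. Only the rule looks at the source address.
    """
    src = ipaddress.ip_address(src)
    if ipaddress.ip_address(dst) in DIVERTED_NET and src not in ALLOWED_SOURCES:
        return None  # dropped: this host is not allowed onto the router B path
    return next_hop(dst)
```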
 
LVL 1

Expert Comment

by:ymash
ID: 6992284
Listening
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6992323
Haho,

I am sorry I am jumping in to this kind of late, I am guessing that you are trying to make some "sub(set)" of your internal hosts use routerB(ISP2) for their outgoing internet.  If I am right, I just would like to ask why?  You realize this will get you almost nothing unless the host(s) using routerB are internet servers.  Unless I am missing something your public blocks of IP addresses are advertised out routerA through ISP1, right?  Well, most of your traffic should be incoming not outgoing.  So even if you send half the traffic out routerB, the overall majority of your traffic will still be coming across routerA.  And to answer your question, if you are trying to do policy based routing on checkpoint fw's you need floodgate-1 a QoS module from checkpoint for their fw's.  Again I don't see you getting any benefit by sending some of the traffic out another link unless you host a lot of servers that get accessed from the internet.
 
LVL 13

Accepted Solution

by: hstiles earned 100 total points
ID: 7011428
Can't you just cheat?

You could, say define Router A as the default gateway for the firewall and simply modify the routing table on Router A to redirect traffic either to Router B or back to the firewall as required.
 
LVL 1

Author Comment

by:Haho
ID: 7029044
That looks like a solution ! :)
 
LVL 79

Expert Comment

by:lrmoore
ID: 7029900
How is the accepted solution different from what I suggested a month earlier - let the routers make those decisions....????