Adding a NIC to current Checkpoint Firewall-1?

Posted on 2002-05-08
Last Modified: 2013-11-16

Looking for the correct way to add another NIC to my current Checkpoint Firewall-1 v4.1 SP4 NT4.0 SP5 system.  I have reviewed looking for a solution or help and cannot find one so I'm asking here.  I want to add a DMZ to my current firewall configuration. Each time I add the new NIC, configure the rules and ensure that the firewall object has all the interfaces, the firewall seems to stop working (i.e. forwarding of packets).  What is the correct way to install the new NIC and get it to function?  Should I back up the config files, install the NIC, then reinstall the firewall and finally copy back over the config information?  Or is there an easier way?  Anyone else tried to do this before?

Question by:sergold

Accepted Solution

Mishou earned 500 total points
ID: 6997152

You need to do the following steps:

In Control Panel -> Devices, look for 2 firewall devices and set them to manual.
In Control Panel -> Services, set all the firewall-related services to manual.
Shut down the server.
Install the card in an empty PCI slot.
Reboot the server, add the driver for this new card and configure the IP address on it.

This will require another reboot of the machine.

Once the server is up verify that you are able to ping and be pinged from DMZ, Internal LAN and from the outside card.
This will ensure that the routing table is configured right.
Also, maybe it is a good idea to post here the output of your "route print" and "ipconfig /all" commands.

Remember, FW-1 is just software that sits on top of your NICs, allowing (or denying) traffic.

At this point you can set the FW-1 devices and services back to automatic (or whatever state they were configured in before) and restart the server.

Configure the firewall object to recognize all 3 interfaces and modify your policy to reflect this and to include the DMZ zone.

Now there are a few questions:

Do you use NAT, or routing with public IPs?
What are the IPs and networks on your cards?

Try to use a generic policy (as a test) that opens everything in order to see if you can send/receive traffic to/from the DMZ and Internal LAN.

Hope this will help
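The routing check described in the answer above can be done mechanically on saved "route print" output. The following is an added example, not part of the original answer: the sample table and NIC addresses are constructed, and treating "exactly one default route plus one connected route per NIC" as the pass criteria is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample in the NT 4.0 "route print" column layout; addresses are made up.
SAMPLE_ROUTE_PRINT = """\
Active Routes:

  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1       192.0.2.10       1
          0.0.0.0          0.0.0.0       10.1.1.254         10.1.1.1       1
         10.1.1.0    255.255.255.0         10.1.1.1         10.1.1.1       1
        192.0.2.0    255.255.255.0       192.0.2.10       192.0.2.10       1
"""

# Hypothetical addressing for the three NICs (not taken from the thread).
NICS = {
    "internal": "10.1.1.1/255.255.255.0",
    "external": "192.0.2.10/255.255.255.0",
    "dmz": "172.16.1.1/255.255.255.0",
}

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(r"^\s*" + r"\s+".join([IP] * 4) + r"\s+(\d+)\s*$")

def parse_routes(text):
    """Return one dict per route row; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gateway, iface, _metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append({"net": net, "gateway": gateway, "interface": iface})
    return routes

def check_routing(routes, nics):
    """Return a list of findings; an empty list means the table passes."""
    findings = []
    # Assumed criterion: a multi-homed firewall should have a single default route.
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"expected 1 default route, found {len(defaults)}")
    # Assumed criterion: each NIC's own subnet is routed out of that NIC.
    for name, addr in nics.items():
        nic = ipaddress.ip_interface(addr)
        if not any(r["net"] == nic.network and r["interface"] == str(nic.ip) for r in routes):
            findings.append(f"{name}: no connected route for {nic.network} via {nic.ip}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_routing(parse_routes(SAMPLE_ROUTE_PRINT), NICS)))
```

To run it against a real table, save the output of "route print" to a file on the firewall host and pass the file's text to `parse_routes`.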



Author Comment

ID: 7001396

Thank you for your quick reply.  I am going to try what you suggest first thing Monday morning.  I cannot do it now as the firewall is in use.  I will attempt to work on it before hours.  We do use NAT.  The Internal NIC is on our illegal IP network, the External NIC is on the Public legal IP network, and I plan to put the DMZ NIC on the network.  I think the key will be to use a generic policy, I should have thought of this, but instead I just tried using the one I already had with the new rules added.  I will test ping everything then start the firewall and try an open basic policy.  I will let you know how it goes.

Will follow up here Monday


Expert Comment

ID: 7004628
This is not directly related to your question, but I feel compelled to comment on this: you mention NT 4.0 SP5 as being the OS on which your FW-1 operates. ***You are not fully patched **** I would suggest you upgrade at the earliest to SP6A and also apply the Security Rollup Package (SRP) which fixes a lot of vulnerabilities.


for more details. Be sure to try this rollout on a pre-production firewall before you apply on the production firewall.


Arvind Shyamsundar
Brainbench MVP for Internet Security

Author Comment

ID: 7010964
Mishou and Arvind,

Thanks both for your help.  Great advice from both of you and I appreciate the help.  Everything both said is correct and worked great.  I still had the problem though with the DMZ not working.  I figured out the solution was to add a couple rules in Address Translation from some help from the help list at  Because I was using NAT and hiding behind, in other words the firewall's IP address, I need to have Address Translation keep the original SRC and DEST.  Thanks for all the help and getting me on the right track of where to start.  I extensively used your pinging idea Mishou with an open rulebase to help figure this all out.  And also thanks Arvind for the note on patching, it was planned just hadn't happened yet.



Question has a verified solution.
