
Checkpoint 4.1 external interface(s)

Posted on 2003-03-20
Last Modified: 2013-11-16
Running Checkpoint 4.1 on Solaris 2.6

I was wondering, is it possible to have two external interfaces on the same network? This is part Solaris question, part Checkpoint.
example:

hme0 23.24.25.6
hme1 23.24.25.7
hme2 10.2.1.1

My understanding is that it wouldn't be possible b/c Solaris wouldn't be able to route packets. But even if I could work it under Solaris, would it work with Checkpoint?
The reason I ask is b/c I can't get two external interfaces to come up without causing serious problems, and I'm starting to think it can't work. I'm just messing around, so it's not urgent, but any input would be appreciated. Thanks.
Question by:calic0
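
The layout in the question can be confirmed from the host itself before any firewall policy is involved. The following is an added example, not part of the original thread: it parses Solaris-style `ifconfig -a` output and reports interfaces whose subnets overlap. The sample output is constructed from the addresses in the question, and the `ffffff00` netmasks are an assumption, since the question does not give them.

```python
import ipaddress
import re

# Constructed sample in Solaris `ifconfig -a` layout. Addresses come from the
# question; the ffffff00 netmasks are assumed (the thread does not state them).
SAMPLE_IFCONFIG = """\
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 23.24.25.6 netmask ffffff00 broadcast 23.24.25.255
hme1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 23.24.25.7 netmask ffffff00 broadcast 23.24.25.255
hme2: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 10.2.1.1 netmask ffffff00 broadcast 10.2.1.255
"""

IF_LINE = re.compile(r"^(\S+): flags=\w+<([^>]*)>")
INET_LINE = re.compile(r"^\s+inet (\S+) netmask ([0-9a-fA-F]{1,8})\b")


def parse_ifconfig(text):
    """Return [(name, IPv4Interface)] for every UP, non-loopback interface."""
    result, current = [], None
    for line in text.splitlines():
        m = IF_LINE.match(line)
        if m:
            flags = m.group(2).split(",")
            usable = "UP" in flags and "LOOPBACK" not in flags
            current = m.group(1) if usable else None
            continue
        m = INET_LINE.match(line)
        if m and current:
            # Solaris prints the netmask in hex; count set bits for the prefix
            # length (assumes a contiguous mask).
            prefix = bin(int(m.group(2), 16)).count("1")
            addr = ipaddress.ip_interface(f"{m.group(1)}/{prefix}")
            result.append((current, addr))
    return result


def shared_subnets(interfaces):
    """Return (name_a, name_b, network) for each pair whose subnets overlap."""
    hits = []
    for i, (a, ia) in enumerate(interfaces):
        for b, ib in interfaces[i + 1:]:
            if ia.network.overlaps(ib.network):
                hits.append((a, b, str(ia.network)))
    return hits


if __name__ == "__main__":
    for a, b, net in shared_subnets(parse_ifconfig(SAMPLE_IFCONFIG)):
        print(f"{a} and {b} are both on {net}")
```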

Expert Comment

by:rhandels
ID: 8181115
Hello,

As far as I know, it's not possible in Checkpoint; it can only support one way out. I think that you would be spoofing yourself. Anyhow, why would you like to pull this one off?

Greets Ray

Expert Comment

by:chris_calabrese
ID: 8181132
You should be able to do this on the Solaris side pretty easily. There are docs on sun.com on how to do this.

And I don't think CheckPoint cares (though I won't swear to it, since it may cause problems for the state table).

But meanwhile, CP 4.1 is no longer supported, so you should be playing around on NG.

Expert Comment

by:zekker
ID: 8181338
You cannot have the same network on two different interfaces, UNLESS you are doing some sort of failover between NICs, and even in that case there would be one "virtual" IP shared between them.

I know on a Cisco router this is not possible, but we are not talking Cisco, and I have never seen it on a CP firewall.

Expert Comment

by:chris_calabrese
ID: 8182815
Solaris-wise: You can definitely have two interfaces on the same network, but must use something like BGP to balance them. This is typically done to support redundant NICs.

CPwise: if this is for redundancy, a more typical way of doing this is to have two complete firewalls and have failover or load-balancing between. This can be done with routing (BGP), with hardware (load balancers), or with software (Stonebeat, etc.)

Expert Comment

by:igge
ID: 8675986
I think the best way to do this is to set an IP alias, virtual IP or whatever you call it on the external interface, depending on what you want to do with it. I'd do this by setting up the NIC with one interface and one IP, then when that's working just do "arp -s secondary_ip external_interface_mac_address_in_hex pub"; then the fw will receive packets for that IP. Then you can do whatever with them, like "route -host secondary_ip some_internal_ip" or something: a manual old-fashioned NAT.

/Magnus

Expert Comment

by:lrmoore
ID: 8904717
calic0,
No comment has been added lately (33 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: PAQ/No Refund

Please leave any comments here within 7 days.

-- Please DO NOT accept this comment as an answer ! --

Thanks,

lrmoore
EE Cleanup Volunteer

Accepted Solution

by:
Mindphaser earned 0 total points
ID: 8996150
Force accepted

** Mindphaser - Community Support Moderator **