• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1783
  • Last Modified:

Changing Checkpoint's Subnet!?!

Hello Experts

I need to reconfigure checkpoint onto a separate subnet (hidden from main LAN).  

We currently operate a flat network, for this example  The IP of the firewall is currently   Our default gateway configuration is rubbish, single interface doing stick routing (traffic in/out on same interface).

Client ( -> Default Gateway (single interface - > Firewall (

I need to change the default gateway to use two interfaces and checkpoint will be on the external side of the new default gateway config (with a new subnet)

Client ( -> Default Gateway (internal interface -> Default Gateway (external interface - > Firewall (

I've written the routing table for a dual interface gateway correctly.  Tested these rules on a DSL router (connected to external interface on gateway) and they worked.   When I changed the subnet on checkpoint we lost all external connectivity.  Main error messages seen in checkpoint was :-

Information:       message_info: Dropped packet forwarded between two external interfaces

The step taken in checkpoint was

1. Change Physical Adapter IP information
2. Change Gateway IP information in Dashboard (VPN Communities)
3. Added Network to Checkpoint.
4. Update Dashboard Topography to indicate Network was behind Network (VPN Communities)

So what did I miss, NAT perhaps???  Anyone know the logical steps to go through to change checkpoint's subnet....



1 Solution
hi..i am really not able to understand ur requirement/setup..can u do some work on a diagram which u can post here...

in the topology--Ip spoofing .. window, change the topology of one of the interfaces to internal ...i suppose both interfaces will be set to external at present. it should work after that
missystemsAuthor Commented:

I've already tried our setup with IP spoofing disabled.  NO joy.  Sorry forgot to add that to my inital request 8(

missystemsAuthor Commented:
Figured this out

The firewall external "" network is a theoretical sub-network of the internal "" network.  (subnetted networks)

Default gateway would get confused about routing ;)

Fixed use different network range for external interface.
PAQed with points refunded (500)

Community Support Moderator

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now