Changing Checkpoint's Subnet!?!

Posted on 2006-06-02
Last Modified: 2013-11-16
Hello Experts

I need to reconfigure checkpoint onto a separate subnet (hidden from main LAN).  

We currently operate a flat network, for this example  The IP of the firewall is currently   Our default gateway configuration is rubbish, single interface doing stick routing (traffic in/out on same interface).

Client ( -> Default Gateway (single interface - > Firewall (

I need to change the default gateway to use two interfaces and checkpoint will be on the external side of the new default gateway config (with a new subnet)

Client ( -> Default Gateway (internal interface -> Default Gateway (external interface - > Firewall (

I've written the routing table for a dual interface gateway correctly. Tested these rules on a DSL router (connected to external interface on gateway) and they worked. When I changed the subnet on checkpoint we lost all external connectivity. The main error message seen in checkpoint was:

Information:       message_info: Dropped packet forwarded between two external interfaces

The steps taken in checkpoint were

1. Change Physical Adapter IP information
2. Change Gateway IP information in Dashboard (VPN Communities)
3. Added Network to Checkpoint.
4. Update Dashboard Topography to indicate Network was behind Network (VPN Communities)

So what did I miss, NAT perhaps???  Anyone know the logical steps to go through to change checkpoint's subnet....



Question by: missystems
    LVL 8

    Expert Comment

    Hi, I am really not able to understand your requirement/setup. Can you do some work on a diagram which you can post here?


    Expert Comment

    In the topology--IP spoofing window, change the topology of one of the interfaces to internal. I suppose both interfaces will be set to external at present. It should work after that.
    LVL 1

    Author Comment


    I've already tried our setup with IP spoofing disabled. NO joy. Sorry, forgot to add that to my initial request 8(

    LVL 1

    Author Comment

    Figured this out

    The firewall external "" network is a theoretical sub-network of the internal "" network.  (subnetted networks)

    Default gateway would get confused about routing ;)

    Fixed: use a different network range for the external interface.

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
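
The overlap described in the last author comment, as an added example that is not part of the original thread: a check that flags gateway interfaces whose networks contain one another and shows the two routing side effects. All addresses are constructed, since the thread's own addresses are not shown on the page, and the function names are hypothetical.

```python
import ipaddress

# Constructed addressing (the thread's real addresses are not shown on the page).
BROKEN = {"internal": "10.1.0.1/16", "external": "10.1.200.1/24"}
FIXED = {"internal": "10.1.0.1/16", "external": "192.168.50.1/24"}

def _net(cidr):
    return ipaddress.ip_interface(cidr).network

def find_overlaps(interfaces):
    """Return (a, b, relation) for each pair of interfaces whose networks overlap."""
    names, found = sorted(interfaces), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = _net(interfaces[a]), _net(interfaces[b])
            if not na.overlaps(nb):
                continue
            if na == nb:
                rel = "identical networks"
            elif na.subnet_of(nb):
                rel = f"{a} is a subnet of {b}"
            else:
                rel = f"{b} is a subnet of {a}"
            found.append((a, b, rel))
    return found

def egress_interface(interfaces, dest):
    """Longest-prefix match over the gateway's connected routes; None if no match."""
    ip = ipaddress.ip_address(dest)
    hits = [(_net(c).prefixlen, n) for n, c in interfaces.items() if ip in _net(c)]
    return max(hits)[1] if hits else None

def is_on_link(host_cidr, dest):
    """True if a host with this address/mask ARPs for dest instead of using its gateway."""
    return ipaddress.ip_address(dest) in _net(host_cidr)

if __name__ == "__main__":
    client = "10.1.5.20/16"  # constructed LAN client
    for label, ifs, fw in (("broken", BROKEN, "10.1.200.254"), ("fixed", FIXED, "192.168.50.254")):
        print(label, "overlaps:", find_overlaps(ifs))
        print("  client treats firewall as on-link:", is_on_link(client, fw))
        print("  gateway sends 10.1.200.37 (a LAN host) out:", egress_interface(ifs, "10.1.200.37"))
```

In the broken layout the client never hands firewall-bound traffic to the gateway, and the gateway's more specific external route captures part of the LAN range; with a separate external range both effects disappear.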
