mgijtenbeek asked:

How to manage Checkpoint UTM-1 Edge behind a (S&D) NAT Firewall with Smartdashboard.

Hello Experts,

I have the following situation for which I have not (yet) found a solution.
We have several sites connected with a mesh VPN on checkpoint NGX R65 where we manage the UTM-1 Edge devices centrally from SmartDashboard on the smartcenter server.

One site will be connected to our VPN community but the Checkpoint UTM-1 Edge is behind a NAT firewall that will do source and destination NAT. (We do NOT manage that Firewall.)

NETWORK 1 = "public"  network, this has the external interfaces of the other UTM's, they connect site to site with a direct tunnel as needed. (NET1)
NETWORK 2 = The new site's internal network with non-routable IPs. (NET2)
NETWORK 3 = The Internal network within the VPN I manage (Not applicable in the rest of this discussion)

They are connected like this:
NET1 <--> Firewall1 <--> NET2 <--> Firewall 2 (UTM-1 Edge) <--> NET3
We do not manage Firewall1, but it is configured with an external IP on NET1 which was assigned for the UTM 1 (FW2). So this is the IP that would have been on the external interface of the UTM-1 if it would have been possible to connect to it directly.

Any incoming traffic to this IP is D(estination)NAT'ed to arrive on the external interface of the UTM-1 Edge, which has an internal IP in NET2. Because NET2 IPs are not transmittable over the public NET1, any (reply) traffic from the UTM-1 is S(ource)NAT'ed to the external IP as assigned on the Firewall1 between NET1 and NET2.

So that neatly covers traffic to and traffic from the UTM-1 to the other location with a UTM and should in theory enable it to establish VPN tunnels to them. (Thus making NET3 available to other sites.)

The issue is this. When I add a UTM-1 checkpoint in SmartDashboard I also add the topology of that device. How do I configure this so that the device knows the IP assigned to the external interface on the UTM-1, but also that other sites know that that firewall is reachable by communicating to the assigned IP on the Firewall 1 between NET1 and NET2?

So what I want is a way to tell the other nodes in the network to talk to the routable external IP assigned to the Firewall one when setting up a VPN to this site, but have the UTM-1 on this site be manageable from the Smartcenter and know its network connections.
This is because I will lose the connection if I accidentally assign the external routable IP to the external interface of the UTM.

I hope this clearly describes the situation and I would be very happy with any help. I will keep an eye on this topic during CET work hours and reply to any further questions for details.
500 Points are available based on the fact that I could not find any relevant links when googling it, so I guess it's an advanced topic. I just had my NGX 1 and NGX 2 training, so it's hard to guesstimate how complicated this is, so better on the safe side. Besides, once you are building VPNs over separate networks like this it's advanced anyways, even if it is sometimes a simple answer. If multiple people help me to the answer I'll split points.

Thanks in advance.
deimark:

This is an interesting one.

Normally in a full UTM-1 install, i.e. not an edge box, we can edit the VPN properties for the link selection. In the UTM-1 link selection, we would use a statically NATted IP address as hosted by an upstream router in this case, to use as the source for outgoing VPN connections. This would allow external hosts to connect to the NATted public address successfully and be passed through the external router to the UTM-1 firewall.

Now, with an edge, it's different as there is no statically NATted link selection available.

Have you tried to bring up a VPN between this edge and another one, using the public NAT address of the edge as hosted from firewall1?

Might be worth trying to create an edge object to use the public address from firewall1 as the main IP and then configure the encryption domain as NET3 (as a new object, manually configured)

Once done, test the VPN connectivity to see if it works.

If the NAT as configured on firewall1 is a complete 1 to 1 static mapping, then basic connectivity (webUI access etc.) should work fine but not too sure on the VPN stuff.

mgijtenbeek (ASKER):

Sadly I cannot try to bring up a VPN yet as the UTM-1 Edge has just been sent to the remote country.
I just discussed the configuration with my colleague and we discovered the error in the way we planned this. :-(

So if I do understand you correctly, this is pretty simple to solve with a full UTM-1 as it offers the upstream NAT box as a supported option; the UTM-1 Edge just doesn't support "hiding" behind a NAT upstream router/firewall.

I figured the NATing should work with the web interface and such, but the entire reason it is there is for the VPN tunnel to connect it to other sites. I will try to create the objects you described as the device is delivered onsite, but that might take a while.

I now realize it might have been a bad idea to post this already as I cannot test any suggestions yet, but perhaps it will get the attention of others who know for sure if this is possible or not.
Have a look at the demo instance of smartdashboard bud.  Fire up the application and select demo and advanced from the drop down box.

This will open up a demo instance of the app including a set of configs that you can break. Needless to say you can't push any policies etc., but it will allow you to see the VPN link selection I mention.

The advanced database that you open has the full UTM-1 firewalls there, go to VPN > Link selection to see what I mean. There is also an edge there for review, so you can compare them both.

Of course for any VPN device it's preferred to have a proper public address for it, but as we know, it's not always possible. CP have installed this feature on the main firewall product but it does not seem to on the smaller edge devices.

Let us know how you get on though
Sorry to have kept you waiting, we had an outage on our NOC site to the network we use. First things first....

What I think we need is a way to inform the other nodes that they can reach the UTM-1 on a different IP than the one assigned to the external interface.

I think for this to work we'd need to make the Smartcenter server aware of the topology on that specific site, so I think I'd need to add the firewall I do not manage and add in that that device is the one connecting the reachable public IP's to the UTM-1 I manage. Am I on the right track here?

I also put in a case with our checkpoint contact to ask if the situation I described is supported with a UTM-1 Edge X, I will let you know. (If all else fails it will at least answer other people's questions when they search and run into this post.)
"I think for this to work we'd need to make the Smartcenter server aware of the topology on that specific site, so I think I'd need to add the firewall I do not manage and add in that that device is the one connecting the reachable public IP's to the UTM-1 I manage. Am I on the right track here?"

You have hit the nail on the head here. This is what's needed in your system, and it is taken care of in the full UTM-1 appliances, i.e. you can specify a different IP for VPN connections. This is CP's solution to the task.

I have had a dig around the edge docs, smartcentre info as well as my own edge box and can't see any way for us to do this on an edge. I may have missed a possible workaround to this, but at the moment, I don't think it can be done on an edge.

We may need to look at doing some funky routing and network stuff to give the edge box a public IP from the firewall1.
Well, this seems like a strange case with no certain answer.

I have been in contact with our checkpoint support partner and several networking colleagues and some say it can work and some say it won't.
To help other people browsing EE and hitting this topic I will post the result here.
We will just configure the UTM-1 Edge and send it over. As this is to another country it will take some days and we have to wait for it to be installed, so I don't know when I will update this.

If it works I'll post more details about how we configured it; if it doesn't I'll just close the topic with the closing comment that it is not possible.
Well, I finally figured it out.

It needs NAT traversal to be enabled, UDP port 4500. Then it will work.
But you will need to enable this on any other Edge on other locations as well.

Sadly this was not something that we were able to enable on the client side in the different countries involved, so we fixed it with some VPN routing internally. (Workaround, but at least it works.)

So in short, yes the UTM-1 Edge X does support NAT traversal, just not as easy as the bigger more feature complete models higher up the price range.

However, that does answer your question, for any people looking up this topic.
My apologies for taking this long, but then again, this has only just been solved last month, because I'm always waiting on other parties.
In closing, I'll accept Deimark's replies as a solution because he did a lot of work to help me out.
I'll award him the points, read the rest of the topic to see if it will help future EE users.
Points awarded because he did a lot of work and assisted greatly, but when my CP support company and several other sources don't know the answer sometimes you just have to try as we did and see how it works out.

Basically he did the research and came to the same conclusion, being that it was unclear whether it would work or not.
Sorry to hear that you had such trouble getting the workaround but glad that at least you got something out of it.