Two external interfaces with UTM-1 NGX R65

I have two Check Point UTM-1 270s running NGX R65 in a HA cluster.  I have several VLAN interfaces on the external interface and one non-VLAN (our default route ISP).  Routing to and from the private VLANs works fine, but I have just connected a new ISP via a VLAN on the external interface.  The connection from the ISP is up and I can PING the interface and its gateway from the appliance, but all incoming traffic, from the internet, is dropped due to 'Address spoofing'.  I have created an object for the interface and put in a rule to allow incoming ICMP traffic, but the firewall still drops it due to spoofing.

I understand why this is happening, as the Check Point is only expecting internet traffic to come from the interface with the default route.  But I need the new ISP connection to allow incoming traffic, as it will be NATting traffic to a web site and other services.  Since I can't add the entire Internet to the topology of this interface, I am at a loss here.  How do I make this happen?

This interface does not need to allow internally initiated outbound traffic (but that would be nice too.)

David Griswold

david_griswold asked:
david_griswold (Author) commented:
Never mind.  I forgot to specify in the firewall Topology that this was an external interface.  I assumed, incorrectly, that if I associated the VLAN with the external interface when I created it, it would default to being external.  Guess not.
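The author's fix (marking the new ISP VLAN as External in the gateway's Topology) works because anti-spoofing judges a packet's source address against the topology of the interface it arrived on. The model below is an added illustration, not Check Point code or anything from this thread: it reduces the rule to two cases (an Internal interface accepts only sources inside its defined networks; an External interface accepts any source that does not belong to some Internal interface's networks) and replays the poster's situation before and after the topology change. All interface names and addresses are constructed (documentation ranges), and the simplified check ignores real-gateway details such as "Defined by routes" topology and the spoof-tracking options.

```python
"""Simplified model of interface-topology anti-spoofing on a Check Point gateway.

Added illustration only; not the vendor's implementation. It captures the
decision the poster ran into: a VLAN sub-interface left as Internal with a
/30 topology drops every Internet source as 'Address spoofing', while the
same interface marked External accepts them.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    name: str
    external: bool                  # Topology setting: External vs Internal
    networks: list = field(default_factory=list)  # networks "behind" an Internal interface


class Gateway:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}

    def internal_networks(self):
        """All networks that live behind Internal interfaces."""
        nets = []
        for iface in self.interfaces.values():
            if not iface.external:
                nets.extend(iface.networks)
        return nets

    def check_source(self, iface_name, src):
        """Return (accepted, reason) for a packet with source `src` arriving on `iface_name`."""
        iface = self.interfaces[iface_name]
        src_ip = ip_address(src)
        if iface.external:
            # External: legitimate sources are everything NOT known to be internal,
            # so an Internet client passes but a private address arriving here is spoofed.
            for net in self.internal_networks():
                if src_ip in net:
                    return False, f"Address spoofing: {src} belongs to internal network {net}"
            return True, "accepted (external interface)"
        # Internal: only sources inside this interface's own topology are legitimate.
        if any(src_ip in net for net in iface.networks):
            return True, "accepted (internal interface, source in defined network)"
        return False, f"Address spoofing: {src} not in topology of {iface.name} {iface.networks}"


def build_gateway(new_isp_external):
    """Constructed topology mirroring the thread: one default-route ISP, two private
    VLANs, and the new ISP VLAN whose External/Internal flag is the variable."""
    return Gateway([
        Interface("eth0", external=True),                                        # default-route ISP (constructed)
        Interface("eth0.10", external=False, networks=[ip_network("10.10.0.0/24")]),   # private VLAN (constructed)
        Interface("eth0.20", external=False, networks=[ip_network("10.20.0.0/24")]),   # private VLAN (constructed)
        # New ISP VLAN: if left Internal, only its own /30 is a legitimate source.
        Interface("eth0.30", external=new_isp_external, networks=[ip_network("198.51.100.0/30")]),
    ])


INTERNET_CLIENT = "192.0.2.10"   # constructed Internet source hitting the new ISP link


def before_fix():
    """VLAN interface created but left as Internal: Internet traffic is dropped."""
    return build_gateway(new_isp_external=False).check_source("eth0.30", INTERNET_CLIENT)


def after_fix():
    """VLAN interface marked External in Topology: Internet traffic is accepted."""
    return build_gateway(new_isp_external=True).check_source("eth0.30", INTERNET_CLIENT)


def spoofed_private_on_new_isp():
    """Even after the fix, a private address arriving from the ISP is still spoofed."""
    return build_gateway(new_isp_external=True).check_source("eth0.30", "10.10.0.5")


if __name__ == "__main__":
    for label, result in (("before", before_fix()), ("after", after_fix()),
                          ("private src after", spoofed_private_on_new_isp())):
        print(f"{label:18s} accepted={result[0]!s:5s} {result[1]}")
```

The third scenario is the reason anti-spoofing is worth keeping on after the fix: marking the VLAN External does not open it to everything, it still drops any source that the gateway knows lives behind an Internal interface.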