Solved

Two external interfaces with UTM-1 NGX R65

Posted on 2011-02-15
1
1,219 Views
Last Modified: 2013-11-16
I have two Checkpoint UTM-1 270s running NGX R65 in a HA cluster.  I have the several VLAN interfaces on the external interface and one non-VLAN (our default route ISP).  Routing to and from the private VLANs works fine, but I have just connected a new ISP via a VLAN on the external interface.  The connection from the ISP is up and I can PING the interface and it's gateway from the appliance, but all incoming traffic, from the internet, is dropped due to 'Address spoofing'.  I have created an object for the interface and put in a rule to allow incoming ICMP traffic, but the firewall still drops it due to spoofing.

I understand why this is happening, as the checkpoint is only expecting internet traffic to come from the interface with the default route.  But, I need the new ISP connection to allow incoming traffic, as it will be NATting traffic to a web site and other services.   Since I can't add the entire Internet to the topology of the this interface, I am at a loss here.  How do I make this happen?

This interface does not need to allow internally initiated outbound traffic (but that would be nice too.)

David Griswold

0
Comment
Question by:david_griswold
1 Comment
 

Accepted Solution

by:
david_griswold earned 0 total points
ID: 34901430
Never mind.  I forgot to specify in the firewall Topology that this was an external interface.  I assumed, incorrectly, that if I associated the VLAN with the external interface when I created it, it would default to being external.  Guess not.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now