I have two Checkpoint UTM-1 270s running NGX R65 in a HA cluster. I have several VLAN interfaces on the external interface and one non-VLAN (our default route ISP). Routing to and from the private VLANs works fine, but I have just connected a new ISP via a VLAN on the external interface. The connection from the ISP is up and I can PING the interface and its gateway from the appliance, but all incoming traffic from the internet is dropped due to 'Address spoofing'. I have created an object for the interface and put in a rule to allow incoming ICMP traffic, but the firewall still drops it due to spoofing.
I understand why this is happening, as the checkpoint is only expecting internet traffic to come from the interface with the default route. But I need the new ISP connection to allow incoming traffic, as it will be NATting traffic to a web site and other services. Since I can't add the entire Internet to the topology of this interface, I am at a loss here. How do I make this happen?
This interface does not need to allow internally initiated outbound traffic (but that would be nice too.)
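The anti-spoofing behaviour described in the question follows from how the gateway classifies each interface's topology: an interface declared as internal with a specific network list only accepts sources inside that list, while an interface declared as external ("leads out to the Internet") accepts any source that is not claimed by an internal interface. The following Python model, added here as an illustration and not taken from the poster or from Check Point's own code, walks a packet through that check for a cluster shaped like the one above. The interface names (eth0, eth0.100, eth0.200), the 10.1.0.0/16 private VLAN, the 203.0.113.0/29 ISP subnet and the 198.51.100.7 remote host are constructed documentation-range values, not addresses from the post.

```python
"""Toy model of Check Point-style anti-spoofing topology checks (illustrative only)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    external: bool                                  # True = "leads out to the Internet"
    networks: list = field(default_factory=list)    # networks behind an internal interface

    def covers(self, ip):
        """True if ip belongs to one of this interface's declared networks."""
        return any(ip in net for net in self.networks)


def anti_spoof_verdict(interfaces, ingress, src):
    """Return 'accept' or 'drop' for a packet from src arriving on interface `ingress`.

    Internal interface: the source must be inside that interface's declared networks.
    External interface: the source must NOT be inside any internal interface's networks,
    i.e. everything that is "not internal" is treated as legitimate Internet traffic.
    """
    ip = ipaddress.ip_address(src)
    iface = {i.name: i for i in interfaces}[ingress]
    if iface.external:
        claimed_internally = any(i.covers(ip) for i in interfaces if not i.external)
        return "drop" if claimed_internally else "accept"
    return "accept" if iface.covers(ip) else "drop"


def build_cluster(new_isp_external):
    """Constructed topology: default-route ISP, one private VLAN, and the new ISP VLAN."""
    return [
        Interface("eth0", external=True),                                    # default-route ISP
        Interface("eth0.100", external=False,
                  networks=[ipaddress.ip_network("10.1.0.0/16")]),           # private VLAN
        Interface("eth0.200", external=new_isp_external,
                  networks=[ipaddress.ip_network("203.0.113.0/29")]),        # new ISP VLAN
    ]


REMOTE_HOST = "198.51.100.7"   # constructed Internet client hitting the new ISP VLAN


def demo():
    """Verdicts for the new ISP VLAN declared internal vs. external, plus a spoof attempt."""
    before = anti_spoof_verdict(build_cluster(False), "eth0.200", REMOTE_HOST)  # only its /29 allowed
    after = anti_spoof_verdict(build_cluster(True), "eth0.200", REMOTE_HOST)    # Internet sources accepted
    spoofed = anti_spoof_verdict(build_cluster(True), "eth0.200", "10.1.2.3")   # private source still dropped
    return before, after, spoofed


if __name__ == "__main__":
    print(demo())   # ('drop', 'accept', 'drop')
```

The third verdict is the point of keeping anti-spoofing on: declaring the new ISP VLAN external does not open it to packets claiming a source inside 10.1.0.0/16, because that range is still owned by an internal interface and is rejected on any external one.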