Hi Charalambos,
Thanks for your response. Yes, we use VRRP for syncing between
firewalls. And a closer look does in fact reveal the topology portion
of the cluster object populated with entries for the various NICs on the
firewall. I'm going to change the configuration for testing's sake, but
just as an aside, why does this pose a problem for packet routing?
Lenny Sanchez
Systems Administrator
HealthGate Data Corp
781.685.4038
lennys AT healthgate DOT com
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
Charalambos Klitiropoulos
Sent: Tuesday, June 28, 2005 1:58 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] NATing and network related issues
Hello,
do you use VRRP on your cluster? If so, you must not fill in any
information on the topology tab of the cluster object (only in the
cluster member objects).
Another possible cause according to CP's knowledge base is when you
enter the NATed IP as the object's IP address and the real address of
the server in the NAT tab (if you use automatic NAT). The last one
however does not seem to be the cause, as you would have noticed these
problems right from the start, but you never know. By the way, do you
have another object with the NATed IP and if so, do you use it anywhere
in your policy?
On 6/28/05, Lenny Sanchez <lennys AT healthgate DOT com> wrote:
>
> Hello,
>
> For the last couple of weeks, I've had a problem(s) surface that had
> never come up before. I'm running a cluster configuration of 2 Nokia
> IP440's with Checkpoint NG AI R55. The usual route downstream is from
> the IDC's router, through the primary firewall, down to an F5 load
> balancer appliance. As you all know, the load balancer will then make
> the decision as to which of the 2 web servers (Windows 2003 Standard
> Servers, multi-homed NICs) to send traffic. What we started to see
> happening was, the traffic destined for the external interface on the
> firewall was instead routing through the internal interface. Firewall
> was saying, "no way, address spoof", and then dropping the outbound
> packets. This started happening out of nowhere. Checked every route on
> every device under the sun. Started to add new ones in hoping I could
> catch a break. You guys have to understand, no other sites/services
> were having this problem. Only these 2003 servers, which had been
> routing correctly for a bit of time.
>
> So as a test, I bypassed the whole DMZ route. Come in through the
> firewalls, go through an internal router, and then to only one of the
> 2003 servers. Made the necessary static route change within the
> firewall. Worked for a few days, then started seeing "Connection
> contains real IP of NATed address". So, changed over to the other
> server. Same thing. Traffic is fine for a while, and then "Connection
> contains real IP of NATed address".
>
> I know I'm missing something. Any help you guys/girls could provide
> would be great.
>
> Thanks
> Lenny
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
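As an added illustration (not code from the thread, from Check Point, or from any participant), here is a small model of the topology-based anti-spoofing check that produces the "address spoof" drops Lenny describes: each firewall interface declares the networks that legitimately sit behind it, and a packet whose source address belongs behind a different leg than the one it arrived on is dropped. The interface names, address ranges and sample packets are constructed for the example; the last sample packet reproduces the symptom in the thread, a server reply showing up on the internal leg when the topology places that server behind another interface.

```python
import ipaddress
from dataclasses import dataclass


# Constructed sample topology for a three-legged firewall. The addresses are
# placeholders chosen for this illustration, not the poster's real addressing.
@dataclass
class Interface:
    name: str
    networks: tuple          # address ranges that legitimately sit behind this leg
    external: bool = False   # the external leg is the catch-all for everything else


def sample_topology():
    return (
        Interface("eth-external", (), external=True),
        Interface("eth-internal", (ipaddress.ip_network("10.0.0.0/16"),)),
        Interface("eth-dmz", (ipaddress.ip_network("192.168.100.0/24"),)),
    )


def expected_interface(topology, src_ip):
    """Name the interface on which a packet from src_ip should arrive.

    Each internal leg lists the networks behind it; a source that matches
    none of them is only believable on the external leg.
    """
    addr = ipaddress.ip_address(src_ip)
    for iface in topology:
        if any(addr in net for net in iface.networks):
            return iface.name
    for iface in topology:
        if iface.external:
            return iface.name
    raise ValueError("topology has no external interface")


def check_packet(topology, arrived_on, src_ip, dst_ip):
    """Return ('accept', reason) or ('drop', reason) for one packet."""
    expected = expected_interface(topology, src_ip)
    if expected == arrived_on:
        return ("accept",
                f"{src_ip} -> {dst_ip} on {arrived_on}: consistent with topology")
    return ("drop",
            f"{src_ip} -> {dst_ip} on {arrived_on}: address spoofing, "
            f"topology expects {expected}")


def audit(topology, packets):
    """Run the check over (interface, src, dst) tuples and summarise the drops."""
    results = [(pkt, check_packet(topology, *pkt)) for pkt in packets]
    dropped = [pkt for pkt, (verdict, _) in results if verdict == "drop"]
    return {"total": len(packets), "dropped": len(dropped), "dropped_packets": dropped}


# Constructed packets (interface the packet arrived on, source, destination).
# The last one is the thread's symptom: a reply from a server the topology
# places behind the DMZ leg instead appears on the internal leg, so the
# firewall treats its source address as spoofed and drops it.
SAMPLE_PACKETS = [
    ("eth-external", "203.0.113.5", "192.168.100.10"),
    ("eth-dmz", "192.168.100.10", "203.0.113.5"),
    ("eth-internal", "10.0.4.7", "203.0.113.5"),
    ("eth-internal", "192.168.100.10", "203.0.113.5"),
]

if __name__ == "__main__":
    topo = sample_topology()
    for pkt in SAMPLE_PACKETS:
        print(check_packet(topo, *pkt))
    print(audit(topo, SAMPLE_PACKETS))
```

The point of the model is that the verdict depends only on which leg the packet arrived on versus where the declared topology says its source lives, so a routing change downstream that sends replies out a different path shows up as a spoofing drop even though no rule in the policy changed.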