Firewall-1

Re: [FW-1] NATing and network related issues

Subject: Re: [FW-1] NATing and network related issues
From: Brian Anderson <brian.anderson AT TERADYNE DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 30 Jun 2005 08:49:37 -0400
Charalambos,

I would like to respectfully disagree with your statement below:
do you use VRRP on your cluster? If so, you must not fill any information
on the topology tab of the cluster object (only in the cluster member
objects).

I believe Check Point recommends for NG AI R55 exactly opposite of what 
you mention.  I've run NG AI R55 (with Nokia VRRP) clusters at two 
different companies and have always had the topology information filled in 
on the topology section of the cluster object, not the cluster members. In 
addition to that, on the 3rd Party Configuration, you would choose High 
Availability and then select Nokia VRRP.

Thanks,
Brian




Charalambos Klitiropoulos <klitiro AT GMAIL DOT COM> 
Sent by: Mailing list for discussion of Firewall-1 
<FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com>
06/28/2005 01:58 PM
Please respond to
Mailing list for discussion of Firewall-1 
<FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com>


To
FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com
cc

Subject
Re: [FW-1] NATing and network related issues
Hello,

do you use VRRP on your cluster? If so, you must not fill any information
on the topology tab of the cluster object (only in the cluster member
objects).
Another possible cause according to CP's knowledge base is when you enter
the NATed IP as the object's IP address and the real address of the server
in the NAT tab (if you use automatic NAT). The last one however does not
seem to be the cause, as you would have noticed these problems right from
the start, but you never know. By the way, do you have another object with
the NATed IP and if so, do you use it anywhere in your policy?

On 6/28/05, Lenny Sanchez <lennys AT healthgate DOT com> wrote:
> 
> Hello,
> 
> For the last couple of weeks, I've had a problem(s) surface that had
> never come up before. I'm running a cluster configuration of 2 Nokia
> IP440's with Checkpoint NG AI R55. The usual route downstream is from
> the IDC's router, through the primary firewall, down to a F5 load
> balance appliance. As you all know, the load balancer will then make
> the decision as to which of the 2 web servers (Windows 2003 Standard
> Servers, multi-homed NICs) to send traffic. What we started seeing
> happening was, the traffic destined for the external interface on the
> firewall was instead routing through the internal interface. Firewall
> was saying, "no way, address spoof", and then dropping the outbound
> packets. This started happening out of nowhere. Checked every route on
> every device under the sun. Started to add new ones in hoping I could
> catch a break. You guys have to understand, no other sites/services
> were having this problem. Only these 2003 servers, which had been
> routing correctly for a bit of time.
> 
> So as a test, I bypassed the whole DMZ route. Come in through the
> firewalls, go through an internal router, and then to only one of the
> 2003 servers. Made the necessary static route change within the
> firewall. Worked for a few days, then started seeing "Connection
> contains real IP of NATed address". So, changed over to the other
> server. Same thing. Traffic is fine for a while, and then "Connection
> contains IP of NATed address".
> 
> I know I'm missing something. Any help you guys/girls could provide
> would be great.
> 
> Thanks
> Lenny
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>

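The two symptoms in Lenny's post (anti-spoofing drops when server traffic shows up on the wrong interface, and "Connection contains real IP of NATed address") map onto two checks a firewall administrator can reason about before touching routes. The Python below is an added example written for this page, not Check Point's code and not something posted in the thread. The interface names, address ranges and object names are constructed; the logic is a simplified model of Check Point's per-interface anti-spoofing topology rule and of the automatic-NAT object convention Charalambos describes (object IP holds the real address, the NAT tab holds the translated one), and it goes slightly beyond the thread by also flagging the "second object with the NATed IP" case he asks about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    networks: tuple = ()    # address ranges declared behind this interface (topology)
    external: bool = False  # "leads out": anything not declared behind an internal interface


@dataclass
class HostObject:
    name: str
    ip: str                           # the object's own address; should be the real (pre-NAT) one
    static_nat: Optional[str] = None  # translated address entered on the NAT tab, if any


def internal_networks(interfaces):
    """All networks declared behind non-external interfaces."""
    return [ip_network(n) for i in interfaces if not i.external for n in i.networks]


def spoof_check(interfaces, ingress, src):
    """Anti-spoofing decision for a packet with source `src` arriving on `ingress`.
    Internal interface: the source must lie in a network declared behind it.
    External interface: the source must not lie in any internal network."""
    addr = ip_address(src)
    iface = {i.name: i for i in interfaces}[ingress]
    if iface.external:
        spoofed = any(addr in n for n in internal_networks(interfaces))
    else:
        spoofed = not any(addr in ip_network(n) for n in iface.networks)
    return "drop: address spoofing" if spoofed else "accept"


def nat_object_issues(objects, interfaces):
    """Flag automatic-NAT objects whose real/translated addresses look swapped,
    and translated addresses that are also some other object's own IP."""
    internal = internal_networks(interfaces)

    def is_internal(ip):
        return any(ip_address(ip) in n for n in internal)

    issues = []
    for o in objects:
        if o.static_nat is None:
            continue
        if not is_internal(o.ip) and is_internal(o.static_nat):
            issues.append(f"{o.name}: object IP {o.ip} is not behind an internal "
                          f"interface but NAT address {o.static_nat} is; real and "
                          f"translated addresses look swapped")
        for other in objects:
            if other is not o and other.ip == o.static_nat:
                issues.append(f"{o.name}: translated address {o.static_nat} is also "
                              f"the IP of object {other.name}")
    return issues


# Constructed topology: external, internal LAN, and a DMZ holding the web servers.
IFACES = (
    Interface("eth0", external=True),
    Interface("eth1", ("10.1.0.0/16",)),
    Interface("eth2", ("172.16.10.0/24",)),
)
# Constructed objects; 203.0.113.0/24 is the documentation range standing in for public space.
OBJECTS = (
    HostObject("web1", "172.16.10.20", "203.0.113.20"),  # correct: real IP, translated on NAT tab
    HostObject("web2", "203.0.113.21", "172.16.10.21"),  # swapped
    HostObject("legacy", "203.0.113.20"),                # a second object holding web1's NATed IP
)

if __name__ == "__main__":
    for ingress, src in [("eth2", "172.16.10.20"), ("eth1", "172.16.10.20"),
                         ("eth0", "198.51.100.7"), ("eth0", "10.1.5.5")]:
        print(f"{src:>14} on {ingress}: {spoof_check(IFACES, ingress, src)}")
    for line in nat_object_issues(OBJECTS, IFACES):
        print("NAT:", line)
```

The DMZ server's own address arriving on eth1 is exactly Lenny's "no way, address spoof" case: the packet is legitimate, but the topology says that address lives behind eth2, so the only fixes are routing or topology, not the rulebase. The NAT check surfaces both of Charalambos's suspects without any traffic at all, which is why it is worth running against the object database first.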