CheckPoint: ISP Redundancy Limitations

When using ISP redundancy with load-balancing, there are a number of limitations where routing comes in to play, I’ll try to bullet point a few rules:

* In general, traffic responses will be routed back through the pipe the requests went out on. (you can force it to do otherwise but then you are into asymmetrical routing and you will be lucky to get your responses.)

* Anything with a static NAT will be forced out through the 1st link

* You can force certain services to go through your first link but you cannot force anything to go through your 2nd link – see here for instructions.

* You cannot use hide NAT to force anything to go through one link or the other – Checkpoint per se does not support source-based routing (policy-based routing)

* You can in theory force one particular machine to route through the 1st link by statically NATing it to a free public address on your subnet but you will need to have 1 routable IP per machine for which this is to be done. You cannot  force any traffic / services through your 2nd link.

If you really need the flexibility to route your traffic based on services and/or source IPs then you can:
* install a router in fron of your firewall which does policy-based routing

* if you are running on linux or SecurePlatform then you can configure the iproute2 daemon (this will NOT be supported by Checkpoint)

* if you are running on Nokia IPSO boxes then Policy-based routing functionality is built in from IPSO 4.2 build 069 onwards.

Checkpoint: Configure Wireshark for “fw monitor” Analysis

This article guides you through setting up the Wireshark packet analyser to interpret captures as a Checkpoint FW-1 capture. This will only have an effect on captures taken using “fw monitor”, all other captures will read as normal.

1. Edit -> Preferences -> Protocols -> Ethernet -> Check “Attempt to interpret as Firewall-1 monitor file”:

 

2. Edit -> Preferences -> User Interface -> Columns -> click “New” to add a new column – give it a title of FW Monitor and choose FW-1 monitor if/direction as the format:

You should now have an extra column when you open a capture file – if you open an fw monitor capture file you will see  4 entries for each packet tracked as they go in one interface and out of another.

The ethernet interfaces e.g. eth0, eth1 etc etc are marked with either i, I, o or O.

i = pre-incoming ……….. I = post-incoming

o = pre-outgoing ……….. O = post outgoing

So ..

1          i    eth0                                  <- pre-IN: this is the packet as it arrives at the interface

2               eth0    I                            <- post-IN: this is the packet leaving the interface, now in the CheckPoint kernel

3         o    eth1                                  <- pre-OUT: this is the packet having left the kernel and arriving at the egress interface

4                eth1    O                           <- post-OUT: this is the packet leaving the interface

This is dead handy for loads of troubleshooting situations, an ovious one is NAT being applied, e.g.:

A packet from internal IP 10.1.1.1 headed for a destination on the internet 4.2.2.1 through a firewall with an external IP of 81.82.83.84 would look something like:

SRC                   DST                       FW1

10.1.1.1                4.2.2.1                i   eth0

10.1.1.1                4.2.2.1                eth0    I

10.1.1.1                4.2.2.1                o   eth1

81.82.83.84       4.2.2.1                eth1    O          <- NAT has been applied and the source IP is now the firewall’s external IP

Exit mobile version
%%footer%%