In This Section: |
The Security Gateway provides a single point of entry to the internal network. It is the Security Gateway that makes the internal network "available" to remote machines. If the Security Gateway fails, the internal network is no longer available. It therefore makes good sense to have Multiple Entry Points (MEP) to the same network.
In an MEP environment, more than one Security Gateway is both protecting and giving access to the same VPN domain. How a remote user selects a Security Gateway in order to reach a destination IP address depends on how the MEP Security Gateways have been configured, which in turn depends on the requirements of the organization.
The Check Point solution for multiple entry points is based on a proprietary Probing Protocol (PP) that tests Security Gateway availability. The probing protocol is used only in Site-to-Site MEP. MEP checks for gateway availability. The MEP Security Gateways do not have to be in the same location and can be widely-spaced, geographically.
Note - In a MEP Security Gateway environment, the remote clients supported are the Check Point Remote Access Clients.
There are three methods used to choose which Security Gateway is used as the entry point for a connection:
The RDP Security Gateway discovery mechanism used in an MEP environment runs over UDP. This creates a special challenge for Remote Access clients in Visitor Mode, because all traffic is tunneled over a regular TCP connection.
In an MEP environment:
Must support visitor mode.
There are two ways to configure the routing for return packets:
IP pool NAT is a type of NAT in which source IP addresses from remote VPN domains are mapped to an IP address drawing from a pool of registered IP addresses. In order to maintain symmetric sessions using MEP Security Gateways, the MEP Security Gateway performs NAT using a range of IP addresses dedicated to that specific Security Gateway and should be routed within the internal network to the originating Security Gateway. When the returning packets reach the Security Gateway, the Security Gateway restores the original source IP address and forwards the packets to the source.
To configure MEP, decide on the MEP selection method:
MEP configuration can be implicit or manual.
Whichever you choose, you must set the XX Product XX configuration file to identify the configuration.
To define MEP topology:
$FWDIR/conf/trac_client_1.ttm
configuration file.automatic_mep_topology.
If you do not see this parameter, add it manually as shown here:
|
:default
to:true
- For implicit configurationfalse
- For manual configurationenable_gw_resolving
is true
When more than one Security Gateway leads to the same (overlapping) VPN domain, they are considered MEP by the remote peer, and the first Security Gateway to respond to the probing protocol is chosen. To configure first to respond, define that part of the network that is shared by all the Security Gateways into a single group and assign that group as the VPN domain.
To configure Implicit First-to-Respond:
The gateway window opens and shows the General Properties page.
Note - Make sure to use the same VPN domain for the Security Gateways.
To configure Manual First-to-Respond:
$FWDIR/conf/trac_client_1.ttm
.mep_mode
, change default (client_decide)
to default(first_to_respond)
.ips_of_gws_in_mep
, change default (client_decide)
to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>)
. For example, default(192.168.20.250À.168.20.240&#)
.
To configure Implicit Primary-Backup:
To configure the backup gateway settings:
The gateway window opens and shows the General Properties page.
To configure Manual Primary-Backup:
$FWDIR/conf/trac_client_1.ttm
.mep_mode
, change default (client_decide)
to default(primary_backup)
.ips_of_gws_in_mep
, change default (client_decide)
to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>)
. For example, default(192.168.20.250À.168.20.240&#)
When you enable this option, the load distribution is dynamic and the remote client randomly selects a Security Gateway.
To configure Implicit Load Distribution for Remote Access clients:
To configure Manual Load Distribution:
$FWDIR/conf/trac_client_1.ttm
.mep_mode
, change default (client_decide)
to default(load_shiaring)
.ips_of_gws_in_mep
, change default (client_decide)
to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>)
. For example, default(192.168.20.250À.168.20.240&#)
For clients that do not use Office Mode there are two configurations:
Configure NAT using the NAT page in the Virtual System window. Hide or Static NAT addresses configured in this manner are automatically forwarded to the Virtual Router to which the Virtual System is connected. Alternatively, you can manually add NAT routes on the Topology page in the Virtual Router window.
To configure NAT for a Virtual System on a VSX Gateway:
Step |
Description |
---|---|
1 |
Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System. |
2 |
From the left navigation panel, click Gateways & Servers. |
3 |
Open the Virtual System object. |
4 |
From the navigation tree, click NAT > Advanced. The Advanced page opens. |
5 |
Select Add Automatic Address Translation. |
6 |
Select the Translation method.
|
7 |
From the Install on Gateway list, select the VSX Gateway. |
8 |
Click OK. |
9 |
Install the Access Control Policy on this Virtual System. |
To configure NAT for a Virtual System on a VSX Cluster:
Use case - Perform Hide NAT on traffic a Virtual System itself generates in a VSX Cluster, so that the Virtual System could connect to external resources (for example, update Anti-Bot signatures from the Check Point cloud).
Step |
Description |
---|---|
1 |
Connect to the command line on each VSX Cluster Member. |
2 |
Log in to the Expert mode. |
3 |
Switch to the context of the applicable Virtual System:
|
4 |
Get the Funny IP address of the applicable Virtual System interface, through which the applicable traffic goes out. Note - Funny IP address is the IP address that belongs to cluster's internal communications network (open the VSX Cluster object properties and go to the "Cluster Members" pane). Run one of these commands:
Write down the Funny IP address. |
5 |
Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System. |
6 |
From the left navigation panel, click Gateways & Servers. |
7 |
Create a new Node Host object and assign to it the Funny IP address you wrote down in Step 4. |
8 |
Create a new Node Host object and assign to it the NATed IP address. |
9 |
From the left navigation panel, click Security Policies. |
10 |
In the Access Control > NAT policy, create the applicable NAT rule to hide the traffic from the Virtual System behind the NATed IP address:
|
11 |
Install the Access Control Policy on this Virtual System. |
For each Security Gateway, create a network object that represents the IP pool NAT addresses for that Security Gateway.
To configure NAT for an IP pool for Remote Access VPN:
To disable MEP, set the following command to true in DBedit, the Check Point database tool:
desktop_disable_mep