Thursday, January 27, 2011

Checkpoint UTM Firewall Clusters Part 1

I recently spent some time setting up a Checkpoint Firewall cluster using UTM firewall appliances. I'm going to post several configuration tips I learned the hard way. I did not find the documentation to be all that useful, though I was in a bit of a rush, so I might have missed something.

Anyway, I'm laying out the topology in this post. Here are our nets:

Interface Name   Subnet            Comments
ext              10.10.10.0/24     external network
int              192.168.5.0/24    router net
LAN1             172.31.24.0/28    sync network
LAN2             172.31.23.0/24    network management subnet
N/A              192.168.6.0/23    Corporate LAN (behind L3 switch)
N/A              192.168.8.0/23    Engineering LAN (behind L3 switch)
N/A              192.168.10.0/23   QA LAN (behind L3 switch)
N/A              172.17.16.0/22    subnet from CO-LO - from VPN tunnel
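Before touching the cluster objects it is worth sanity-checking the address plan: overlapping subnets make anti-spoofing and routing ambiguous, and every net marked N/A above is not directly connected, so the firewall needs a static route toward the L3 switch for it. The script below is an added example, not something from the original post or from Checkpoint; it transcribes the table and assumes a placeholder next-hop address for the L3 switch in the router net, which the post does not give.

```python
import ipaddress
from itertools import combinations

# Subnet inventory transcribed from the post's table. Interface names are the
# cluster's own; "N/A" marks nets that are not directly connected to the
# firewall (behind the L3 switch, or reached through the co-lo VPN tunnel).
SUBNETS = [
    ("ext",  "10.10.10.0/24",   "external network"),
    ("int",  "192.168.5.0/24",  "router net"),
    ("LAN1", "172.31.24.0/28",  "sync network"),
    ("LAN2", "172.31.23.0/24",  "network management subnet"),
    ("N/A",  "192.168.6.0/23",  "Corporate LAN (behind L3 switch)"),
    ("N/A",  "192.168.8.0/23",  "Engineering LAN (behind L3 switch)"),
    ("N/A",  "192.168.10.0/23", "QA LAN (behind L3 switch)"),
    ("N/A",  "172.17.16.0/22",  "subnet from CO-LO - from VPN tunnel"),
]

# ASSUMPTION: the L3 switch's address inside the router net. The post does not
# state it; this placeholder only illustrates which routes the firewall needs.
L3_SWITCH_NEXT_HOP = "192.168.5.2"


def find_overlaps(subnets=SUBNETS):
    """Return (cidr_a, cidr_b) pairs whose address ranges intersect.

    Any hit here means routing and anti-spoofing on the cluster are ambiguous
    and the address plan must be fixed before the policy is built.
    """
    nets = [ipaddress.ip_network(cidr) for _, cidr, _ in subnets]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def static_routes(subnets=SUBNETS, next_hop=L3_SWITCH_NEXT_HOP):
    """Map each non-directly-connected subnet to the next hop it is reached via.

    Directly connected interfaces need no static route; everything behind the
    L3 switch (including the VPN-learned co-lo subnet, since the tunnel
    terminates on that switch) is routed toward the switch's router-net address.
    """
    return {cidr: next_hop for iface, cidr, _ in subnets if iface == "N/A"}


def locate(ip, subnets=SUBNETS):
    """Return (interface, comment) of the most specific subnet containing ip.

    Returns None for addresses outside the plan. Useful when reading a log
    line and deciding which leg of the topology a host sits on.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for iface, cidr, comment in subnets:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, comment)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    print("overlapping subnets:", find_overlaps() or "none")
    for cidr, hop in static_routes().items():
        print(f"static route needed: {cidr} via {hop}")
    print("192.168.9.42 is on:", locate("192.168.9.42"))
```

With the table as given the overlap check comes back empty and four static routes are listed (the three VLANs behind the L3 switch plus the co-lo subnet). Swap the placeholder next hop for the switch's real router-net address before using the output.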

Note that there is a layer 3 switch behind the inside interface on the Checkpoint cluster, and that at least three VLAN/subnets are behind that switch. Note that there is an IPSec tunnel to the co-lo facility, and that tunnel terminates on the L3 switch in the router network (the endpoint is
Here is a simple diagram of the configuration:

