Here's the diagram again:
Anyway, the problem is internal routes. In my example, I have a layer 3 switch handling internal routing. The steps are:
3. Log into each Check Point cluster member and add static routes. You can use either SSH with the sysconfig utility, or a web browser pointed at each firewall (typically on port 4434). In this example, you'll add:
Note that 192.168.5.254 is the layer 3 switch.
2. Create subnet objects for each of the internal networks/VLANs.
|Ignore CP_default_Office, it's part of the demo network config.|
3. If you look at the cluster interface topology, you'll see:
And if we drill down further:
And further into the internal interface (where our corp, eng, QA, and colo networks reside behind):
And now to the "Topology tab"
|Topology anti-spoofing config|
This configuration will block the eng, qa, and corp subnets: the internal interface's topology only covers the network defined by the interface's own IP and mask, so packets arriving from the routed subnets behind the layer 3 switch fail the anti-spoofing check. Depending on the configuration, the Co-Lo net may never need to talk to anything that the firewall manages (DMZ1, etc.), but better safe than sorry.
5. Now, go back to the topology anti-spoofing config in step 3 and modify it to use the group you created.
With that, anti-spoofing should work correctly. Make sure NAT is configured properly!
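To make the failure mode concrete, here is a small simulation of the anti-spoofing decision described above. This is an added example, not code from the post or from Check Point; the internal subnet addresses, the interface name and the interface's own subnet are constructed values (the post only gives 192.168.5.254 as the layer 3 switch). It contrasts the default topology (only the directly connected network) with the topology that uses the group of internal subnet objects, and checks that every static route pointing at the layer 3 switch is covered by the interface topology.

```python
import ipaddress

# Constructed values for illustration (assumptions, not from the post):
INTERNAL_IFACE = "eth1"
INTERNAL_IFACE_NET = ipaddress.ip_network("192.168.5.0/24")  # interface's own subnet
L3_SWITCH = ipaddress.ip_address("192.168.5.254")            # from the post

# Subnet objects created in step 2 (addresses are constructed examples).
SUBNETS = {
    "net_corp": ipaddress.ip_network("10.1.0.0/24"),
    "net_eng":  ipaddress.ip_network("10.2.0.0/24"),
    "net_qa":   ipaddress.ip_network("10.3.0.0/24"),
    "net_colo": ipaddress.ip_network("10.4.0.0/24"),
}

# Static routes added in step 1: each internal subnet is reached via the L3 switch.
STATIC_ROUTES = {net: L3_SWITCH for net in SUBNETS.values()}


def topology_default():
    """Interface topology as Check Point derives it from the interface IP/mask only."""
    return {INTERNAL_IFACE: [INTERNAL_IFACE_NET]}


def topology_with_group():
    """Interface topology after step 5: the group of internal subnet objects."""
    return {INTERNAL_IFACE: [INTERNAL_IFACE_NET, *SUBNETS.values()]}


def antispoof_verdict(topology, iface, src):
    """Anti-spoofing accepts a packet only if its source lies in a network
    that the topology says is legitimately behind the arrival interface."""
    src = ipaddress.ip_address(src)
    if any(src in net for net in topology.get(iface, [])):
        return "accept"
    return "drop"


def routes_not_in_topology(topology, routes, iface):
    """Networks routed via a next hop on this interface but missing from its
    topology: traffic from them will be dropped as spoofed."""
    return [
        net for net, gw in routes.items()
        if gw in INTERNAL_IFACE_NET and net not in topology[iface]
    ]


if __name__ == "__main__":
    for name, topo in (("default", topology_default()), ("group", topology_with_group())):
        print(name, "10.2.0.7 ->", antispoof_verdict(topo, INTERNAL_IFACE, "10.2.0.7"))
        print(name, "missing from topology:", routes_not_in_topology(topo, STATIC_ROUTES, INTERNAL_IFACE))
```

The second check is the one worth keeping in a change checklist: whenever a static route toward the layer 3 switch is added, the corresponding subnet object must also be in the interface's topology group, or the new network silently fails anti-spoofing.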