Cisco Routing & Check Point

Status
Not open for further replies.

JoeBloggssss

IS-IT--Management
Jan 21, 2005
83
GB
Hi Guys,

I put together a lab to get started working with CP, and I created a static route to my WAN router to route to my intranet.

Router ----> Gateway ----> Intranet

My question is: in a real-world situation, if I enable, say, OSPF on my router on its fa port, am I right in assuming it would carry the broadcast enough through the network to find another router to learn the intranet topology? Can someone give their design in terms of reducing the number of manual static routes? Thanks
 
Hi,

Don't think I worded this great. What I am asking is, if I have a large internal intranet with many routers, how does each router determine, if I want to go onto the internet, the next router to forward the request to and eventually find the gateway? I remember setting up policy source maps??? Not quite sure. I thought perhaps you added your proxy address to your web browser, but is this still used? Thanks
 
Generally you would have to create static routes on the firewall to route to other networks behind it and, of course, you would have to set up some kind of routing on your internal network, either static or dynamic. It really depends on the setup of your network. This is more of a routing question than a firewall question.

If all your networks directly behind the firewall are reachable via a single router that the firewall can see, then you could create a supernet route on the firewall to encompass all those networks. If you are running a Nokia firewall then IPSO also supports OSPF.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
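
An added example, not part of the original thread: a Python sketch of the supernet idea from the reply above. It collapses per-subnet static routes that share one next hop into a single covering prefix and lists the address space that prefix covers without any real subnet behind it. The function name and the sample subnets are constructed for illustration.

```python
import ipaddress

# Constructed sample: intranet subnets reachable via one downstream router.
SAMPLE_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24",
                  "10.1.3.0/24", "10.1.6.0/24"]

def summarize_static_routes(subnets):
    """Return (collapsed, supernet, extra) for routes sharing one next hop.

    collapsed: the exact minimal set of prefixes equal to the input
    supernet:  the smallest single prefix covering every input subnet
    extra:     space inside the supernet that no input subnet accounts for
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    collapsed = list(ipaddress.collapse_addresses(nets))

    # Widen the first prefix one bit at a time until it covers everything.
    supernet = collapsed[0]
    while not all(n.subnet_of(supernet) for n in collapsed):
        supernet = supernet.supernet()

    # Subtract every real prefix from the supernet; what remains is the
    # address space the single route would also send to the inside router.
    extra = [supernet]
    for n in collapsed:
        remaining = []
        for block in extra:
            if n.subnet_of(block):
                remaining.extend(block.address_exclude(n))
            else:
                remaining.append(block)
        extra = remaining
    extra = list(ipaddress.collapse_addresses(extra))
    return collapsed, supernet, extra

if __name__ == "__main__":
    collapsed, supernet, extra = summarize_static_routes(SAMPLE_SUBNETS)
    print("exact routes :", ", ".join(map(str, collapsed)))
    print("one supernet :", supernet)
    print("over-covered :", ", ".join(map(str, extra)) or "none")
```

A non-empty over-covered list means the single supernet route would forward traffic for unused prefixes toward the internal router, so compare it with the addressing plan before replacing the per-subnet routes.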
 
This definitely has to do more with routing than with firewall.

If you're running CP on Nokia platforms, you can use OSPF, RIP or IGRP for IGP. If you're running SecurePlatform, you can also do the same thing, but it will require some knowledge of gated and routed because you have to make modifications in the /etc/zebra/ directory where the routing configurations are for SecurePlatform. After all, SecurePlatform is CP on Linux and Linux uses zebra.
 
Hi,

It has been a long, long time since we implemented our network; if it breaks we copy the config to it, so I am a bit rusty. But I reviewed our setup today.

We have several sites interconnected using OSPF as a means of providing routing. At each router we have a static route pointing to a router further upstream for unknown (i.e. web) traffic, and eventually it reaches the gateway. On the gateway firewall we have one static route pointing to the next downstream router, which then has knowledge of all intranet subnets (OSPF updates). This seems to work well. I assume this is what you guys have, or similar; I am sure there are more advanced methods of providing this functionality. Sorry if this is more of a routing question, but I want a holistic view of the Check Point managed infrastructure.
 
Actually, the last statement about one route from the gateway to the downstream router would be wrong: we have many, one for each subnet. I suppose I could implement a routing protocol on the interface gateway interface, but I am concerned about additional traffic overhead.
 