The Security Gateway provides a single point of entry to the internal network. It is the Security Gateway that makes the internal network "available" to remote machines. If the Security Gateway fails, the internal network is no longer available. It therefore makes good sense to have Multiple Entry Points (MEP) to the same network.
In an MEP environment, more than one Security Gateway is both protecting and giving access to the same VPN domain. How a remote user selects a Security Gateway in order to reach a destination IP address depends on how the MEP Security Gateways have been configured, which in turn depends on the requirements of the organization.
The Check Point solution for multiple entry points is based on a proprietary Probing Protocol (PP) that tests Security Gateway availability. The probing protocol is used only in Site-to-Site MEP. MEP checks for gateway availability. The MEP Security Gateways do not have to be in the same location and can be widely-spaced, geographically.
Note - In a MEP Security Gateway environment, the remote clients supported are the Check Point Remote Access Clients.
There are three methods used to choose which Security Gateway is used as the entry point for a connection:
- First to Respond - The first Security Gateway to reply to the probing mechanism is chosen.
- Primary/Backup - The client attempts to connect to the Primary Security Gateway first. If the Primary Security Gateway does not reply, the client attempts to connect to the Backup Security Gateway. If the Backup Security Gateway does not reply, there are no further attempts to connect.
- Random Selection - In a Load Sharing MEP environment, the client randomly selects a Security Gateway and assigns the Security Gateway priority. The remote peer stays with this chosen Security Gateway for all subsequent connections to host machines within the VPN domain. Load distribution takes place on the level of "different clients", rather than the level of "endpoints in a connection".
The RDP Security Gateway discovery mechanism used in an MEP environment runs over UDP. This creates a special challenge for Remote Access clients in Visitor Mode, because all traffic is tunneled over a regular TCP connection.
In an MEP environment:
- The RDP probing protocol is not used; instead, a special Visitor Mode handshake is employed.
- When a MEP failover occurs, the Remote Access client disconnects and the user needs to reconnect to the site in the usual way. See sk115996 for information on configuration.
- In a Primary-Backup configuration, the Remote Access client reconnects to the backup gateway only when the primary gateway is unavailable. When the primary gateway is available again, the Remote Access client remains on the backup gateway and does not connect to the primary gateway.
- All the gateways in the MEP:
Must support visitor mode.
There are two ways to configure the routing for return packets:
- Enable NAT for the Office Mode network.
- Use the IP pool NAT, (if the client is configured to ignore Office Mode).
IP pool NAT is a type of NAT in which source IP addresses from remote VPN domains are mapped to an IP address drawing from a pool of registered IP addresses. In order to maintain symmetric sessions using MEP Security Gateways, the MEP Security Gateway performs NAT using a range of IP addresses dedicated to that specific Security Gateway and should be routed within the internal network to the originating Security Gateway. When the returning packets reach the Security Gateway, the Security Gateway restores the original source IP address and forwards the packets to the source.
To configure MEP, decide on the MEP selection method:
- First to Respond
- Primary/Backup
- Load Distribution
MEP configuration can be implicit or manual.
- Implicit - MEP methods and gateway identities are taken from the topology and configuration of gateways that are in fully overlapping encryption domains or that have Primary-Backup gateways.
- Manual - You can edit the list of MEP Security Gateways in the XX Product XX TTM file.
Whichever you choose, you must set the XX Product XX configuration file to identify the configuration.
To define MEP topology:
- On the gateway, open the $FWDIR/conf/trac_client_1.ttm configuration file.
- Find automatic_mep_topology. If you do not see this parameter, add it manually as shown here:
:automatic_mep_topology (
:gateway (
:map (
:true (true)
:false (false)
:client_decide (client_decide)
)
:default (true)
)
) - Set the value of :default to:
- true - For implicit configuration
- false - For manual configuration
- For Manual MEP only: Make sure that enable_gw_resolving is true
- Save the file.
- Install the policy.
When more than one Security Gateway leads to the same (overlapping) VPN domain, they are considered MEP by the remote peer, and the first Security Gateway to respond to the probing protocol is chosen. To configure first to respond, define that part of the network that is shared by all the Security Gateways into a single group and assign that group as the VPN domain.
To configure Implicit First-to-Respond:
- In SmartConsole, click and double-click the Security Gateway.
The gateway window opens and shows the page.
- From the navigation tree, click .
- Click .
- Click the field and select the VPN domain.
- Repeat these steps for each Security Gateway.
Note - Make sure to use the same VPN domain for the Security Gateways.
To configure Manual First-to-Respond:
- On the Security Management Server, open $FWDIR/conf/trac_client_1.ttm.
- Make these changes:
- Under mep_mode, change default (client_decide) to default(first_to_respond).
- Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>).
For example, default(192.168.20.250À.168.20.240&#).
- Save the changes.
- Install Policy.
- Connect with a client for the configuration to be applied.
To configure Implicit Primary-Backup:
- From Menu, click .
- From the navigation tree, click .
- Click .
- Click
- the changes.
To configure the backup gateway settings:
- Click and double-click the primary Security Gateway.
The gateway window opens and shows the page.
- From the navigation tree, click .
- Click .
- From the drop-down menu, select the backup gateway.
- Determine if the backup gateway uses its own VPN domain.
- To configure the backup gateway without a VPN domain of its own:
- Double-click the Security Gateway and from the navigation tree click .
- Click .
- Click the field and select the group or network that contains only the backup gateway
- Click and publish the changes.
- To configure the backup gateway that DOES have a VPN domain of its own:
- Make sure that the IP address of the backup gateway is not included in the VPN domain of the primary gateway.
- For each backup gateway, define a VPN domain that does not overlap with the VPN domain of the other backup gateways.
- Configure IP pool NAT or Hide NAT to handle return packets.
To configure Manual Primary-Backup:
- On the Security Management Server, open $FWDIR/conf/trac_client_1.ttm.
- Make these changes:
- Under mep_mode, change default (client_decide) to default(primary_backup).
- Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>).
For example, default(192.168.20.250À.168.20.240&#)
- Save the changes.
- Install Policy.
- Connect with a client for the configuration to be applied.
When you enable this option, the load distribution is dynamic and the remote client randomly selects a Security Gateway.
To configure Implicit Load Distribution for Remote Access clients:
- From Menu, click .
- From the navigation tree, click .
- In the section, click .
- Click and publish the changes.
- Configure the same VPN domain for all Security Gateways.
To configure Manual Load Distribution:
- On the Security Management Server, open $FWDIR/conf/trac_client_1.ttm.
- Make these changes:
- Under mep_mode, change default (client_decide) to default(load_sharing).
- Under ips_of_gws_in_mep, change default (client_decide) to default(<PrimaryIP&#SecondaryIP&#TertiaryIP&#>).
For example, default(192.168.20.250À.168.20.240&#)
- Save the changes.
- Install Policy.
- Connect with a client for the configuration to be applied.
For clients that do not use Office Mode there are two configurations:
Configure NAT using the NAT page in the Virtual System window. Hide or Static NAT addresses configured in this manner are automatically forwarded to the Virtual Router to which the Virtual System is connected. Alternatively, you can manually add NAT routes on the Topology page in the Virtual Router window.
To configure NAT for a Virtual System on a VSX Gateway:
1 | Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System. |
2 | From the left navigation panel, click . |
3 | Open the Virtual System object. |
4 | From the navigation tree, click > . The page opens. |
5 | Select . |
6 | Select the .
|
7 | From the list, select the VSX Gateway. |
8 | Click . |
9 | Install the Access Control Policy on this Virtual System. |
To configure NAT for a Virtual System on a VSX Cluster:
Use case - Perform Hide NAT on traffic a Virtual System itself generates in a VSX Cluster, so that the Virtual System could connect to external resources (for example, update Anti-Bot signatures from the Check Point cloud).
1 | Connect to the command line on each VSX Cluster Member. |
2 | Log in to the Expert mode. |
3 | Switch to the context of the applicable Virtual System: [Expert@HostName:0]# vsenv <VSID> |
4 | Get the Funny IP address of the applicable Virtual System interface, through which the applicable traffic goes out. Note - Funny IP address is the IP address that belongs to cluster's internal communications network (open the VSX Cluster object properties and go to the "Cluster Members" pane). Run one of these commands:
Write down the Funny IP address. |
5 | Connect with SmartConsole to the Security Management Server / Target Domain Management Server that manages this Virtual System. |
6 | From the left navigation panel, click . |
7 | Create a new object and assign to it the Funny IP address you wrote down in Step 4. |
8 | Create a new object and assign to it the NATed IP address. |
9 | From the left navigation panel, click . |
10 | In the policy, create the applicable NAT rule to hide the traffic from the Virtual System behind the NATed IP address:
|
11 | Install the Access Control Policy on this Virtual System. |
For each Security Gateway, create a network object that represents the IP pool NAT addresses for that Security Gateway.
To configure NAT for an IP pool for Remote Access VPN:
- From Menu, click .
- From the navigation tree, click .
- Click .
- Click and publish the changes.
- For each Security Gateway create a network object that represents the IP pool NAT addresses for that Security Gateway. The IP pool can be a network, group, or address range.
- Click (Ctrl+E).
- Create the new object.
- Configure the IP addresses.
- Click and publish the changes.
- Double-click the Security Gateway object where IP pool NAT translation is performed.
- From the navigation tree, click .
- Click , and select the IP pool object.
- Click Use IP Pool NAT for VPN client connections.
- Optional: Click Use IP Pool NAT for Security Gateway to Security Gateway connections.
- Click OK and publish the changes.
- Edit the routing table of each internal router, so that packets with an IP address assigned from the NAT pool are routed to the appropriate Security Gateway.
To disable MEP, set the following command to true in , the Check Point database tool:
- desktop_disable_mep
- When MEP is disabled, MEP RDP probing and fail over are not be performed. As a result, remote hosts connect to the Security Gateway defined without considering the MEP configuration. Remote Access clients use Visitor Mode instead of RDP to probe gateways.