Archive for the ‘checkpoint’ Category

Configuring static lag on Brocade ICX switches to be used with Check Point bond

Monday, April 14th, 2014

As we’re slowly (but surely) moving towards replacing our Cisco gear with Brocade I’m going to publish a set of articles related to ICX 6610 configuration. Bear with me since I’m still learning it. By the way, if you spot any mistakes please let me know.

In comparison with the Cisco 3745 the Brocade’s ICX 6610 wins by miles, both in terms of performance and price (big time!), so here we go.

The first article will be related to the configuration of LAG (Link Aggregation Group) on ICX 6610 to be used with Check Point’s bond interfaces. The idea is to aggregate two or more physical links into a virtual one, so in case there is an issue with one of the links (faulty cable or NIC) the connection is still operational. To summarize, on Brocade you configure LAGs and on Check Point you configure bonds. Initially, when I first started working on it, my main goal was all about redundancy and I didn’t really care about load distribution. At the end it came out that the traditional active/backup setup cannot be implemented with the bond where both legs are terminated on the same switch, so I ended up with the active/active implementation. It’s a mix of load balancing + redundancy so should be fine.

(more…)

Hide NAT with Any as a Source in Checkpoint

Thursday, April 4th, 2013

As you know, adding a hide NAT rule with Any as a Source is not possible in Checkpoint (at least with R71.30). So the rule below will generate an error during validation:

20130403-hide-nat

Error:

  1. Verifier warnings: Invalid <Any> in Source of Address Translation Rule. <Any> is valid only if the matching Translated column is <Original>.

which is a shame, since it’s a perfectly fine requirement for asymmetric routing environments.

The fix (call it a “hack”) is to add two network objects: 0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0, group them and place created group as a Source. That way the policy will be compiled and installed without any errors and you will still have “Any” as a Source because these two networks include any possible IP address.

According to sk21751 this is by design. It’d be interesting to read though about the reasons behind (performance may be, cause you need to maintain a massive translation table?).