Static routing with intermediate address in Check Point

It is not possible to configure a static route with an intermediate address in a Check Point security gateway.

In out lab setup R4 tries to reach R3 using its loopback0 interface as the source.

R4 is configured with a default static route that points to R1 interface in the subnet 20.3.4.0/24.

Both R1 and R3 are configured with a default static route pointing towards firewall SG1.

In addition router R1 is configured with a more specific route that points towards R4 to reach 4.4.4.4/32 network.

SG1 is configured with rules to allow such a traffic and anti-spoofing has been disabled for simplicity.

We check that traffic is allowed through the firewall :

We configure the static route and check its state in the firewall routing table:

Now R4 is receiving replies from R3 through SG1.

Let’s try to point this static route to R4’s intermediate address 20.3.4.2 instead of R1’s directly connected address:

The route configuration is accepted.

But is no more installed in the routing table even though a static route to the intermediate address is added.

This route would eventually allow for a recursive route lookup in the routing table as it is the case on many other platforms (Cisco, Juniper, etc.).

How to respond to a case when:

I don’t have the control over the next hop address of router R1? that could be assigned dynamically by the ISP or partner?
and without the use of a dynamic routing protocol?

It is possible to do it thanks to a trick revealed by: https://www.adminsehow.com/2011/09/gateway-on-a-different-subnet-on-linux/

We check in our table that no route exists to our destination 4.4.4.4/32:

In expert mode we check the same and add our intermediate gateway address as being attached to eth3:

Now we add our route and we check that it shows only in the expert mode table and that pings are successful.

We check that pings are successful and getting through the firewall even if:

TEK@link