topic Re: Using security zone with security policies in Firewall and Security Management

Using security zone with security policies

strou — Tue, 13 Jul 2021 18:48:58 GMT

Hi,

I am a beginner with checkpoint.

Here is my question: When you use security zones as a source or destination in your security policies, does checkpoint limits the ip addresses to those matching the connected subnet of the interface bound to the security zone? Or does it allow any ip address coming from that interface?

Thanks,

Steve

Re: Using security zone with security policies

Marcel_Gramalla — Tue, 13 Jul 2021 20:29:23 GMT

I think it will allow any connection from the interface as you only tell the gateway which interface belongs to zone XY if you don't use address spoofing. But you should enable address spoofing and with that every connection from an unknown IP will be dropped even before the security policy. You can choose to only include the network where the Cluster IP resides in or choose "defined by routes" or even select a group of subnets if you have that use case.

Re: Using security zone with security policies

genisis__ — Tue, 13 Jul 2021 21:16:49 GMT

I believe looks at the topology related to the interface therefore the directly connected interface and any routes via that interfaces are in scope for the zone.

Re: Using security zone with security policies

JozkoMrkvicka — Wed, 14 Jul 2021 05:48:53 GMT

It is also important to note if the interface is marked in Topology as External or Internal.