https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/135535#M20443 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38448">@bogdanp</a>,<BR /><BR />Unfortunately there are no official document from Check Point here.</P> <P>I would contact a local Check Point SE.</P> Sun, 05 Dec 2021 13:47:29 GMT HeikoAnkenbrand 2021-12-05T13:47:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/118779#M16820 <P>Modern day applications deployed in the data centers have become multi-tiered and distributed. This has resulted in an increase<BR />in the amount of east-west traffic seen in the data centers. This includes traffic from physical-to-physical (P-to-P), virtual-to-virtual (V-to-V), and between physical and virtual (P-to-V) workload.</P> <P>Arista Macro-Segmentation Service (MSS) provides a software-driven dynamic and scalable network service to logically insert<BR />security devices into the path of traffic with complete flexibility on placement of security devices and workloads. It is specifically<BR />aimed at physical-to-physical (P-to-P) and physical-to-virtual (P-to-V) workloads.<BR />What makes MSS unique is that it places the control of policy enforcement directly in the hands of security administrators. This is<BR />accomplished using standards based forwarding with no proprietary frame formats and without placing limitations on where the<BR />service devices must exist within the network.</P> <P><STRONG>Arista MSS Deployment Mode:</STRONG><BR /><BR />Many data centers have firewalls deployed in layer-3 mode, acting as first hop for the hosts, serving applications. The Layer 3 Firewall<BR />is connected to the network and configured to enforce policy between different security zones or endpoints.<BR />Instead of using routing policy to attract traffic to the firewall, the Macro-Segmentation Service redirects traffic to the firewall,<BR />dynamically inserting it into the path for traffic between relevant endpoints. L3 Firewall is not configured as a gateway for the<BR />subnet.<BR /><BR /><STRONG>Requirements: </STRONG></P> <P><BR />• Arista CloudVision running EOS release 4.23.2F or later<BR />• Management Server Versions<BR />• Version R80.30 with API version 1.5 (and above). In addition to this Management Server version, Check Point has provided<BR />a “hot fix” that provides a “Proxy API” ability which allows the user to access the Gateway APIs through a special URL on the<BR />Management Server. This hot-fix is required for MSS to work.<BR />• Gateway Versions: Version R80.30 with API version 1.2 (and above)<BR /><BR /><STRONG><FONT color="#FF0000">Config example:</FONT></STRONG></P> <P><STRONG>Direct Flow is enabled on all TOR switches with 100Gbps Interfaces:</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="markup">! cvx no shutdown ! service mss no shutdown policy enforcement rules verbatim ! dynamic device-set checkpoint device 10.0.0.200 username admin password 7 xxxxxxxxxxxxxxxx protocol https 4434 group poc-mss state active type check-point management-server policy tag redirect MSS_redirect policy tag offload MSS_offload policy tag modifier verbatim MSS_verbatim ! service vxlan no shutdown</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Check Point:</STRONG></P> <P>Interface Configurations:<BR /><BR />Interfaces configured in aggregation groups bond1.100 and bond1.200. bond1.100 is part of the zone ‘Tenant C’ and bond1.200 is<BR />part of the zone ‘Tenant D’<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Arista_1.PNG" style="width: 646px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11730i3A9AF771946E2A2E/image-size/large?v=v2&amp;px=999" role="button" title="Arista_1.PNG" alt="Arista_1.PNG" /></span><BR /><BR /><STRONG>Route Configuration:</STRONG> <BR /><BR />The firewall needs to have routes back to the original subnets in which the end hosts reside. Static routes have been created for each subnet. Default GW for the Tenant C subnets is the VLAN 10 interface on the TOR and for Tenant D subnets its the VLAN 20 interface on the TOR.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Arista_2.PNG" style="width: 655px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11731i36128F32708AE045/image-size/large?v=v2&amp;px=999" role="button" title="Arista_2.PNG" alt="Arista_2.PNG" /></span></P> <P><STRONG>Policy Configuration:</STRONG></P> <P>For Tenant C:<BR />• Web servers can talk to each other directly only on port 443 or port 80 the web servers are connected directly on the same VLAN and IP subnet.<BR />• Web Servers can communicate with the proxy servers on port 8080 HTTP as well.<BR />For Tenant D :<BR />• Web servers can talk to each other directly only on port 443 or port 80 the web servers are connected directly on the same VLAN and IP subnet.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Arista_5.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11733i6DCB5C753EC2A509/image-size/large?v=v2&amp;px=999" role="button" title="Arista_5.PNG" alt="Arista_5.PNG" /></span></P> <P>For Tenant C, firewall policy tags defined as “MSS-redirect” (red)&nbsp; are enforced by the Active Firewall.<BR /><BR />For Tenant C for proxy, Firewall tags defined as “MSS-offload” (blue) are enforced by the Arista switches locally without being redirected to the Active firewall.</P> <P><BR /><BR /><BR /></P> <P>&nbsp;</P> Thu, 20 May 2021 17:23:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/118779#M16820 HeikoAnkenbrand 2021-05-20T17:23:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/118781#M16822 <P>Is there detailed documentation from Check Point side for this Arista MSS feature with configuration examples?</P> <P>&nbsp;</P> Wed, 19 May 2021 09:22:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/118781#M16822 HeikoAnkenbrand 2021-05-19T09:22:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/135504#M20421 <P>Hello,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; I am also interested in this solution. The only documents I have found so far regarding this solution were on the Arista websites (Arista EOS Central).</P><P>&nbsp;&nbsp;&nbsp;&nbsp; If someone has more input on this topic, I think it is trully welcomed.</P> Sat, 04 Dec 2021 11:02:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/135504#M20421 bogdanp 2021-12-04T11:02:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/135535#M20443 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38448">@bogdanp</a>,<BR /><BR />Unfortunately there are no official document from Check Point here.</P> <P>I would contact a local Check Point SE.</P> Sun, 05 Dec 2021 13:47:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Config-Arista-Macro-Segmentation-Service-MSS-Check-Point/m-p/135535#M20443 HeikoAnkenbrand 2021-12-05T13:47:29Z