https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149370#M23939 <P>My 2cents,</P><P>Even if an /24 sounds BIG, you will soon exhaust it&nbsp;<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span>.</P><P>I would split it in many subnets, one for routing, one for DMZ, etc etc.</P><P>As for size of the splits, think loong run plans...</P><P>&nbsp;</P><P>Thx,</P> Tue, 24 May 2022 20:01:19 GMT Sorin_Gogean 2022-05-24T20:01:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149288#M23929 <P>Hi&nbsp;</P><P>&nbsp;</P><P>We have an ARIN assigned&nbsp; /24 public range. The physical topology of external internet link is the typical ISP &lt;&gt; External Router &lt;&gt; Layer2 Switches &lt;&gt; Checkpoint ClusterXL.&nbsp;</P><P>&nbsp;</P><P>Is it best to use /24 for addressing the external&nbsp;Checkpoint ClusterXL interfaces/VIP or use a smaller /28 or /29 for addressing&nbsp;the external&nbsp;Checkpoint ClusterXL interfaces and then route the /24 range on the External Router to the Checkpoint ClusterXL VIP interface?<BR /><BR />I know both will work but wanted to get some feedback on best practices and security considerations. Note - we also have DDoS protection/scubbing on the /24 range. As a result is it safer to use the first option?</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 24 May 2022 04:30:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149288#M23929 ham2065 2022-05-24T04:30:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149321#M23930 <P>Usually, external routable IPs are scares and expensive, so people are trying to be as economical as possible when defining the external subnet. But if you have /24, knock yourself out and have a party <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />From where I stand, these settings are not related to security but to networking.</P> Tue, 24 May 2022 11:42:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149321#M23930 _Val_ 2022-05-24T11:42:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149325#M23931 <P>Either way but routing the addresses towards the firewall and removing a reliance on proxy-arp gets my vote.</P> <P>Also since you raised the DDoS topic you may opt only to route the used addresses and send the others to Null.</P> Tue, 24 May 2022 12:03:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149325#M23931 Chris_Atkinson 2022-05-24T12:03:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149370#M23939 <P>My 2cents,</P><P>Even if an /24 sounds BIG, you will soon exhaust it&nbsp;<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span>.</P><P>I would split it in many subnets, one for routing, one for DMZ, etc etc.</P><P>As for size of the splits, think loong run plans...</P><P>&nbsp;</P><P>Thx,</P> Tue, 24 May 2022 20:01:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/External-Topology-and-Addressing/m-p/149370#M23939 Sorin_Gogean 2022-05-24T20:01:19Z