<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: LOM question in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169857#M30787</link>
    <description>&lt;P&gt;Every customer I know does it on the LAN side, so if we ever need it, it has to be accessed via remote access VPN. In all honesty, in all my years dealing with CP, I had to use it probably 4 times max. Personally, but this is just me, I would not put it on a publicly accessible IP address. The reason I say that is simply due to the fact you won't have a need for anyone to access the LOM portal often enough in the first place.&lt;/P&gt;</description>
    <pubDate>Wed, 01 Feb 2023 03:55:42 GMT</pubDate>
    <dc:creator>the_rock</dc:creator>
    <dc:date>2023-02-01T03:55:42Z</dc:date>
    <item>
      <title>LOM question</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169849#M30785</link>
      <description>&lt;P&gt;Wondering where most folks put the LOM port for an appliance - private network, publicly reachable but post firewall, or directly on the public network, flat to the firewall?&lt;/P&gt;&lt;P&gt;For years I've been putting mine on the private side, but I can see a ton of value placing them flat to the firewall on the public side. For instance, at every location the ISP provides me a /29 for the handoff of which I immediately use 4 of the 6 public IPs - their gw, VIP, real-1, real-2. So I have just enough IPs to place the LOM ports there. But... are they hardened enough to be in a free fire zone? Assume I'm using a complex password - any options to harden even more?&lt;/P&gt;&lt;P&gt;Appreciate your feedback.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Feb 2023 02:29:35 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169849#M30785</guid>
      <dc:creator>D_TK</dc:creator>
      <dc:date>2023-02-01T02:29:35Z</dc:date>
    </item>
    <item>
      <title>Re: LOM question</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169857#M30787</link>
      <description>&lt;P&gt;Every customer I know does it on the LAN side, so if we ever need it, it has to be accessed via remote access VPN. In all honesty, in all my years dealing with CP, I had to use it probably 4 times max. Personally, but this is just me, I would not put it on a publicly accessible IP address. The reason I say that is simply due to the fact you won't have a need for anyone to access the LOM portal often enough in the first place.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Feb 2023 03:55:42 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169857#M30787</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-02-01T03:55:42Z</dc:date>
    </item>
    <item>
      <title>Re: LOM question</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169859#M30789</link>
      <description>&lt;P&gt;In theory, yes, you could put the LOM on an external public IP. You could potentially lock it down via other methods of authentication and provide access to only specific IP addresses (your home IP static and/or jump PC within your organization). Though I'm not sure I still would feel comfortable doing that. I'd much rather have a true out-of-band solution for all my hardware (router, switches, FWs, etc.)&lt;/P&gt;
&lt;P&gt;Here is the LOM guide if you didn't already have it.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://dl3.checkpoint.com/paid/73/733690c295a61c638b41ebd8ce744428/CP_Smart-1_5_6_7_13_15_16_21_23_26_28K_LOM_AdminGuide.pdf?HashKey=1675232349_a5163c3d045b27ae1ffb5b6f65047099&amp;amp;xtn=.pdf" target="_blank"&gt;https://dl3.checkpoint.com/paid/73/733690c295a61c638b41ebd8ce744428/CP_Smart-1_5_6_7_13_15_16_21_23_26_28K_LOM_AdminGuide.pdf?HashKey=1675232349_a5163c3d045b27ae1ffb5b6f65047099&amp;amp;xtn=.pdf&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Feb 2023 04:26:36 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169859#M30789</guid>
      <dc:creator>CE_SE</dc:creator>
      <dc:date>2023-02-01T04:26:36Z</dc:date>
    </item>
    <item>
      <title>Re: LOM question</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169861#M30790</link>
      <description>&lt;P&gt;Good point&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/69138"&gt;@CE_SE&lt;/a&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Feb 2023 05:03:38 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/LOM-question/m-p/169861#M30790</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-02-01T05:03:38Z</dc:date>
    </item>
  </channel>
</rss>

