topic Re: Integrating checkpoint to fortigate in Firewall and Security Management

Integrating checkpoint to fortigate

wac — Sun, 17 Mar 2024 21:09:24 GMT

10.x.x.x/24 ---> FortiGate --->Internet

current setup with vip configured on fortigate

10.x.x.x/24 --> CheckPoint-->Fortigate ---> Internet.

We want to maintain same configuration on the fortigate ie Nat, vip and VPN with checkpoint doing filtering.

PS checkpoint will not be in transparent mode.

Re: Integrating checkpoint to fortigate

_Val_ — Mon, 18 Mar 2024 07:52:22 GMT

Not sure I understand. Are you adding a second layer with Check Point?

Re: Integrating checkpoint to fortigate

wac — Mon, 18 Mar 2024 08:10:04 GMT

YES additional layer of checkpoint behind fortigate. But fortigate has vip and vpns configured. Is there a way of configuring the checkpoint for just filtering and the vips and vpn works on the fortigate.

Re: Integrating checkpoint to fortigate

_Val_ — Mon, 18 Mar 2024 08:44:39 GMT

Actually, bridge mode would be the most reasonable way to approach this, as it will help you avoid massive network changes. Why don't you want to use it, then?

Re: Integrating checkpoint to fortigate

Hugo_vd_Kooij — Mon, 18 Mar 2024 08:57:56 GMT

With that there is the drawback that the Check Point firewall will be blissfully unaware of what ever threath is lurking inside the VPN traffic.

So apart from good sales figures and crossing the "Different vendor firewalls in cascade" tickbox I don't understand the added value here. It does not add real security to the design.

Re: Integrating checkpoint to fortigate

wac — Mon, 18 Mar 2024 08:59:18 GMT

YES bridge mode is the best approach but customer wants this setup instead. And they are ready for any network changes. Can you suggest the best approach for this set.

Re: Integrating checkpoint to fortigate

_Val_ — Mon, 18 Mar 2024 09:17:53 GMT

Adding Check Point in any mode will improve security. But I understand your point, it seems too be too complex this way.

Re: Integrating checkpoint to fortigate

_Val_ — Mon, 18 Mar 2024 09:19:52 GMT

So you need to add a different default route to your internal network pointing to CP, while CP GW will have Forti as a DG. A networking exercise, starting from the drawing board.

Re: Integrating checkpoint to fortigate

wac — Mon, 18 Mar 2024 09:25:21 GMT

Routing is not a problem but the vips on the fortigate will it work with CP in place without any config changes??.

Re: Integrating checkpoint to fortigate

wac — Mon, 18 Mar 2024 09:26:28 GMT

Yes complex but customer wants this setup for additional protection.

Re: Integrating checkpoint to fortigate

_Val_ — Mon, 18 Mar 2024 09:30:03 GMT

The internal traffic is cleartext. VPN tunnels are terminated on Forti. The domain has not changed. It is essentially a Forti question, but I don't see a reason for VPNs to fail after an internal routing change

Re: Integrating checkpoint to fortigate

wac — Mon, 18 Mar 2024 09:38:29 GMT

OK noted. what about the vips do we have to do natting on CP ??.

Re: Integrating checkpoint to fortigate

G_W_Albrecht — Mon, 18 Mar 2024 10:11:15 GMT

Then explain to the customer that bridge mode is best here 8) Or suggest to pay for CP Professional Services to make this setup work without issues...

Re: Integrating checkpoint to fortigate

PhoneBoy — Mon, 18 Mar 2024 16:59:46 GMT

Not sure what relevance the VIPs have on the Check Point configuration except maybe as a default route.
Assuming the networking is set up correctly, it should not be required to perform any NAT on the Check Point device.