https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98852#M78175 <P>Hi, Can you please tell me where in my policy I need to put the "Zone" object?</P><P>These are the columns I have:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TlvAJNF" style="width: 1644px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8404i5CA8AA85113B1BAF/image-dimensions/1644x29?v=v2" width="1644" height="29" role="button" title="TlvAJNF" alt="TlvAJNF" /></span></P><P>So lets say I have a network object for my DMZ vLAN:</P><P><SPAN>192.168.2.0 - 255.255.255.0</SPAN></P><P><SPAN>and I want to allow some traffic to another interface ( Zone ), Do I put the zone object &amp; vLAN object in "Source" column?</SPAN></P><P><SPAN>Thanks</SPAN></P> Mon, 12 Oct 2020 11:55:58 GMT ShlomiA 2020-10-12T11:55:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98776#M78172 <P>Hi, I'm not sure I'm 100% understanding what I actually want, But I used to work with Fortigate all the time and I'm missing that feature in Checkpoint or I just don't understand how to accomplish that.</P><P>In fortigate, I can configure the Incoming interface and Outgoing interface for a specific policy.</P><P>So when ever I configure a new interface, I have to add a specific policy for it to have network between other interfaces.</P><P>Now, on my checkpoint firewall ( x2 5100 ClusterXL ) I have 5 interfaces:</P><P>1. Mgmt - Management Interface&nbsp;- 192.168.1.0/24</P><P>2. eth1 - External Interface</P><P>3. eth2 - DMZ Interface - 192.168.2.0/24</P><P>4. eth3 - LAN Interface - 192.168.3.0/24</P><P>5. eth5 - Sync Interface - 192.168.4.0/24</P><P>For example, Let's take DMZ Interface:</P><P>I would like to allow all outbound traffic from DMZ to WAN but if I configure:</P><P>Source: DMZ ( network address pool )</P><P>Destination: All_Internet</P><P>Action: Accept</P><P>It will work but he will also have network to the other interfaces.</P><P>When I check the logs, I can see it's communicating the other interfaces through the "All_Internet" policy even though I want it to allow only WAN traffic..</P><P>Sorry for the lack of knowledge.</P> Sun, 11 Oct 2020 16:09:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98776#M78172 ShlomiA 2020-10-11T16:09:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98778#M78173 <P>First of all there is only one access policy that applies to all interfaces.<BR />You just have to make your policy more specific.</P> <P>If you look at the All_Internet object you will notice it is a range object that says 0.0.0.0-255.255.255.255.<BR />Which means it will allow access to any IP regardless of interface.</P> <P>What you want to use instead is the object Internet (I believe) which corresponds to the Zone assigned to your external interface.<BR />You can confirm this by looking at the interface definitions on the gateway object and see what Zone that is assigned to your external interface.</P> <P>In any case, you can assign arbitrary Zones to each interface and use that in your Access Policy.<BR />You will not be able to use them in your NAT policy, however, which is planned for R81.</P> Sun, 11 Oct 2020 16:19:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98778#M78173 PhoneBoy 2020-10-11T16:19:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98780#M78174 <P>I can understand that.</P><P>Thank you!</P> Sun, 11 Oct 2020 16:38:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98780#M78174 ShlomiA 2020-10-11T16:38:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98852#M78175 <P>Hi, Can you please tell me where in my policy I need to put the "Zone" object?</P><P>These are the columns I have:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TlvAJNF" style="width: 1644px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8404i5CA8AA85113B1BAF/image-dimensions/1644x29?v=v2" width="1644" height="29" role="button" title="TlvAJNF" alt="TlvAJNF" /></span></P><P>So lets say I have a network object for my DMZ vLAN:</P><P><SPAN>192.168.2.0 - 255.255.255.0</SPAN></P><P><SPAN>and I want to allow some traffic to another interface ( Zone ), Do I put the zone object &amp; vLAN object in "Source" column?</SPAN></P><P><SPAN>Thanks</SPAN></P> Mon, 12 Oct 2020 11:55:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98852#M78175 ShlomiA 2020-10-12T11:55:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98889#M78176 <P>Can you please tell me if that example is good?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="testpolicy.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/8412i8A0197CA1E7DC767/image-size/large?v=v2&amp;px=999" role="button" title="testpolicy.png" alt="testpolicy.png" /></span></P><P>What I'm trying to accomplish is:</P><P>Allow traffic from NS1 ( in DMZ interface ) to UniProdDC1 ( in LAN interface ) with DNS protocol only.</P><P>Allow traffic from NS1 ( in DMZ interface ) to WAN interface with http/https ( to allow internet ).</P> Mon, 12 Oct 2020 14:30:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Policies-per-Incoming-amp-Outgoing-interface/m-p/98889#M78176 ShlomiA 2020-10-12T14:30:02Z