topic Re: Check Point Firewall behind ASA Firewall in Firewall and Security Management

Check Point Firewall behind ASA Firewall

John_Edovia — Fri, 18 May 2018 08:09:42 GMT

Could someone point me to a design guide on implementing Check point Security appliance behind ASA firewall with firepower services. Are there known limitations that one should be aware of?

Network design;

The purpose of the Check point firewall is to provide a second layer of security to internal servers and also control traffic from LAN to Server farm and LAN to internet.

Re: Check Point Firewall behind ASA Firewall

Vladimir — Fri, 18 May 2018 20:55:48 GMT

Few things come to mind:

1. if you intend to use VPN functionality on Check Point:

2. Exclude ASA DMZ network from Anti-spoofing protection on external interface of the Check Point gateway:

Re: Check Point Firewall behind ASA Firewall

John_Edovia — Fri, 18 May 2018 21:28:08 GMT

@Vladimir VPN will be setup on the ASA and the external interface of check point will be assigned a private IP address. NAT will also be configured on the ASA.

Some vendors recommend that the firewall behind another firewall be configured in layer 2 mode(bridge). Does this apply to check point?

Re: Check Point Firewall behind ASA Firewall

Vladimir — Fri, 18 May 2018 23:22:46 GMT

My preferred architecture is to have layer 2 bridge in front of the addressable L3 device.

In your case,since ASA is directly accessible from the Internet, it is easier to run DDOS against (unless there is additional filtering performed on the border routers).

If you have a firewall/IPS in transparent bridge on the edge, you can drop a lot of stuff before it hits the device that actually has to accept connections.

Re: Check Point Firewall behind ASA Firewall

PhoneBoy — Fri, 18 May 2018 23:26:06 GMT

Make sure the ASA is allowing the traffic listed in this SK: How to verify that Security Gateway and/or Security Management Server can access Check Point servers?

Re: Check Point Firewall behind ASA Firewall

John_Edovia — Sun, 20 May 2018 18:16:45 GMT

Site-to-site and remote access VPN is not supported on ASA in transparent mode, so we cannot have the ASA in layer 2 bridge mode. To block unwanted traffic at the edge as you rightly pointed out, we might explore the option of enabling IOS zone based firewall on the edge router.

Kindly correct me if I am wrong, from what I have gathered so far from the responses here, its OK to have the ASA and Check Point in routed mode.

Thank you.

Re: Check Point Firewall behind ASA Firewall

Vladimir — Sun, 20 May 2018 21:10:36 GMT

Absolutely. I've just recently deployed it in exactly the situation you are describing.

FYI: if the Check Point piece is a cluster, you may have to add static routes to individual member's IPs pointing to the vIP of the cluster on next hop routers, if you want to make individual members reachable. Alternatively, there is a kernel parameter fix that allows you to achieve the same. There is a thread in CheckMates regarding this issue, if you'll have to look it up.