topic Re: Same interface for inbound and outbound internal traffic in General Topics

Same interface for inbound and outbound internal traffic

LCarrau808 — Fri, 14 Feb 2020 14:26:53 GMT

Hello,

I want to perform Access Control and Threat Prevention between the local networks.

Description:

All networks are connected to a Router, which will detour all traffic to the Security Gateway, even when the destination is direct attached. For the Security Gateway, the inbound and outbound interface is the same in all packets but there is no assymetrical routing.

Questions:

Will the Threat Prevention and Firewall Blades work without issues on this scenario/layout?

Will the SG send to the router a ICMP Redirect Message?

Thanks

Lanello

Re: Same interface for inbound and outbound internal traffic

_Val_ — Fri, 14 Feb 2020 14:30:31 GMT

Not a good idea. Use Bridge mode instead or IP forwarding in a normal mode.

Re: Same interface for inbound and outbound internal traffic

LCarrau808 — Fri, 14 Feb 2020 15:29:29 GMT

Hello

For the Bridge Mode can get a little bit complicated.

The Checkpoint would be at a side instead Man-In-The-Middle (Check the drawing).

It is a ClusterXL with 6 VSX. Two of them are Perimeter Firewalls, but I want to perform IPS between the local networks.

I know I can connect the networks direct to the Checkpoint and get rid of the router, but I still want to have it arround.

Thanks for your help.

Lanello

Re: Same interface for inbound and outbound internal traffic

vinceneil666 — Fri, 14 Feb 2020 15:30:30 GMT

Hi, as stated before.. not a good idea. 🙂

Its like a firewall-on-a-stick setup, and I would guess that you will need to spend some time to get the routing set up and working. But yeah - sure I can't see that it wont work.

I have had setups where you had a main vrf with several 'child' vrf's, connecting the firewall to the main vrf and providing access between the 'childs' on the SG. This can be comapred to what you are asking.

Regaring the question on 'icmp redirects' vs. 'all networks connected to a router' gives me a confused picture on how you are planning to actually set this up.. is there to be several networks/subnets ? If you have ex. 2 client subnets and a subnet where the SG is to be placed, the packet flow will be pretty regular, just entering and leaving on same.

But all in all. not a good idea.

Re: Same interface for inbound and outbound internal traffic

LCarrau808 — Fri, 14 Feb 2020 15:41:26 GMT

Your example with the VRF is exaclty the same I want to do.

The routing part is already solved with a forced unconditional next-hop leading the packets to the firewall and the default route for the SG is the Core Router again (that's the plan).

Yes, there is a separated subnet for the comm between the SG and the Router.

If the VRF scenario is working for you, I can see the light at the end of the tunnel.

But you still say it is not a good idea...

Have you inter-VRF traffic that pass through the SG?

Re: Same interface for inbound and outbound internal traffic

vinceneil666 — Fri, 14 Feb 2020 15:51:30 GMT

Hi, ok - well. It depends on your design. For me the main thing was to have seperation between the vrf's, but do to 'stuff' I had to allow some traffic to pass between them, and thus getting the setup I was refering to. Worked fine..

It pretty much comes down to the network design. For me it added a bit of extra management, just to get people to understand the design. And troubleshooting got a bit more tedious.. NAT would probably be a bit 'interesting'.. Voice, qos, as an example, I have no idea. You have to take into consideration how you build policy set..working with zones etc..

But in general, "basic firewall functionality was fine.

Re: Same interface for inbound and outbound internal traffic

Maarten_Sjouw — Fri, 14 Feb 2020 18:16:38 GMT

In your configuration all traffic between VLANs can be easily routed trhough the FW's when you use the FWs as their default gateways.
Traffic between device in the same LAN will never work as both devices will always directly address the other device in the same LAN. Redirecting this to the FW is not only a bad idea but also very hard to do.

Re: Same interface for inbound and outbound internal traffic

lcarrau — Fri, 14 Feb 2020 21:51:35 GMT

Thanks for you comment @Maarten_Sjouw !

I will desist. The common sentence in teh comments of all of you is "This is a bad idead".

Anyways I will test the scenario in a lab and let you know.

Thanks guys!

PS:

Redirecting the traffic is very easy.

A Policy based route overrides the general routing table, setting the "default-nexthop" the firewall.

I have tested this step already without issues.

Lanello

Re: Same interface for inbound and outbound internal traffic

Maarten_Sjouw — Sat, 15 Feb 2020 09:51:49 GMT

I'm sorry for that typo..
Are all systems in that VLAn capable of setting that policy route?
Only other method I can think of is by setting the IP to a /32 and set the default gateway, but normally those types of config are not accepted by most OS's.

Re: Same interface for inbound and outbound internal traffic

lcarrau — Sat, 15 Feb 2020 11:53:01 GMT

I don't need to inspect traffic between the hosts on the same network.

Only the inter-subnet traffic.