https://community.checkpoint.com/t5/General-Topics/Difference-between-interface-based-and-zone-based-firewall/m-p/4191#M330 <HTML><HEAD></HEAD><BODY><P>like to know the difference between interface based and zone based firewall</P></BODY></HTML> Sat, 15 Jul 2017 06:33:57 GMT yoganand_i 2017-07-15T06:33:57Z https://community.checkpoint.com/t5/General-Topics/Difference-between-interface-based-and-zone-based-firewall/m-p/4191#M330 <HTML><HEAD></HEAD><BODY><P>like to know the difference between interface based and zone based firewall</P></BODY></HTML> Sat, 15 Jul 2017 06:33:57 GMT https://community.checkpoint.com/t5/General-Topics/Difference-between-interface-based-and-zone-based-firewall/m-p/4191#M330 yoganand_i 2017-07-15T06:33:57Z https://community.checkpoint.com/t5/General-Topics/Difference-between-interface-based-and-zone-based-firewall/m-p/4192#M331 <HTML><HEAD></HEAD><BODY><P>It comes down to how the policy is defined.</P><P></P><P>In a zone-based firewall I can say "everything that comes from this interface should be treated this way" without worrying about the IP addresses at all.</P><P>You can achieve the same thing in an interface-based firewall, but you have to know (and define) every IP address reachable from that firewall.</P><P>Which, in complex environments with dynamic routing, can be a challenge.</P><P></P><P>Check Point did not support using zones in the firewall policy until R80.10 (except on SMB appliances, where this has been supported for a while).&nbsp;</P><P>However, even in R80.10, interface Anti-spoofing and NAT rules still have to be defined in terms of IP addresses--something that should be addressed in future releases.&nbsp;</P></BODY></HTML> Sat, 15 Jul 2017 15:54:35 GMT https://community.checkpoint.com/t5/General-Topics/Difference-between-interface-based-and-zone-based-firewall/m-p/4192#M331 PhoneBoy 2017-07-15T15:54:35Z