<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Microsegmentation with Firewall Hardware in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253472#M42547</link>
    <description>&lt;P&gt;It depends on the hypervisor's capabilities. It needs to support private VLANs, MPLS-based flow control, or an analogous feature. I haven't followed ESX development in years, but it looks like they have at least some support for private VLANs.&lt;/P&gt;</description>
    <pubDate>Fri, 18 Jul 2025 17:22:32 GMT</pubDate>
    <dc:creator>Bob_Zimmerman</dc:creator>
    <dc:date>2025-07-18T17:22:32Z</dc:date>
    <item>
      <title>Microsegmentation with Firewall Hardware</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253382#M42520</link>
      <description>&lt;P&gt;Hello Community,&lt;/P&gt;&lt;P&gt;I need your help and suggestions.&lt;/P&gt;&lt;P&gt;Our client is adopting an SDN architecture, and we've proposed Checkpoint as a firewall that will perform microsegmentation in the fabric.&lt;BR /&gt;Let's assume a physical server hosting VMs at the hypervisor level connected to a leaf switch. How will we technically inspect inter-VM traffic, given that the proposed firewall is hardware-based? How can we achieve the same functionality as CloudGuard?&lt;BR /&gt;For information, the firewall is located in a service bridge domain, allowing it to operate within graph contract services. But we don't know how to push the traffic outside, inspect it, and then send it back to the hypervisor to the VM at the destination.&lt;/P&gt;&lt;P&gt;Thanks for your help&lt;/P&gt;&lt;P&gt;Imad&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jul 2025 15:03:19 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253382#M42520</guid>
      <dc:creator>Imad981</dc:creator>
      <dc:date>2025-07-17T15:03:19Z</dc:date>
    </item>
    <item>
      <title>Re: Microsegmentation with Firewall Hardware</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253388#M42521</link>
      <description>&lt;P&gt;First, microsegmentation is a &lt;EM&gt;&lt;STRONG&gt;grave mistake&lt;/STRONG&gt;&lt;/EM&gt;. It's a maintenance nightmare and actively encourages people to build applications in ways which are extraordinarily difficult to reason confidently about when troubleshooting. I say this from extensive, painful experience.&lt;/P&gt;
&lt;P&gt;If you are &lt;STRONG&gt;absolutely sure&lt;/STRONG&gt; you want to wreck the datacenter, it's possible to do as long as your switches and your hypervisor platform support private VLANs. It could also be done with MPLS route distinguishers (I originally misspoke and said "descriptors") and route targets, but that's much more exotic, so you're less likely to find people who can support MPLS in this way. Give all of your VMs and physical endpoints (not the firewalls) a 32-bit (or 128-bit for IPv6) netmask and a gateway address. Give your firewalls the normal netmask. When endpoints try to go anywhere, the frame goes to the gateway's MAC. The gateway then filters it and sends it back out the same interface to the destination. The private VLANs or MPLS configuration enforce this traffic pattern, so a misconfigured VM or physical host can't talk to anything on its local network.&lt;/P&gt;</description>
      <pubDate>Fri, 18 Jul 2025 17:15:57 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253388#M42521</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2025-07-18T17:15:57Z</dc:date>
    </item>
    <item>
      <title>Re: Microsegmentation with Firewall Hardware</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253393#M42523</link>
      <description>&lt;P&gt;Hello &lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/27871"&gt;@Bob_Zimmerman&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Thanks for your answer, but in this way can we enforce that the traffic is routed out of the hypervisor (an ESXi host, for example) and into the hardware firewall?&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jul 2025 16:44:40 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253393#M42523</guid>
      <dc:creator>Imad981</dc:creator>
      <dc:date>2025-07-17T16:44:40Z</dc:date>
    </item>
    <item>
      <title>Re: Microsegmentation with Firewall Hardware</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253472#M42547</link>
      <description>&lt;P&gt;It depends on the hypervisor's capabilities. It needs to support private VLANs, MPLS-based flow control, or an analogous feature. I haven't followed ESX development in years, but it looks like they have at least some support for private VLANs.&lt;/P&gt;</description>
      <pubDate>Fri, 18 Jul 2025 17:22:32 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Microsegmentation-with-Firewall-Hardware/m-p/253472#M42547</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2025-07-18T17:22:32Z</dc:date>
    </item>
  </channel>
</rss>