Showing results for 
Search instead for 
Did you mean: 
Create a Post

External Interface - Internal Only Firewall

I am in the process of setting up some firewalls to segment different parts of my network. I'm curious how some of you configure the external interface in this case. These firewalls will be internal only, no direct connection to an ISP, and no public IPs. Just use a private IP space then NAT it at the edge gateway? Then define as external in topology for address spoofing? Seems like it should be easier than this. Let me know how you solve this.

0 Kudos
3 Replies

Re: External Interface - Internal Only Firewall

You describe the solution yourself?

That's exactly how I'd do it.

0 Kudos

Re: External Interface - Internal Only Firewall

It is required for antispoofing feature in your case and cose sometimes handy in other cases, like for example hide all traffic behind external gateway IP in with one checkbox.

Internal interface would mean that you have only specific networks behind it:

  • Network defined by the interface IP and Net Mask - There is only one network that connects to this internal interface.
  • Specific - There is more than one network that connects to this internal interface, select a group.

External interface - all other networks, not defined as internal ones or Sync.

Of course you can disable antispoofing at all and not think about it, which I would highly not recommend.

In my opinion, this is how to choose an external interface in this case - leading in the direction of internet connection (default route), all protected networks (for example networks with some specific servers) which you can define are behind other (internal) interfaces, in that direction there are many network, which cannot be easily defined and they are not part of protected scope of this gateway.

0 Kudos

Re: External Interface - Internal Only Firewall

External doesn't mean the interface that directly connects to the ISP router, it describes the network segment your traffic passes to reach (even indirectly) public or other untrusted networks. Often this is the interface that connects to the default gateway of your firewall.

Anti-Spoofing is a sanity-check on what interfaces packets are coming from and what interfaces they should be going to.

Some Check Point features need to know what interfaces are Internet-facing (External) in order to activate protections. Example for 'Interface leads to DMZ'.

0 Kudos