Participant

Need some help on how to setup DMZ on CP5100 Cluster

I need some expert advice here. I'm new to Check Point firewalls. I have just purchased the appliance and got it set up and running. Now I want to set up two different DMZs for our web servers and mail server for two different business partners. I would like to make them accessible from the Internet and also over a site-to-site VPN connection. I would like to ask for your guidance on how to plan, configure and secure this. I have been searching through the Check Point Support website and the CheckMates forums but found little information about it, so your help would be very much appreciated.


8 Replies

Hi,

It would be good to have two separate subnets for the two DMZs. You can assign them to interfaces, like below:

DMZ A - Subnet A - Interface A

DMZ B - Subnet B - Interface B

Now you can achieve traffic flow and restriction through the security policy, for example:

Internet --> Subnet A --> https --> allow, and vice versa

If you want to build a site-to-site tunnel, you can build it for a specific subnet (Subnet A or Subnet B).

Hope this helps.

Participant

Thanks Gaurav,

I only have one physical interface available. That's why I plan to use sub-interface ETH3.1 for Subnet A and ETH3.2 for Subnet B. Is this achievable?


You will treat the sub-interface the exact same way as a physical interface. Configure the VLANs on your Gaia Web Portal and set them as DMZs on the topology page of your GW. Configure your policy accordingly.

Contributor

I agree with you 100%, Pedro: he can configure multiple VLANs on one physical interface, but the problem is that sub-interfaces (multiple VLANs on one physical interface) are not supported when the firewalls are deployed in cluster mode, as sk89980 indicates.


A secondary IP is not the same as a VLAN interface. Please don't confuse other people.

It is written in the sk89980 you provided:

If the physical machine does not have enough physical interfaces, then VLAN interfaces should be configured:
• Check Point supports up to 256 VLANs per physical interface
• Check Point supports up to 1024 VLANs per Security Gateway


Hi,

Yes. You can achieve the same thing with sub-interfaces, as Pedro suggested. It is easily configurable in the GUI.

You need to configure a trunk port on the switch end.
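As an added example (not from any post in this thread and not from Check Point's or Cisco's documentation), here is what the setup described above looks like on the command line: Gaia clish on each cluster member to create the two VLAN sub-interfaces on eth3, and the matching trunk port on the switch. Everything specific is assumed for illustration: VLAN IDs 10 and 20, the subnets 192.0.2.0/24 and 198.51.100.0/24, the member addresses, a two-member ClusterXL pair, and a Cisco IOS switch.

```clish
# ---- Gaia clish, run on EACH cluster member (assumed example) ----
# VLAN IDs, subnets and addresses below are made up for illustration.

# The physical port only carries the 802.1Q trunk; it gets no IP address.
set interface eth3 state on

# DMZ A = VLAN 10, subnet 192.0.2.0/24 (assumed).
# Each member gets its own address; the cluster virtual IP (e.g. 192.0.2.1)
# is NOT configured here, it is defined on the cluster object's topology
# in SmartConsole, where eth3.10 is also marked as a DMZ interface.
add interface eth3 vlan 10
# member 1 below; on member 2 use 192.0.2.3
set interface eth3.10 ipv4-address 192.0.2.2 mask-length 24
set interface eth3.10 state on

# DMZ B = VLAN 20, subnet 198.51.100.0/24 (assumed).
add interface eth3 vlan 20
# member 1 below; on member 2 use 198.51.100.3
set interface eth3.20 ipv4-address 198.51.100.2 mask-length 24
set interface eth3.20 state on

save config

# Verify both VLAN sub-interfaces exist and are up before touching the policy.
show interface eth3.10
show interface eth3.20

! ---- Cisco IOS switch port facing eth3 of each member (assumed model/port) ----
interface GigabitEthernet1/0/1
 description CP5100-member1-eth3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

Repeat the same VLAN IDs on both members, with only the member address changing, and give each member its own trunk port with the identical allowed-VLAN list, otherwise the cluster's interface topology will not match. Restricting the trunk to the two DMZ VLANs (rather than `allowed vlan all`) keeps the internal VLANs off a port that faces partner-accessible servers. Once the VLAN interfaces appear in the cluster object's topology, the partner separation is done in the rule base: one rule per DMZ allowing https from the Internet to that partner's web server object only, mail only to the mail server, no DMZ-to-DMZ or DMZ-to-internal rule at all, and each partner's site-to-site VPN community encrypting only that partner's DMZ subnet.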

Participant

Thanks all for your responses

Contributor

Yes, you are 100% correct, and I apologize for the wrong information I presented. I must have understood the question in a different way.

Thank you for correcting me in such a gentle way!!!