This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alexander_Frolk
Explorer
‎2017-12-14 10:57 PM

CheckPoint in ESXi environment

Hello, guys!

I implement test stand with 2 CP gateways in my lab with rules Any-Any. 

My first firewall (cp-sb) has as default gateway cp-ngfw.

Mutual network for 2 firewalls is in promiscous port group. Also, monitor mode interface is in promiscous port group.

When I run this stand my real switch goes into overdrive and real network starts to lose packets.

Experimentally, it was found that this behavior begins to occur when 2 conditions are met:

1) The workstation 10.0.0.2 is running.

2) Interface with monitor mode is enabled.

Both of these conditions should not affect the network in any way, but this is not the case and I cannot understand why.

I will be happy if someone tells me what it might be related to.

Many thanks.

0 Kudos
6 Replies
Vladimir
Champion
Champion
‎2017-12-15 06:39 AM

Without thinking on it too much, it looks like you are looping the traffic from VLAN 101 into the same gateway.

I do not quite see the reason for this, as VLAN 101 will be hitting the gateway any way.

Is your Real Switch working in L2 with routing disabled? If not, you may be looking at the routing of the duplicate traffic.

Run the wireshark on workstation 10.0.0.2 and see what and where is hitting it when the switch is smoking.

0 Kudos
AlekseiShelepov
Advisor
‎2017-12-15 07:03 AM

Yeah, I cannot also see an obvious reason for breaking the real switch. Maybe promiscuous mode enabled for the whole vSwitch0, but not only for the Port Group?

I suspect that promiscuous mode should be enabled only for one port of vSwitch - the one where monitoring interface of cp-ngfw is connected (Virtual Maestro: Promiscuous mode - only enabled on QA port group in this example). Additional information from VMware Knowledge Base:

When promiscuous mode is enabled at the portgroup level, objects defined within that portgroup have the option of receiving all incoming traffic on the vSwitch. Interfaces and virtual machines within the portgroup will be able to see all traffic passing on the vSwitch, but all other portgroups within the same virtual switch do not.

I would connect vlan100 interface to a different vSwitch, just in case. Also I think it is not a good idea to connect monitoring interface of a firewall and the usual one to the same network.

0 Kudos
Vladimir
Champion
Champion
‎2017-12-15 07:18 AM
In response to AlekseiShelepov

You can define promiscuous mode either on the vSwitch or Port Group, but not on individual ports.

I would suggest moving the Monitor port to a different Port Group and not tagging VLANs on it.

What exactly are you trying to use the Monitor port for? 

0 Kudos
Alexander_Frolk
Explorer
‎2017-12-15 07:41 AM
In response to Vladimir

I understand that this scheme is not correct, but I can not understand why the interface with the monitor mode affects this problem.

Also, if I has only 1 gateway then issue does not occurs. When I run VM behind firs GW, my real network fall down.

What exactly are you trying to use the Monitor port for? 

I want to make SecCheckUP from ESXI network.

I'm preparing to conduct test at my customer, and I need to impement gateway with SPAN and sandblast appliance. As I cannot deploy sandlast on VM, I install 2 gateways, one of them sends files to cloud.

During the lab test I met with some problems, and decided to understand why they arise Smiley Happy

0 Kudos
Vladimir
Champion
Champion
‎2017-12-15 09:34 AM
In response to Alexander_Frolk

If the test at your customer will involve virtual appliances running on ESXi, as is in your lab,I suggest using dedicated NIC for the vSwitch and the Port Group used for Monitor port.

In your current environment, at least put it on a separate Port Group configured as promiscuous and remove promiscuous mode from the Port Group containing gateways interconnects.

"Also, if I has only 1 gateway then issue does not occurs. When I run VM behind firs GW, my real network fall down." - please expand on this, describe the switch make model and config (you may attach it) as well.

0 Kudos
AlekseiShelepov
Advisor
‎2017-12-15 07:42 AM
In response to Vladimir

Yes, exactly, thank you for the correction. I meant to put FW monitor interface in promiscuous port group and put other interfaces into a different normal port group. Like it was in the provided example.

But in that case monitor interface will also receive packets from vlan100 of the same vSwitch, I believe. Or maybe that is what Alexander Frolkin wanted to achieve.

I haven't configured this for quite a long time, so I'm interested myself now. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events