kamilazat
Collaborator

Clarification Needed: Firewall Traffic Inspection Within the Same Subnet


I was testing TLS handshake inspection on custom ports and noticed an interesting behavior. Here's a summary of what I did and found:

  1. I configured two hosts, a Gateway (GW), and a Security Management Server (SMS), all within the same subnet.
  2. Created custom objects for various TLS and HTTPS protocols and pushed Drop rules.
  3. Set up a server using OpenSSL on Host 1 and attempted a connection from Host 2 via an arbitrary custom port.

Initially, the inspection didn't seem to function. This led me to suspect that the firewall might not be inspecting traffic directly exchanged between hosts on the same subnet. So I implemented forced routing on each host to route their inter-host traffic through the GW and it started working as expected. 


So I have some questions:

  1. Does Check Point firewall typically bypass inspection for traffic that doesn't pass through the firewall?
  2. In a scenario where one of the machines within a "Secure Network" (as defined in Network Management) initiates malicious activity, how can we ensure traffic inspection if it's not routed through the GW?
  3. Are there recommended practices or configurations in Check Point for ensuring traffic inspection within the same subnet, particularly for traffic that isn't naturally routed through the GW?

Any insights or recommendations on this matter would be greatly appreciated.


Thank you!

Accepted Solutions
Lloyd_Braun
Collaborator

The packets need to be sent through the firewall in some manner for it to perform inspection. Typically it is a layer 3 routing hop where the hosts are on different subnets. The firewall can potentially be positioned between hosts as a layer 2 hop, in bridge mode, if the hosts are on the same subnet.

the_rock
Legend

Put it this way...there is literally nothing for CP firewall to inspect (or any fw for that matter) if hosts are on the same subnet. As @Lloyd_Braun said, if it's layer 2, then it's more of a switch, not exactly a typical firewall. For firewall to do proper inspection, it would need to function on layer 3. As far as your question about the inspection if traffic does not pass through it, well, there is nothing to inspect in that instance. Btw, it's important to note it also depends how you configure threat prevention blades, because if it's in monitor mode, those protections won't really be active in such instance.

Best,

Andy

Bob_Zimmerman
Authority

There are other ways to force the firewall into the path between two endpoints on the same network block. Private VLANs with proxy ARP could let you insert a firewall in the path with no modifications to the endpoints. Changing the endpoints' net masks to 32-bit and routing everything through the firewall explicitly could also work, but would require changes on the endpoints.

But yes, the point is the firewall can only inspect traffic which goes in one of its interfaces (if all you want is detection, this could be done with a hub or span port). The firewall can only drop traffic which goes in one of its interfaces and which goes out one of its interfaces (they can be the same interface).

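A worked illustration of the routing decision the answers above turn on, added here as an example; it is not code from the thread or from Check Point, and the addresses (10.0.0.1 as the gateway, 10.0.0.10 and 10.0.0.20 as the two hosts) are constructed for the example. It models a host's routing table with longest-prefix match and shows why traffic to a peer on the same /24 never reaches the firewall, how the original poster's /32 host route via the gateway changes that, and how Bob_Zimmerman's /32-netmask variant gets the same result without the connected subnet. `linux_commands` returns the iproute2 commands that realise the host-route detour on a Linux host and the `ip route get` check that confirms the kernel's choice; it only returns the strings.

```python
import ipaddress

# Constructed lab addresses for illustration; the thread does not give real ones.
GW = "10.0.0.1"      # Check Point gateway's interface on the shared subnet
HOST1 = "10.0.0.10"  # runs the OpenSSL test server on a custom port
HOST2 = "10.0.0.20"  # runs the OpenSSL client


def next_hop(routes, dst):
    """Longest-prefix-match lookup over a host routing table.

    routes is a list of (prefix, gateway) pairs; gateway is None for an
    on-link (directly connected) prefix, otherwise the next-hop address.
    Returns None when dst is delivered directly on the link (the host ARPs
    for the peer itself), else the gateway the packet is handed to.
    """
    dst = ipaddress.ip_address(dst)
    best_len, best_gw = -1, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best_len, best_gw = net.prefixlen, gw
    if best_len < 0:
        raise ValueError(f"no route to {dst}")
    return best_gw


def traverses_gateway(routes, dst, gw=GW):
    """True only if the host hands dst traffic to the gateway, i.e. the
    firewall receives the packet on one of its interfaces and can inspect it."""
    return next_hop(routes, dst) == gw


# 1. Stock configuration: the /24 is on-link plus a default route. The peer
#    matches the connected /24, so frames go straight to it over the switch.
stock = [("10.0.0.0/24", None), ("0.0.0.0/0", GW)]

# 2. The original poster's fix: a /32 host route for the peer via the GW.
#    /32 wins longest-prefix match over /24, so the peer's traffic detours
#    through the firewall even though the peer is on the same subnet.
host_route = stock + [(f"{HOST2}/32", GW)]

# 3. Bob_Zimmerman's variant: a 32-bit netmask on the host, so nothing is
#    on-link except an explicit route to the gateway, then default via the GW.
slash32 = [(f"{GW}/32", None), ("0.0.0.0/0", GW)]


def linux_commands(peer, gw, dev="eth0"):
    """iproute2 commands for variant 2 on a Linux host, returned as strings.
    The second command prints the kernel's own lookup for the peer, which
    should now show 'via <gw>' rather than a direct on-link delivery."""
    return [
        f"ip route add {peer}/32 via {gw} dev {dev}",
        f"ip route get {peer}",
    ]


if __name__ == "__main__":
    for name, table in (("stock", stock), ("host_route", host_route), ("slash32", slash32)):
        print(f"{name:10s} HOST1 -> HOST2 passes the firewall: {traverses_gateway(table, HOST2)}")
    print("\n".join(linux_commands(HOST2, GW)))
```

Two practical caveats when reproducing the detour. The host route has to be installed on both hosts, as the original poster did; with it on the client only, the server's replies (ServerHello included) take the direct on-link path and the firewall sees one direction of the handshake. And because the gateway forwards the packet back out the interface it arrived on, a router that emits ICMP redirects to hosts that honour them (Linux accepts them by default; `net.ipv4.conf.all.accept_redirects=0` turns that off) can quietly reinstall the direct path, so `ip route get` is worth re-running after the first connection.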