This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JasMan
Contributor
yesterday

Default Route and Blackhole Routing

H all,

I've a general question about a best practise for noobs 🙂

Some clients in our network try to communicate with RFC1918/private IP addresses, which subnets are not existing in our network.
Therefore, the traffic takes the default route to our perimeter gateway (CP 9000 Appliance) which forwards it to the ISP line.

I think it's not a big problem, but I don't like to see traffic with private IP addresses as destination on our WAN line.

What are your suggestions to block or reject the traffic before it enters the ISP line?
Is blackhole routing a good idea? I'm not sure if the priority of smaller routes for a subnet within the blackhole route is higher. I'm afraid to block any traffic by adding a blackhole route like 10.0.0.0/8.

 

 

0 Kudos
5 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
yesterday

I would look into why the rules are allowing the traffic out. If a private destination isn't in your network or at the other end of a VPN, you probably shouldn't have rules allowing traffic to it.

Routing should not be used for access control. Down that path lies incredible and lasting pain.

the_rock
MVP Diamond
MVP Diamond
yesterday

I totally second what Bob said. If you think about it logically, say even if routes are 100% right, say if rule said any any block, then nothing would work, except web ui to 443 (ONLY that port) and ssh, thats it.

Best,
Andy
0 Kudos
simonemantovani
Participant
5 hours ago

Also for me, I agree with Bob and The_Rock, if there is traffic for RDC1918 private IP addressses that doesn't exist in your network the best solution is to create a rule to block this traffic (put the rule in the right position, before the rule that permit traffic to Internet.

0 Kudos
Alex-
MVP Silver
MVP Silver
5 hours ago

There are different aspects to this question. The policy should indeed be correctly articulated.

However in a controlled and segmented network, a blackhole route for private ranges with their largest subnet mask can eliminate back and forth traffic which would be accepted by the policy but would cause unnecessary sessions and load on the NIC's.

Let's say you route from your core the default to the FW and on the FW 10.0.0.0/8 to the core instead of the discrete networks you use.

Now an application with misconfigured, hardcoded or incorrect values would talk not to 10.1.1.1 but to 10.2.1.1 which doesn't exist. If somehow this flow would be permitted in the rules, you would have a loop until the TTL stops the party. Multiply this by hundreds or thousands depending on the architecture and you use X% of your capacity in useless traffic.

Whenever we can, we use those blackhole routes and ensure the supernets or segments are routed towards the core or reside on direct VLAN for a more intentional, predictable routing.

On top of a sensible security policy, of course.

0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
31m ago
In response to Alex-

Or do it different: no default route to internet breakouts.  😉

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 24 Feb 2026 @ 04:30 PM (EST)

    Las Vegas: MDR/XMDR
    In-Person

    Wed 25 Feb 2026 @ 04:30 PM (MST)

    Tempe, AZ: MDR/MXDR
    CheckMates Events