This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2017-10-19 02:04 AM

Firewall management

I have inherited an environment with 3 firewall managers and several gateway clusters.

The gateway ip addresses defined for management (gateway objects’s ips) are cluster type/network objective.

I am planning to change this configuration and manage the gateway using “non monitored private” interfaces.

To do that  I  also need to create a new ip for the firewall manager.  So basically I will create a new network/vlan for firewall management where I will attach firewall gateways and firewall managers.

The current firewall manager have two interfaces and it reaches firewall gateways through both interfaces, so it presents different ips to different gateways.

We don’t have implied rules for the management traffic. Global propierties -> Firewall -> Accept control connections is disabled. Therefore we have explicit rules with the firewall manager and firewall gateways objects.

We also have implied rules for “Outgoing packets generated from the firewall gateway”.

I have checked the logs to analyze the firewall manager and I have seen that the two of the firewall manager ips match the explicit rule for traffic management. I am wondering why. Is it expected?

I would have expected to see matches only from the ip configured in the firewall manager object.

The firewall manager license is linked to the old firewall manager ip. Does it need the firewall management ip to be the same as the licensed ip? Or is it only required to have the license ip configured as a network interface?

I was thinking of configuring new explicit rules for the new firewall gateways and new firewall managers. I guess that it won’t hurt anyway. But it looks like it wouldn’t be needed as we have a implicit rule for firewall gateway’s outgoing packets and it looks like the firewall manager object contains all the firewall manager ips.

In terms of the SIC, I don't need to be worried about it as SIC doesn't care about ips, correct?

Finally, I was wondering what the purpose of the firewall manager ip is.  I can think of two:

  • To be used in the implicit rules for traffic management
  • To sync with the other firewall manager in a HA firewall manager architecture.

Am I missing something?

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2017-10-19 07:16 AM

On a multi-homed system, the OS will determine which IP the connection will come from.

Since you have multiple interfaces, it will depend on the routing table. 

This is expected.

The licensed IP only needs to match the IP of one of the interfaces, it doesn't matter which.

SIC is based on certificates, not on IP address.

The management IP address is used when the gateway needs to initiate communication in specific circumstances (e.g. fetch policy), and would factor into implied rules.

0 Kudos
Hugo_vd_Kooij
Advisor
‎2017-10-19 11:56 PM
In response to PhoneBoy

Please note that if the interface is NOT up your license might not work. (it is accept it's just no good to you 😉

Not sure if R80 is still this strict but I have seen that fail a lot of times when people use a dummy interface during migration because they didn't move the IP address of the license before they started the migration. 

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Luis_Miguel_Mig
Advisor
‎2017-10-20 02:20 AM
In response to Hugo_vd_Kooij

I was wondering if configuring the licensed ip at the loopback interface would be a good practice. But I guess that the firewall manager interfaces are not redundant most of the times and they just need to be up, so not a big deal

0 Kudos
Luis_Miguel_Mig
Advisor
‎2017-10-19 07:35 AM

Thank you very much Dameon.

There is only one question that I like to dig in a bit more. So the routing table will define the source ip address, however what about the rules. I saw in the firewall logs that the rule defined for traffic management was hit by not only the ip address defined in the firewall manager object but also by the second ip configured in the second interface.

So it seems that there is some sort of logic that would allow any ip interface configured in the firewall manager. Is it correct?

0 Kudos
PhoneBoy
Admin
Admin
‎2017-10-19 08:26 AM
In response to Luis_Miguel_Mig

Yes, that's correct.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events