This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bad_joojoo
Participant
‎2023-04-18 01:09 AM
Jump to solution

Gateway Topolgy - Internal, External or DMZ ?

Hi all,

 

Just looking at a scenario and asked a question around the correct "Topology" for interfaces connecting to other manufacturer firewalls. In this scenario, CP Gateway is the Internal firewall protecting the hosted Data Centres. There are links to other firewalls which provide ongoing connectivity to the varying customers networks, and links to similar with a DMZ hosting proxy services (Web, Email, etc).

My question is, should the interconnecting links be consider Internal, DMZ or External?

CP_Gateway_Topology.png

Cheers

Ju

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-04-20 04:03 PM
Jump to solution

External should used for interfaces that can be used to reach the Internet (i.e. it has the default route).
Which means your interface pointing towards the upper Palo (which has the Internet connected) should be marked as external.
The interface pointing towards the customer networks can be marked as a DMZ.

View solution in original post

(1)
4 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-04-18 06:52 PM
Jump to solution

When making these decisions it's important to understand what these settings influence as relevant to what controls the gateway is enforcing. Provided below are some of the relevant resources for review:

SmartConsole R81.20 Help - Understanding Topology 

sk108057: What does the box "Interface leads to DMZ" control in interface topology? 

sk108057: How to configure the Protected Scope in Anti-Virus Settings for file downloads 

sk64543: Topology and "Internet" object in Application and URL Filtering rule base 

sk102675: When using "Internet" object as destination in Application Control rule to block an applic... 

CCSM R77/R80/ELITE
(1)
the_rock
MVP Platinum
MVP Platinum
‎2023-04-18 07:42 PM
Jump to solution

To me, logically, I would say DMZ, based on your diagram. 

Best,
Andy
0 Kudos
(1)
PhoneBoy
Admin
Admin
‎2023-04-20 04:03 PM
Jump to solution

External should used for interfaces that can be used to reach the Internet (i.e. it has the default route).
Which means your interface pointing towards the upper Palo (which has the Internet connected) should be marked as external.
The interface pointing towards the customer networks can be marked as a DMZ.

(1)
bad_joojoo
Participant
‎2023-04-21 12:23 AM
In response to PhoneBoy
Jump to solution

Many thanks all for your replies, Kind Regards Ju

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events