This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tuannnnnnnnn
Participant
‎2019-11-09 04:03 PM

Integration with Cisco ACI in unmanaged PBR mode

Hi CheckMates,

We're in the process of migrating from a traditional DC network to ACI, with a pair of ClusterXL HA CheckPoint SG as the gateway. The SG is currently at R77, but we're also about to upgrade to R80.

We're about to move all gateway to the Cisco ACI (leaving only one logical sub-interface connecting the ACI leaves to the SG, as a requirement of PBR). On the SG there's gonna be only one default route out.

As traffic is gonna be entering and exiting on the same sub-interface, just want to ask if CheckPoint does support this "one-armed" topology? As far as I know, CheckPoint has an Anti-Spoofing feature - how does it affect the networks behind the sub-interface, as they will not be directly connected to the CheckPoint SG anymore?

Also, will changing interfaces affect the existing security rules? I know that Palo Alto is OK with this, Cisco ASA doesn't like that so much, but how does the CheckPoint SG act upon the firewall rules in response to topology change?

Thanks heaps!

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-11-10 04:46 PM

I believe this works, but it's definitely not best practice.
The rules should be mostly fine, though anything involving "Internet" as a destination should probably be changed to Any (applies to App Control rules).
0 Kudos
Tuannnnnnnnn
Participant
‎2019-11-10 05:26 PM
In response to PhoneBoy

Hi @PhoneBoy,
I don't see the reasons to change the "Internet" to only Any, as it could still be defined as Any with the exception to the corporate's internal addresses, couldn't it?
https://community.checkpoint.com/t5/Policy-Management/Properly-defining-the-Internet-within-a-securi...
0 Kudos
PhoneBoy
Admin
Admin
‎2019-11-11 02:28 PM
In response to Tuannnnnnnnn

That's another way to solve the issue.
Point is: you can't use Internet in your specific case.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events