
Integration with Cisco ACI in unmanaged PBR mode

Hi CheckMates,

We're in the process of migrating from a traditional DC network to ACI, with a pair of ClusterXL HA CheckPoint SGs as the gateway. The SG is currently at R77, but we're also about to upgrade to R80.

We're about to move all gateways to the Cisco ACI (leaving only one logical sub-interface connecting the ACI leaves to the SG, as a requirement of PBR). On the SG there is going to be only one default route out.

As traffic is going to be entering and exiting on the same sub-interface, I just want to ask whether CheckPoint supports this "one-armed" topology. As far as I know, CheckPoint has an Anti-Spoofing feature; how does it affect the networks behind the sub-interface, as they will not be directly connected to the CheckPoint SG anymore?

Also, will changing interfaces affect the existing security rules? I know that Palo Alto is OK with this and Cisco ASA doesn't like it so much, but how does the CheckPoint SG act upon the firewall rules in response to a topology change?

Thanks heaps!

3 Replies

Re: Integration with Cisco ACI in unmanaged PBR mode

I believe this works, but it's definitely not best practice.
The rules should be mostly fine, though anything involving "Internet" as a destination should probably be changed to Any (applies to App Control rules).

Re: Integration with Cisco ACI in unmanaged PBR mode

Hi @PhoneBoy,
I don't see the reasons to change the "Internet" to only Any, as it could still be defined as Any with the exception to the corporate's internal addresses, couldn't it?
https://community.checkpoint.com/t5/Policy-Management/Properly-defining-the-Internet-within-a-securi...

Re: Integration with Cisco ACI in unmanaged PBR mode

That's another way to solve the issue.
Point is: you can't use Internet in your specific case.
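The thread turns on two topology-derived behaviours: the "Internet" destination object (anything not behind an interface whose topology is marked Internal) and anti-spoofing (an interface accepts only sources that its topology says can legitimately arrive on it). The script below is an added illustration, not Check Point code, and it models those two rules in a deliberately simplified way (a real gateway also considers the routing table and other object types, which are left out). It compares the traditional two-leg design with the one-armed sub-interface from the original post, marked either External or Internal, and shows why PhoneBoy says "Internet" cannot be used in this case while the "Any except the corporate address space" group proposed in the follow-up works in every configuration. The interface names, the 10.0.0.0/8 DC network and the 203.0.113.10 public address are constructed sample values.

```python
"""Simplified model of interface topology, the derived 'Internet' object and
anti-spoofing on a Check Point gateway. Added example, not vendor code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Union

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


def contains(networks: List[Net], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


@dataclass
class Interface:
    name: str
    external: bool                       # topology "External (leads out to the Internet)"
    behind: List[Net] = field(default_factory=list)  # "Internal, specific" networks behind it


@dataclass
class Gateway:
    interfaces: List[Interface]

    def internal_nets(self) -> List[Net]:
        return [n for i in self.interfaces if not i.external for n in i.behind]

    def is_internet(self, ip: str) -> bool:
        # Model of the derived 'Internet' object: any address not behind an Internal interface
        return not contains(self.internal_nets(), ip)

    def antispoof_accepts(self, iface_name: str, src_ip: str) -> bool:
        iface = next(i for i in self.interfaces if i.name == iface_name)
        if iface.external:
            # External leg: a source claiming an internal address is spoofed
            return not contains(self.internal_nets(), src_ip)
        # Internal leg: only the networks defined behind it may appear as source
        return contains(iface.behind, src_ip)


# The alternative from the thread: "Any" with the corporate address space excepted.
# RFC 1918 is used here as a stand-in for the corporate ranges (assumption).
CORPORATE = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def dest_matches(dest_obj: Union[str, List[Net]], dest_ip: str, gw: Gateway) -> bool:
    """dest_obj is the literal 'Internet' or a list of networks to negate."""
    if dest_obj == "Internet":
        return gw.is_internet(dest_ip)
    return not contains(dest_obj, dest_ip)


# Traditional DC: the DC networks sit behind an internal leg, one external leg goes out.
traditional = Gateway([
    Interface("eth1", external=False, behind=nets("10.0.0.0/8")),
    Interface("eth2", external=True),
])

# One-armed ACI PBR: a single sub-interface, only a default route out, two ways to mark it.
one_armed_external = Gateway([Interface("eth1.100", external=True)])
one_armed_internal = Gateway([Interface("eth1.100", external=False, behind=nets("10.0.0.0/8"))])

PUBLIC, DC_HOST = "203.0.113.10", "10.1.2.3"   # constructed sample addresses


def summary(gw: Gateway, iface: str) -> Dict[str, bool]:
    """What a rule with each destination object matches, and what anti-spoofing lets in."""
    return {
        "internet_rule_hits_public": dest_matches("Internet", PUBLIC, gw),
        "internet_rule_hits_dc": dest_matches("Internet", DC_HOST, gw),
        "negated_rule_hits_public": dest_matches(CORPORATE, PUBLIC, gw),
        "negated_rule_hits_dc": dest_matches(CORPORATE, DC_HOST, gw),
        "antispoof_accepts_dc_src": gw.antispoof_accepts(iface, DC_HOST),
        "antispoof_accepts_public_src": gw.antispoof_accepts(iface, PUBLIC),
    }


if __name__ == "__main__":
    for label, gw, iface in [("traditional", traditional, "eth1"),
                             ("one-armed, marked External", one_armed_external, "eth1.100"),
                             ("one-armed, marked Internal", one_armed_internal, "eth1.100")]:
        print(label)
        for k, v in summary(gw, iface).items():
            print(f"  {k:30s} {v}")
```

In the model, marking the single sub-interface External empties the internal topology, so an "Internet" rule also matches DC destinations (App Control rules would apply to east-west traffic); marking it Internal with the DC networks behind it makes anti-spoofing reject packets from public sources that now arrive on that same interface. The negated corporate group gives the same answer in all three layouts, which is what makes it the safer object for a one-armed gateway.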