This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Imad981
Explorer
‎2025-07-17 08:03 AM

Microsegmentation with Firewall Hardware

Hello Community ,

I need your help and suggestions .

Our client is adopting an SDN architecture, and we've proposed Checkpoint as a firewall that will perform microsegmentation in the fabric .
Let's assume a physical server hosting VMs at the hypervisor level connected to a leaf switch. How will we technically inspect inter-VM traffic, given that the proposed firewall is hardware-based? How can we achieve the same functionality as CloudGuard?
For information, the firewall is located in a service bridge domain, allowing it to operate within graph contract services. But we don't know how tu push the traffic outside , inspect and then back to the hypervisor to the VM at the destination .

Thanks for your help 

Imad

0 Kudos
3 Replies
Bob_Zimmerman
Authority
Authority
‎2025-07-17 09:14 AM

First, microsegmentation is a grave mistake. It's a maintenance nightmare and actively encourages people to build applications in ways which are extraordinarily difficult to reason confidently about when troubleshooting. I say this from extensive, painful experience.

If you are absolutely sure you want to wreck the datacenter, it's possible to do as long as your switches and your hypervisor platform support private VLANs. It could also be done with MPLS route distinguishers (I originally misspoke and said "descriptors") and route targets, but that's much more exotic, so you're less likely to find people who can support MPLS in this way. Give all of your VMs and physical endpoints (not the firewalls) a 32-bit (or 128-bit for IPv6) netmask and a gateway address. Give your firewalls the normal netmask. When endpoints try to go anywhere, the frame goes to the gateway's MAC. The gateway then filters it and sends it back out the same interface to the destination. The private VLANs or MPLS configuration enforce this traffic pattern, so a misconfigured VM or physical host can't talk to anything on its local network.

0 Kudos
Imad981
Explorer
‎2025-07-17 09:44 AM
In response to Bob_Zimmerman

Hello @Bob_Zimmerman , 

 

Thanks for your answer , but in this way can we enforce the traffic is routed out of the hypervisor (host ESXi for example) and into the hardware firewall?

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2025-07-18 10:22 AM
In response to Imad981

It depends on the hypervisor's capabilities. It needs to support private VLANs, MPLS-based flow control, or an analogous feature. I haven't followed ESX development in years, but it looks like they have at least some support for private VLANs.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events