LCarrau808 (Explorer)

Same interface for inbound and outbound internal traffic

Hello,

I want to perform Access Control and Threat Prevention between the local networks.

Description:

All networks are connected to a router, which will detour all traffic to the Security Gateway, even when the destination is directly attached. For the Security Gateway, the inbound and outbound interface is the same for all packets, but there is no asymmetric routing.

Questions:

Will the Threat Prevention and Firewall Blades work without issues in this scenario/layout?

Will the SG send an ICMP Redirect message to the router?

Thanks

Lanello


_Val_ (Admin)

Not a good idea. Use Bridge mode instead or IP forwarding in a normal mode.


LCarrau808 (Explorer)

Hello

Bridge Mode can get a little bit complicated.

The Check Point would be at the side instead of Man-In-The-Middle (check the drawing).

[Layout.png]

It is a ClusterXL with 6 VSX. Two of them are perimeter firewalls, but I want to perform IPS between the local networks.

I know I can connect the networks directly to the Check Point and get rid of the router, but I still want to have it around.

Thanks for your help.

Lanello


vinceneil666 (Advisor)

Hi, as stated before.. not a good idea. 🙂

It's like a firewall-on-a-stick setup, and I would guess that you will need to spend some time to get the routing set up and working. But yeah, sure, I can't see that it won't work.

I have had setups where you had a main VRF with several 'child' VRFs, connecting the firewall to the main VRF and providing access between the 'childs' on the SG. This can be compared to what you are asking.

Regarding the question on 'ICMP redirects' vs. 'all networks connected to a router': that gives me a confused picture of how you are planning to actually set this up.. are there to be several networks/subnets? If you have e.g. 2 client subnets and a subnet where the SG is to be placed, the packet flow will be pretty regular, just entering and leaving on the same interface.

But all in all, not a good idea.


LCarrau808 (Explorer)

Your example with the VRF is exactly the same as what I want to do.

The routing part is already solved with a forced unconditional next-hop leading the packets to the firewall, and the default route for the SG is the core router again (that's the plan).

Yes, there is a separate subnet for the communication between the SG and the router.

If the VRF scenario is working for you, I can see the light at the end of the tunnel.

But you still say it is not a good idea...

Do you have inter-VRF traffic that passes through the SG?

vinceneil666 (Advisor)

Hi, ok - well. It depends on your design. For me the main thing was to have separation between the VRFs, but due to 'stuff' I had to allow some traffic to pass between them, and thus getting the setup I was referring to. Worked fine..

It pretty much comes down to the network design. For me it added a bit of extra management, just to get people to understand the design. And troubleshooting got a bit more tedious.. NAT would probably be a bit 'interesting'.. Voice, QoS, as an example, I have no idea. You have to take into consideration how you build the policy set, working with zones etc..

But in general, basic firewall functionality was fine.

Maarten_Sjouw (Champion)

In your configuration all traffic between VLANs can easily be routed through the FWs when you use the FWs as their default gateways.
Traffic between devices in the same LAN will never work, as both devices will always directly address the other device in the same LAN. Redirecting this to the FW is not only a bad idea but also very hard to do.
Regards, Maarten

lcarrau (Explorer)

Thanks for your comment @Maarten_Sjouw!

I will desist. The common sentence in the comments of all of you is "This is a bad idea".

Anyway, I will test the scenario in a lab and let you know.

Thanks guys!

PS:

Redirecting the traffic is very easy.

A policy-based route overrides the general routing table, setting the "default-nexthop" to the firewall.

I have tested this step already without issues.


Lanello

Maarten_Sjouw (Champion)

I'm sorry for that typo..
Are all systems in that VLAN capable of setting that policy route?
The only other method I can think of is setting the IP to a /32 and setting the default gateway, but normally those types of config are not accepted by most OSs.
Regards, Maarten

lcarrau (Explorer)

I don't need to inspect traffic between the hosts on the same network.

Only the inter-subnet traffic.
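As an added illustration (this is not code from the thread, from Check Point, or from any participant), the following Python model captures the layout the thread converges on: a core router whose policy-based route forces every packet arriving from a LAN to the Security Gateway (SG) as unconditional next-hop, an SG with a single transit interface and a default route back to the router, and hosts that reach same-LAN peers directly without their gateway. The addressing, the interface names and the PBR semantics are assumptions chosen to mirror the description. The redirect flag implements only the host-redirect condition of RFC 1812 section 5.2.7.2 (same ingress and egress interface, and the packet's source address on the same subnet as the next-hop); it is a model of the RFC rule, not a statement of what Gaia does. The second run shows the failure mode the thread warns about: if the PBR rule is applied to only one LAN interface, the return path bypasses the SG and the stateful blades see only half of each connection.

```python
"""Model of the 'firewall on a stick' layout from the thread (added example).

Addressing, interface names and PBR semantics are assumptions, not taken
from the thread or from any Check Point documentation.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

IPv4 = ipaddress.IPv4Address

LANS = {                                           # constructed client subnets
    "lanA": ipaddress.ip_network("10.1.0.0/24"),
    "lanB": ipaddress.ip_network("10.2.0.0/24"),
}
TRANSIT = ipaddress.ip_network("10.255.0.0/29")    # constructed router <-> SG link
ROUTER_TRANSIT_IP = IPv4("10.255.0.1")
SG_TRANSIT_IP = IPv4("10.255.0.2")
ALL_LANS: FrozenSet[str] = frozenset(LANS)


@dataclass(frozen=True)
class Hop:
    node: str                 # "router" or "sg"
    in_iface: str
    out_iface: str
    next_hop: Optional[IPv4]  # None = destination directly connected, deliver
    redirect: bool = False    # RFC 1812 5.2.7.2 host-redirect condition met?


def iface_for(ip: IPv4) -> Optional[str]:
    for name, net in LANS.items():
        if ip in net:
            return name
    return "transit" if ip in TRANSIT else None


def router_forward(dst: IPv4, in_iface: str, pbr_ifaces: FrozenSet[str]) -> Hop:
    """Core router. On interfaces carrying the PBR rule the next-hop is always
    the SG, even when dst is directly attached. Packets coming back from the
    SG on 'transit' follow the normal routing table."""
    if in_iface in pbr_ifaces:
        return Hop("router", in_iface, "transit", SG_TRANSIT_IP)
    out = iface_for(dst)
    if out is None:
        raise ValueError(f"no route to {dst}")
    return Hop("router", in_iface, out, None)


def sg_forward(src: IPv4, dst: IPv4, in_iface: str) -> Hop:
    """SG with one transit interface and a default route via the router.
    RFC 1812 permits a host redirect only if the packet leaves on the
    interface it arrived on AND src is on the same subnet as the next-hop."""
    next_hop = None if dst in TRANSIT else ROUTER_TRANSIT_IP
    redirect = in_iface == "transit" and next_hop is not None and src in TRANSIT
    return Hop("sg", in_iface, "transit", next_hop, redirect)


def trace(src: IPv4, dst: IPv4, pbr_ifaces: FrozenSet[str] = ALL_LANS) -> List[Hop]:
    """Hops a packet takes. Same-LAN traffic returns [] because the sending
    host resolves dst with ARP and never uses its gateway."""
    src_if, dst_if = iface_for(src), iface_for(dst)
    if src_if is None or dst_if is None:
        raise ValueError("src and dst must be in a known network")
    if src_if == dst_if:
        return []
    hops: List[Hop] = []
    node, in_iface = "router", src_if
    for _ in range(8):                              # guard against a PBR loop
        hop = (router_forward(dst, in_iface, pbr_ifaces) if node == "router"
               else sg_forward(src, dst, in_iface))
        hops.append(hop)
        if hop.next_hop is None:
            return hops
        node = "sg" if hop.next_hop == SG_TRANSIT_IP else "router"
        in_iface = "transit"
    raise RuntimeError("routing loop: PBR must not apply to the transit interface")


def inspected(hops: List[Hop]) -> bool:
    return any(h.node == "sg" for h in hops)


def check_flow(src: IPv4, dst: IPv4, pbr_ifaces: FrozenSet[str] = ALL_LANS) -> dict:
    """Stateful blades need both directions of a connection: confirm the SG
    sees the forward and the return path, and whether a redirect could fire."""
    fwd, ret = trace(src, dst, pbr_ifaces), trace(dst, src, pbr_ifaces)
    return {
        "forward_inspected": inspected(fwd),
        "return_inspected": inspected(ret),
        "symmetric": inspected(fwd) == inspected(ret),
        "sg_hairpin": all(h.in_iface == h.out_iface for h in fwd + ret if h.node == "sg"),
        "redirect_possible": any(h.redirect for h in fwd + ret),
    }


if __name__ == "__main__":
    a, b = IPv4("10.1.0.10"), IPv4("10.2.0.20")
    print("inter-VLAN, PBR on both LANs :", check_flow(a, b))
    print("inter-VLAN, PBR only on lanA :", check_flow(a, b, frozenset({"lanA"})))
    print("same VLAN, hops seen by router/SG:", trace(a, IPv4("10.1.0.11")))
```

With PBR on both LAN interfaces the model reports both directions inspected, the SG hairpinning on its transit interface, and no redirect, because the client source addresses are never on the transit subnet; only a source sitting on the transit subnet itself would satisfy the RFC 1812 condition. With PBR on one LAN only, `symmetric` is False, which is the asymmetric-routing case that breaks stateful inspection and must be checked on every LAN interface before trusting the lab result.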