This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Edovia
Participant
‎2018-05-18 01:09 AM

Check Point Firewall behind ASA Firewall

Could someone point me to a design guide on implementing Check point Security appliance behind ASA firewall with firepower services. Are there known limitations that one should be aware of?

Network design;

Dual firewall design

The purpose of the Check point firewall is to provide a second layer of security to internal servers and also control traffic from LAN to Server farm and LAN to internet.

6 Replies
Vladimir
Champion
Champion
‎2018-05-18 01:55 PM

Few things come to mind:

1. if you intend to use VPN functionality on Check Point:

 

2. Exclude ASA DMZ network from Anti-spoofing protection on external interface of the Check Point gateway:

John_Edovia
Participant
‎2018-05-18 02:28 PM
In response to Vladimir

@Vladimir VPN will be setup on the ASA and the external interface of check point will be assigned a private IP address. NAT will also be configured on the ASA.

Some vendors recommend that the firewall behind another firewall be configured in layer 2 mode(bridge). Does this apply to check point?

0 Kudos
Vladimir
Champion
Champion
‎2018-05-18 04:22 PM
In response to John_Edovia

My preferred architecture is to have layer 2 bridge in front of the addressable L3 device.

In your case,since ASA is directly accessible from the Internet, it is easier to run DDOS against (unless there is additional filtering performed on the border routers).

If you have a firewall/IPS in transparent bridge on the edge, you can drop a lot of stuff before it hits the device that actually has to accept connections.

0 Kudos
John_Edovia
Participant
‎2018-05-20 11:16 AM
In response to Vladimir

Site-to-site and remote access VPN is not supported on ASA in transparent mode, so we cannot have the ASA in layer 2 bridge mode. To block unwanted traffic at the edge as you rightly pointed out, we might explore the option of enabling IOS zone based firewall on the edge router.

Kindly correct me if I am wrong, from what I have gathered so far from the responses here, its OK to  have the ASA and Check Point in routed mode.

Thank you.

0 Kudos
Vladimir
Champion
Champion
‎2018-05-20 02:10 PM
In response to John_Edovia

Absolutely. I've just recently deployed it in exactly the situation you are describing.

FYI: if the Check Point piece is a cluster, you may have to add static routes to individual member's IPs pointing to the vIP of the cluster on next hop routers, if you want to make individual members reachable. Alternatively, there is a kernel parameter fix that allows you to achieve the same. There is a thread in CheckMates regarding this issue, if you'll have to look it up. 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-18 04:26 PM

Make sure the ASA is allowing the traffic listed in this SK: How to verify that Security Gateway and/or Security Management Server can access Check Point servers...