Could someone point me to a design guide on implementing a Check Point security appliance behind an ASA firewall with FirePOWER services? Are there known limitations that one should be aware of?
Network design:
The purpose of the Check Point firewall is to provide a second layer of security for internal servers and also to control traffic from the LAN to the server farm and from the LAN to the internet.
A few things come to mind:
1. If you intend to use VPN functionality on Check Point:
2. Exclude the ASA DMZ network from Anti-Spoofing protection on the external interface of the Check Point gateway:
@Vladimir VPN will be set up on the ASA, and the external interface of the Check Point will be assigned a private IP address. NAT will also be configured on the ASA.
Some vendors recommend that a firewall behind another firewall be configured in layer 2 mode (bridge). Does this apply to Check Point?
My preferred architecture is to have layer 2 bridge in front of the addressable L3 device.
In your case, since the ASA is directly accessible from the Internet, it is easier to run DDoS against (unless there is additional filtering performed on the border routers).
If you have a firewall/IPS in transparent bridge on the edge, you can drop a lot of stuff before it hits the device that actually has to accept connections.
Site-to-site and remote access VPN are not supported on the ASA in transparent mode, so we cannot have the ASA in layer 2 bridge mode. To block unwanted traffic at the edge, as you rightly pointed out, we might explore the option of enabling the IOS zone-based firewall on the edge router.
Kindly correct me if I am wrong: from what I have gathered so far from the responses here, it's OK to have the ASA and Check Point in routed mode.
Thank you.
Absolutely. I've just recently deployed it in exactly the situation you are describing.
FYI: if the Check Point piece is a cluster, you may have to add static routes to the individual members' IPs pointing to the vIP of the cluster on the next-hop routers, if you want to make the individual members reachable. Alternatively, there is a kernel parameter fix that allows you to achieve the same. There is a thread in CheckMates regarding this issue, if you need to look it up.
Make sure the ASA is allowing the traffic listed in this SK: How to verify that Security Gateway and/or Security Management Server can access Check Point servers...