John_Edovia
Participant

Check Point Firewall behind ASA Firewall

Could someone point me to a design guide on implementing a Check Point Security appliance behind an ASA firewall with FirePOWER services? Are there known limitations that one should be aware of?

Network design:

Dual firewall design

The purpose of the Check point firewall is to provide a second layer of security to internal servers and also control traffic from LAN to Server farm and LAN to internet.

6 Replies
Vladimir
Champion

A few things come to mind:

1. If you intend to use VPN functionality on Check Point:

2. Exclude the ASA DMZ network from anti-spoofing protection on the external interface of the Check Point gateway:

John_Edovia
Participant

@Vladimir VPN will be set up on the ASA, and the external interface of the Check Point will be assigned a private IP address. NAT will also be configured on the ASA.

Some vendors recommend that a firewall behind another firewall be configured in layer 2 mode (bridge). Does this apply to Check Point?

Vladimir
Champion

My preferred architecture is to have a layer 2 bridge in front of the addressable L3 device.

In your case, since the ASA is directly accessible from the Internet, it is easier to run DDoS against (unless there is additional filtering performed on the border routers).

If you have a firewall/IPS in transparent bridge mode on the edge, you can drop a lot of stuff before it hits the device that actually has to accept connections.

John_Edovia
Participant

Site-to-site and remote access VPN are not supported on the ASA in transparent mode, so we cannot have the ASA in layer 2 bridge mode. To block unwanted traffic at the edge, as you rightly pointed out, we might explore the option of enabling the IOS zone-based firewall on the edge router.

Kindly correct me if I am wrong: from what I have gathered so far from the responses here, it's OK to have the ASA and Check Point in routed mode.

Thank you.

Vladimir
Champion

Absolutely. I've just recently deployed it in exactly the situation you are describing.

FYI: if the Check Point piece is a cluster, you may have to add static routes to the individual members' IPs pointing to the vIP of the cluster on the next-hop routers, if you want to make the individual members reachable. Alternatively, there is a kernel parameter fix that allows you to achieve the same. There is a thread in CheckMates regarding this issue, if you have to look it up.

PhoneBoy
Admin
