Kevin_Orrison
Collaborator

External Interface - Internal Only Firewall

I am in the process of setting up some firewalls to segment different parts of my network. I'm curious how some of you configure the external interface in this case. These firewalls will be internal only, no direct connection to an ISP, and no public IPs. Just use a private IP space then NAT it at the edge gateway? Then define as external in topology for address spoofing? Seems like it should be easier than this. Let me know how you solve this.

0 Kudos
5 Replies
HeikoAnkenbrand
Champion

You describe the solution yourself?

That's exactly how I'd do it.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
AlekseiShelepov
Advisor

It is required for the anti-spoofing feature in your case and can sometimes be handy in other cases, for example to hide all traffic behind the external gateway IP with one checkbox.

Internal interface would mean that you have only specific networks behind it:

  • Network defined by the interface IP and Net Mask - There is only one network that connects to this internal interface.
  • Specific - There is more than one network that connects to this internal interface, select a group.

External interface - all other networks, not defined as internal ones or Sync.

Of course you can disable anti-spoofing altogether and not think about it, which I would strongly not recommend.

In my opinion, this is how to choose an external interface in this case: it leads in the direction of the internet connection (default route); all protected networks which you can define (for example networks with some specific servers) are behind other (internal) interfaces; and in that direction there are many networks which cannot be easily defined and are not part of the protected scope of this gateway.

0 Kudos
Danny
Champion

External doesn't mean the interface that directly connects to the ISP router, it describes the network segment your traffic passes to reach (even indirectly) public or other untrusted networks. Often this is the interface that connects to the default gateway of your firewall.

Anti-Spoofing is a sanity-check on what interfaces packets are coming from and what interfaces they should be going to.

Some Check Point features need to know which interfaces are Internet-facing (External) in order to activate protections. An example is 'Interface leads to DMZ'.

0 Kudos
Kevin_Orrison
Collaborator

I want to ask a similar question. I am setting up another internal-only firewall. In this case, I have limited connections. Would it be possible to combine the management, internal, and external interfaces into one interface? They would all lead to the same place anyway. All would go to the next-hop router, then somewhere inside or outside. Can someone help me run through whether this will work and the possible pitfalls, such as anti-spoofing?

0 Kudos
PhoneBoy
Admin

If everything is going in and out one interface (and it's not a VLANed interface), how can you be sure all of the necessary traffic will actually go through the gateway?
I mean, yeah, you can set it up that way (just set the interface as External and possibly disable Anti-Spoofing).
0 Kudos
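To make the topology rules in this thread concrete, here is a small simulator of the anti-spoofing sanity check that AlekseiShelepov and Danny describe (internal interfaces have explicitly defined networks behind them; the external interface is "everything else") and of the single-interface pitfall PhoneBoy raises. This is an added example written for this thread, not Check Point code; the interface names (`eth0`, `eth1`, `eth2`), the address ranges and the `Interface`/`Topology` classes are constructed for illustration.

```python
"""Toy model of interface topology and anti-spoofing for a firewall.

Constructed for illustration of the thread above; not Check Point code.
Interface names and address ranges are made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    name: str
    kind: str                                      # "internal" or "external"
    networks: list = field(default_factory=list)   # networks behind an internal interface
    # One entry models "Network defined by the interface IP and Net Mask";
    # several entries model "Specific" (a group of networks).


class Topology:
    def __init__(self, interfaces, anti_spoofing=True):
        self.interfaces = {i.name: i for i in interfaces}
        self.anti_spoofing = anti_spoofing

    def expected_interfaces(self, src):
        """Interfaces on which a packet from source `src` is legitimately expected.

        A source that falls inside a network defined behind an internal
        interface must arrive on that interface.  Any other source is, by
        definition, "external" and is expected on the external interface(s).
        """
        src = ip_address(src)
        hits = [i.name for i in self.interfaces.values()
                if i.kind == "internal" and any(src in n for n in i.networks)]
        if hits:
            return hits
        return [i.name for i in self.interfaces.values() if i.kind == "external"]

    def check(self, ingress, src):
        """Return (verdict, reason) for a packet from `src` arriving on `ingress`."""
        if ingress not in self.interfaces:
            raise KeyError(f"unknown interface {ingress}")
        if not self.anti_spoofing:
            # Disabling anti-spoofing removes the topology sanity check entirely.
            return "accept", "anti-spoofing disabled: no topology check performed"
        expected = self.expected_interfaces(src)
        if ingress in expected:
            return "accept", f"{src} is expected on {ingress}"
        return "drop", f"spoofed: {src} belongs on {expected}, arrived on {ingress}"


def segmented():
    """Internal-only gateway with private space on every side (constructed).

    eth0 is the external interface: it points at the next-hop router toward the
    edge gateway that does the NAT; everything not defined behind eth1/eth2 is
    treated as external.
    """
    return Topology([
        Interface("eth0", "external"),
        Interface("eth1", "internal", [ip_network("10.10.0.0/24")]),
        Interface("eth2", "internal", [ip_network("10.20.0.0/24"),
                                       ip_network("10.21.0.0/24")]),
    ])


def single_interface():
    """Management, internal and external collapsed onto one external interface."""
    return Topology([Interface("eth0", "external")])


def run_demo():
    """Run a few constructed packets through both topologies; returns the verdicts."""
    segm, one = segmented(), single_interface()
    cases = {
        "segmented: 10.10.0.5 on eth1": segm.check("eth1", "10.10.0.5"),
        "segmented: 10.10.0.5 on eth0": segm.check("eth0", "10.10.0.5"),   # internal addr from outside
        "segmented: 192.0.2.10 on eth0": segm.check("eth0", "192.0.2.10"),
        "segmented: 10.10.0.5 on eth2": segm.check("eth2", "10.10.0.5"),   # wrong internal leg
        # With one interface there are no internal networks to contrast with,
        # so every source is "expected" and anti-spoofing has nothing to catch.
        "single: 10.10.0.5 on eth0": one.check("eth0", "10.10.0.5"),
    }
    for name, (verdict, reason) in cases.items():
        print(f"{name:32} -> {verdict:6} ({reason})")
    return cases


if __name__ == "__main__":
    run_demo()
```

The `segmented()` topology shows why the external interface still matters on an internal-only gateway: a packet with a 10.10.0.0/24 source arriving on `eth0` is dropped as spoofed even though `eth0` never touches an ISP. The `single_interface()` topology shows the other point in the thread: once everything rides one external interface there is no second leg to compare against, so anti-spoofing accepts every source and enabling it buys nothing.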
