This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Esteban_Cardona
Participant
‎2018-01-10 06:32 AM

Interfaces based Polcies to Zone based Policies

Hi,

We migrated from R77.30 to R80.10.

Before we bought Check Point, we had Juniper SSG and Juniper SRX, and of course we used to use policy based on zones and not on interfaces.

Now R80.10 give us the chance to come back to zone based policies, and my questions are:

- Do you recommend to migrate to interface based policies to zone based policies ? What are the main benefits ? 

- If yes, Why ? Will this new zoning approach better in  performance ?

- Did anyone make this migration before ?

Thank you,

Esteban

8 Replies
PhoneBoy
Admin
Admin
‎2018-01-10 08:04 AM

If you've already made the switch to non-zone policies, I don't see a huge benefit to switching back to zone-based policies.

Zone-based policies do have a couple of limitations:

  • NAT rules do not support use of Zone objects
  • You still need to configure anti-spoofing on your gateways

I believe both of these are planned to be addressed in later releases.

Esteban_Cardona
Participant
‎2018-01-10 09:15 AM
In response to PhoneBoy

Thank you very much for you answer Dameon !

Yes, I think that is a worthless effort make this change, but I thought that maybe exists some kind of performance explanation,

Thanks!

Esteban

0 Kudos
Timothy_Hall
Champion
Champion
‎2018-01-10 11:26 AM
In response to Esteban_Cardona

Hi Esteban,

I assume you are referring to gateway performance, both for throughput impact and policy evaluation. The short answer is that using Security Zones vs. using host/network/group objects doesn't make a noticeable difference in gateway performance, and I explicitly stated this in my book.  This is all based on my own research, and I'm sure if anything is incorrect someone from Check Point will be chiming in shortly.  🙂

Using Security Zones vs. network/host/group makes no difference as far as throughput performance. 

As far as policy evaluation overhead on the Firewall Worker cores, the Source and Destination Zone is always calculated for traffic anyway regardless of whether you are actually using Zone objects.  Security Zones also work just fine with SecureXL Accept Templates and the new Column-based policy matching.  I suppose if you have an extremely large group of objects in the source and/or destination of a policy layer rule Security Zones would provide a slight advantage as far as policy evaluation overhead, but even that potential gain is probably limited due to Column-based matching.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Esteban_Cardona
Participant
‎2018-01-10 12:40 PM
In response to Timothy_Hall

Thank you Tim !

Very clear explanation,

0 Kudos
Timothy_Hall
Champion
Champion
‎2018-01-10 03:11 PM
In response to Esteban_Cardona

Sure thing, the main motivation for use of Security Zones right now is policy simplification.  When they hopefully become available for use in NAT policies though that will be a big deal and make things a lot easier.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Daniel_Kavan
Advisor
‎2021-03-11 01:02 PM
In response to PhoneBoy

Hi,

I've seen a recommendation to use zones in the parent Inline layer.   Can you define new/customZones for a particular gateway? 

I'm trying to for example make a zone for a few email servers for smtp traffic for example.   My mail servers are in the internal zone, but why direct all smtp traffic to my internal zone to this inline rule?   As I'm tying this, I'm starting to convince myself I could have the destination as the internal zone, but it seems like such a large set.  I guess there is just the internal, DMZ and Intranet zones and you're limited to those.

Any other changes now, with Zones in R81?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-14 09:11 PM
In response to Daniel_Kavan

You can create custom zones, yes.
However, I believe you can only assign one zone per interface.
In R81, zones can be used in the NAT rulebase. 

0 Kudos
Hugo_vd_Kooij
Advisor
‎2018-01-11 01:07 AM

In my R80.10 lab I use Zones on my main policy and use sub policies for any combination of them. So there is a DMZ to DMZ policy and an Internet to DMZ policy, .....

Miracles happen while you wait. The impossible jobs take just a bit longer.