This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leon_Ja
Participant
‎2017-12-05 02:39 AM

Need some help on how to setup DMZ on CP5100 Cluster

I need some expert advice here. I'm new to Checkpoint Firewall. I have just purchased the appliance. I got it setup and running. Now I want to setup two different DMZ for our Web Servers and mail server for two different business partners. I would like to make it accessible from the Internet and also site to site vpn connection. I would like to ask for your guidance on how do I plan, configure and secure it I have been searching through Checkpoint Support website and Checkmate forums but found little information about it. So, your help would be very much appreciated.

                                     |

0 Kudos
8 Replies
Gaurav_Pandya
Advisor
‎2017-12-05 04:00 AM

Hi,

It will be good if you have 2 separate subnet for 2 DMZ. You can assign this to interfaces. Like below

DMZ A - Subnet A - Interface A

DMZ B - Subnet B - Interface B

Now you can achieve traffic flow/restriction through security policy.

Internet --> Subnet A --> https --> allow and vice versa

If you want to build site to site tunnel then you can build with specific subnet (Subnet A Or Subnet B)

Hope this helps.

0 Kudos
Leon_Ja
Participant
‎2017-12-05 04:12 AM
In response to Gaurav_Pandya

Thanks Gaurav,

I only have one physical interface available. That's why plan to to use sub-interface ETH3.1 for Subnet A and ETH3.2 for Subnet B. Is this achievable?

0 Kudos
Pedro_Espindola
Advisor
‎2017-12-05 04:31 AM
In response to Leon_Ja

You will treat the sub-interface the exact same way as a physical interface. Configure the VLANs on your Gaia Web Portal and set them as DMZs on the topology page of your GW. Configure your policy accordingly.

Zach_Rack
Contributor
‎2017-12-05 06:37 PM
In response to Pedro_Espindola

I agree with you Pedro 100%, he can  configure multiple VLANS on one physical interface,but the problem is sub interfaces or (multiple VLANS on one physical interfaces ) is not supported in case of the firewalls are deployed in cluster mode as the sk89980 indicate there.

0 Kudos
AlekseiShelepov
Advisor
‎2017-12-06 12:01 AM
In response to Zach_Rack

Secondary IP is not the same as VLAN interface. Please don't confuse other people.

It is written in the sk89980 provided by you:

If the physical machine does not have enough physical interfaces, then VLAN interfaces should be configured 
• Check Point supports up to 256 VLANs per physical interface
• Check Point supports up to 1024 VLAN per Security Gateway

Gaurav_Pandya
Advisor
‎2017-12-06 01:52 AM
In response to AlekseiShelepov

Hi,

Yes. You can achieve same thing with Sub-interface as Pedro suggested. It is easily configurable in GUI.

You need to make trunk port on Switch end.

Leon_Ja
Participant
‎2017-12-07 03:17 AM
In response to Gaurav_Pandya

Thanks all for your responses

0 Kudos
Zach_Rack
Contributor
‎2017-12-06 07:03 AM
In response to AlekseiShelepov

Yes you are 100% correct , and I apologize for wrongfully info I presented. I must understood the question in a different way.

Thank you for correcting me  in such a gentle way!!!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events