This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ShlomiA
Explorer
‎2020-10-11 09:09 AM
Jump to solution

Policies per Incoming & Outgoing interface?

Hi, I'm not sure I'm 100% understanding what I actually want, But I used to work with Fortigate all the time and I'm missing that feature in Checkpoint or I just don't understand how to accomplish that.

In fortigate, I can configure the Incoming interface and Outgoing interface for a specific policy.

So when ever I configure a new interface, I have to add a specific policy for it to have network between other interfaces.

Now, on my checkpoint firewall ( x2 5100 ClusterXL ) I have 5 interfaces:

1. Mgmt - Management Interface - 192.168.1.0/24

2. eth1 - External Interface

3. eth2 - DMZ Interface - 192.168.2.0/24

4. eth3 - LAN Interface - 192.168.3.0/24

5. eth5 - Sync Interface - 192.168.4.0/24

For example, Let's take DMZ Interface:

I would like to allow all outbound traffic from DMZ to WAN but if I configure:

Source: DMZ ( network address pool )

Destination: All_Internet

Action: Accept

It will work but he will also have network to the other interfaces.

When I check the logs, I can see it's communicating the other interfaces through the "All_Internet" policy even though I want it to allow only WAN traffic..

Sorry for the lack of knowledge.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-10-11 09:19 AM
Jump to solution

First of all there is only one access policy that applies to all interfaces.
You just have to make your policy more specific.

If you look at the All_Internet object you will notice it is a range object that says 0.0.0.0-255.255.255.255.
Which means it will allow access to any IP regardless of interface.

What you want to use instead is the object Internet (I believe) which corresponds to the Zone assigned to your external interface.
You can confirm this by looking at the interface definitions on the gateway object and see what Zone that is assigned to your external interface.

In any case, you can assign arbitrary Zones to each interface and use that in your Access Policy.
You will not be able to use them in your NAT policy, however, which is planned for R81.

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2020-10-11 09:19 AM
Jump to solution

First of all there is only one access policy that applies to all interfaces.
You just have to make your policy more specific.

If you look at the All_Internet object you will notice it is a range object that says 0.0.0.0-255.255.255.255.
Which means it will allow access to any IP regardless of interface.

What you want to use instead is the object Internet (I believe) which corresponds to the Zone assigned to your external interface.
You can confirm this by looking at the interface definitions on the gateway object and see what Zone that is assigned to your external interface.

In any case, you can assign arbitrary Zones to each interface and use that in your Access Policy.
You will not be able to use them in your NAT policy, however, which is planned for R81.

ShlomiA
Explorer
‎2020-10-11 09:38 AM
In response to PhoneBoy
Jump to solution

I can understand that.

Thank you!

0 Kudos
ShlomiA
Explorer
‎2020-10-12 04:55 AM
In response to PhoneBoy
Jump to solution

Hi, Can you please tell me where in my policy I need to put the "Zone" object?

These are the columns I have:

TlvAJNF

So lets say I have a network object for my DMZ vLAN:

192.168.2.0 - 255.255.255.0

and I want to allow some traffic to another interface ( Zone ), Do I put the zone object & vLAN object in "Source" column?

Thanks

0 Kudos
ShlomiA
Explorer
‎2020-10-12 07:30 AM
In response to ShlomiA
Jump to solution

Can you please tell me if that example is good?

testpolicy.png

What I'm trying to accomplish is:

Allow traffic from NS1 ( in DMZ interface ) to UniProdDC1 ( in LAN interface ) with DNS protocol only.

Allow traffic from NS1 ( in DMZ interface ) to WAN interface with http/https ( to allow internet ).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events