This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gaetano_Nicosia
Participant
‎2020-01-28 06:28 AM

Intervlan

Hi to all,

On my cp730 firewall I created some vlan, for example 201, 202,203 etc.

I need to configure vlan 202 so that it only sees itself and cannot see the others vLan.

Can you suggest me a way?

Thank You and Best Regards

Gaetano

0 Kudos
8 Replies
Maarten_Sjouw
Champion
Champion
‎2020-01-28 06:47 AM

just setup a block rule for the network connected on VLAN 202 to drop/reject all traffic to the other networks configured on VLAN 201 and 203
Regards, Maarten
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-01-28 06:50 AM

How could that be ? VLAN is used to separate Ethernet packets coming from the same IP/IF by tagging. Switches see the VLAN tags, but a VLAN can really see nothing...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Gaetano_Nicosia
Participant
‎2020-01-29 06:11 AM
In response to G_W_Albrecht

Hi to All and thank You for feedback.

I will try to explain the problem better.

  1. I configured LAN3 on the Firewall as network, assigning it IP 192.168.201.254 and enabling the DHCP;
  2. On LAN3 I created two VLANs, the first 202 (192.168.202.254 and DHCP enabled) and the second 203 (192.168.203.254 and DHCP enabled).
  3. A POE switch is connected to this LAN and correctly takes an IP from the firewall; for example 192.168.201.1. Obviously on the switch was Tagged the port that connects to the Firewall.
  4. I connected two Access Points to ports 1 and 2 (tagged) of the switch; the two access points also take an IP from the firewall, for example 192.168.201.2 and 192.168.201.3.
  5. On each Access Point, I configured two SSIDs. I assigned the VLAN 202 to the first (WiFi-Mag) and the VLAN 203 to the second (WiFi-Guest).
  6. I connect successfully from a notebook or a mobile to each Wifi network. The IP assigned to the mobile device are respectively 192.168.202.xxx or 192.168.203.xxx
  7. The same vlan are configured on the switch.

And this is where the problematic part comes.

It's all right for the lan 202, but I need that the WiFi-guest 203 have only access to Internet and no browsing on the corporate network formed by 202 and other VLAN's configured on ports 1 and 2 of the firewall.

I hope I have been clearer and that someone can give me some indications.

Thank You and Best Regards

Gaetano

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-01-29 06:27 AM
In response to Gaetano_Nicosia

I do not understand the question - if 192.168.203.xxx is not allowed to connect to the internal networks, why not make a rule to drop that traffic ? This is a firewall, after all 8)...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Gaetano_Nicosia
Participant
‎2020-01-29 07:19 AM
In response to G_W_Albrecht

Hi Albrecht,

This is exactly the point.

I am unfamiliar with this firewall (I approach for a short time to Check Point) and I ask for help to understand where and how to create this rule.

Otherwise where I can find a tutorial that will help me.

Gaetano

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-01-29 10:07 AM
In response to Gaetano_Nicosia

Have a look at the howto video's
https://community.checkpoint.com/t5/How-To-Videos/bd-p/howto
Just make one thing very clear, a firewall will only allow traffic that you tell it to allow.
Regards, Maarten
0 Kudos
Gaetano_Nicosia
Participant
‎2020-01-29 10:57 PM
In response to Maarten_Sjouw

Thanks for the feedback, I will see the videos that will surely help me.

As this is a community, I provide the solution sent to me by Check Points technical assistance.

Could help other friends.

From Policy rule, "Incoming, internal and VPN" section create a rule with

  • Source: the vLAN that has only access to Internet
  • Destination: LAN network
  • Action: Block

That's all, very very simple.😀

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-01-30 12:44 AM
In response to Gaetano_Nicosia

Why not just read the documentation that explains this and much, much more  ? CP_R77.20.80_1100_1200R_1400_Appliance_LocalAdminGuide

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events