This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JordanHsu
Explorer
‎2023-09-14 09:02 PM

About SMB 1600 bridge mode

Hello Sirs, 

I've received a requirement where the current network architecture consists of an external firewall, CoreSwitch, LAN DHCP, and various devices such as PCs, ESXi servers, and other servers. During vulnerability scanning, it was discovered that certain ports on the internal servers are potential attack targets.

To enhance security and compliance, I'm considering adding a SMB CheckPoint firewall to the network and enabling IPS functionality without disrupting the existing network architecture. I've thought about using CP's Bridge Mode for this purpose, but I have some questions.

In my proposed architecture, I plan to make ESXi and problematic servers part of the Bridge Mode setup. Would it be possible to control traffic rules using this CheckPoint firewall? For instance, can I set up rules to restrict specific IP traffic through this configuration?

such as :

  1. Oracle Database Server Vulnerabilities (Port 0):

    • Restrict access to this port to specific IPs that need access.
    • Implement IP whitelisting for authorized connections.

  2. PCI DSS Compliance: Detected Remote Access Software (Ports 139 and 445):

    • Limit access to these ports to specific IP addresses (privileged computers) that require remote access.
    • Utilize IP whitelisting to control access.

  3. Oracle Database Vulnerabilities (Port 1521):

    • Apply IP restrictions to limit connections to this port.
    • Ensure that only relevant hosts (e.g., AP and CP) are allowed access.

  4. PCI DSS Compliance: Detected Remote Access Software (Ports 21 and 22):

    • Restrict access to these ports by specifying authorized IP addresses (privileged computers).
    • Employ IP whitelisting to enforce the restriction.

  5. Unsupported Linux Kernel Version Detected (Port 23):

    • Implement IP-based access control to this port.
    • Limit connections to privileged computers.

  6. SSL/TLS Vulnerabilities (Ports 443 and 8081):

    • Apply IP restrictions to these ports to allow access only to authorized IP addresses.
    • Consider disabling older SSL/TLS versions and weak cipher suites if feasible for security

 

 
 

圖01.jpg

 

 

Does it work?

Thanks kindly support 

0 Kudos
23 Replies
G_W_Albrecht
Legend
Legend
‎2023-09-14 10:30 PM

Read here: sk101371: Bridge Mode on Gaia OS and SecurePlatform OS

CCSE CCTE CCSM SMB Specialist
0 Kudos
JordanHsu
Explorer
‎2023-09-15 12:16 AM
In response to G_W_Albrecht

Hello Sir 

I just read the document, but I don't quite understand it

Regrettably I don't have physical machines in my company. 

Just want to make sure, in my architecture if i want to release 2 server under to Brige mode SMB FW1600 , does that function were make same of the traditional firewall as we know, to install policy setup the rule , Source ,Destination , VPN action ?

The purpose of this is to eliminate changes to the current architecture and to control traffic and IPS functions.

Thanks your time.

Jordan

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-09-15 12:40 AM
In response to JordanHsu

Legend:

  • G_W_Albrecht_0-1694763560480.png = Supported
  • G_W_Albrecht_2-1694763560473.png = Supported, but requires a software package, or limitations exist
  • G_W_Albrecht_3-1694763560534.png = Not supported
Software Blade /
Feature		 Supported in
Gateway mode?		 Supported in
VSX mode?
Firewall G_W_Albrecht_4-1694763560565.png

 

 G_W_Albrecht_5-1694763560476.png

 
CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-15 03:45 PM

You realize you can also run a virtual security gateway inside your ESXi environment, right?
Also, it's not clear how the traffic will flow here or be restricted to going through the bridge, or might flow through the bridge more than once.
Having traffic traverse the bridge more than once is not supported (i.e. double inspection).

0 Kudos
JordanHsu
Explorer
‎2023-09-18 06:27 PM
In response to PhoneBoy

Hello Sir, 

We have two ESXi virtual machines in our environment, and we need to implement IPS and security protection for the VMs within them. If we connect both ESXi hosts to a CheckPoint 1600 in Bridge mode, will the traffic flow be sufficient?

However , According to my CheckPoint distributor partner in Taiwan, the recommendation is to add an additional switch in this scenario. However, I don't fully understand the purpose of adding a switch without making changes to the network environment and IP settings. Additionally, I'm unsure about where this switch should be placed...:(

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-09-18 11:48 PM
In response to JordanHsu

Ask the CP TAC engineers !

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-19 06:15 AM
In response to JordanHsu

What is the physical connectivity between the ESXi server and the 1800 and how will that map to the VMs in question?
And why not run a Quantum Security Gateway as a VM instead?

0 Kudos
JordanHsu
Explorer
‎2023-09-20 02:18 AM
In response to PhoneBoy

Hello Sir, 

That is my new writed layout as below, 

If i don't want to change my current service IP address, where is the CP1600 good for this case

  2023-09-20_15-48-07.png

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-09-20 02:20 AM
In response to JordanHsu

Where is the CP1600 ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
JordanHsu
Explorer
‎2023-09-20 09:09 PM
In response to G_W_Albrecht

We are not deiced where is the locale of CP1600

As regarding of support team recommend 

I am really confuse why we need to added a new switch between the CoreSwitch  

2023-09-21_12-04-17.png

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-09-21 01:30 AM
In response to JordanHsu

This looks wrong, i see a loop !

CCSE CCTE CCSM SMB Specialist
0 Kudos
JordanHsu
Explorer
‎2023-09-21 01:50 AM
In response to G_W_Albrecht

How about that ? 

Could you please let me know why be setting to the loop ?

 

 

2023-09-21_12-04-17.png

0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2023-09-21 02:40 AM
In response to JordanHsu

Can you explain to us in detail what servers and its IP needs to be in the protected scope...like the direction of the connections?
Note that if the servers IP that's running on ESXi is in the same network segment, typically IPS would not be enforced in the first place, or can only protect a certain asset and not both at the same time.

0 Kudos
JordanHsu
Explorer
‎2023-09-21 03:02 AM
In response to Tom_Hinoue

Hello Sir, 

We would like to protected these VM segment of 192.168.2.X 

0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2023-09-21 03:17 AM
In response to JordanHsu

Are you referring to North-South traffic to different segments or, East-West traffic to protect traffic from/to servers in the same segment? 

<e.g.>
192.168.2.0 <-> 192.168.2.0     : do you want security inspection to be enforced on inbound/outbound traffic between servers in the same segment?

192.168.2.0 <-> 192.168.1.0     : Or between other networks that traverses through the core switch? or both patterns?

just to make things clear.

0 Kudos
JordanHsu
Explorer
‎2023-09-21 06:19 PM
In response to Tom_Hinoue

Hello Sir, 

We just to define and protect 192.168.2.X segment , Because we have going to vulnerability scan had 1433 port issue in that DB server. 

So we just to confirmed Intranet traffic, actually in customer layout that have set the policy on that outside firewall.

 All intranet segments can access 192.168.2.X

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-09-21 03:57 AM
In response to JordanHsu

What about this:

1600.png:

 

CCSE CCTE CCSM SMB Specialist
0 Kudos
JordanHsu
Explorer
‎2023-09-21 06:26 PM
In response to G_W_Albrecht

Hello Sir, 

According of your graphic your mean is that all ESXI to connected to new deploy switch DSV2 vswitch0 , 1 ? 

That is my our expectations, but we afraid will the traffic be insufficient.. does it cause a loop if I keep my layout ? Vswitch0 to core switch ?

Thanks

 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-09-21 11:05 PM
In response to JordanHsu

All traffic that has to be inspected must pass thru the 1600.

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-09-22 04:15 AM
In response to JordanHsu

we afraid will the traffic be insufficient - do you need more than 2,5 GB ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
JordanHsu
Explorer
‎2023-09-27 12:27 AM
In response to G_W_Albrecht

Unfortunately  , we encountered a failure after last week's testing. We have an Esxi host that, after migrating through a Vswitch, is unable to successfully obtain the Gateway. We suspect that the issue may be related to the Edge Switch, which might require a Layer 2 switch that can be configured as a trunk. It's worth noting that even though our company environment doesn't utilize VLANs for control, everything is currently operating on VLAN 1.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-28 11:02 AM
In response to JordanHsu

Even when you do not explicitly use VLANs, VLAN 1 always "exists" as it is the default LAN.

0 Kudos
JordanHsu
Explorer
‎2023-10-01 09:31 PM
In response to PhoneBoy

Is a Layer 2 Switch behind the firewall necessary? In CheckPoint, using Bridge mode,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events