This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have one, create one now for free!
ham2065
Explorer
‎2022-05-23 09:30 PM

External Topology and Addressing

Hi 

 

We have an ARIN assigned  /24 public range. The physical topology of external internet link is the typical ISP <> External Router <> Layer2 Switches <> Checkpoint ClusterXL. 

 

Is it best to use /24 for addressing the external Checkpoint ClusterXL interfaces/VIP or use a smaller /28 or /29 for addressing the external Checkpoint ClusterXL interfaces and then route the /24 range on the External Router to the Checkpoint ClusterXL VIP interface?

I know both will work but wanted to get some feedback on best practices and security considerations. Note - we also have DDoS protection/scubbing on the /24 range. As a result is it safer to use the first option?

 

 

0 Kudos
3 Replies
_Val_
Admin
Admin
‎2022-05-24 04:42 AM

Usually, external routable IPs are scares and expensive, so people are trying to be as economical as possible when defining the external subnet. But if you have /24, knock yourself out and have a party 🙂

From where I stand, these settings are not related to security but to networking.

0 Kudos
Chris_Atkinson
Employee
Employee
‎2022-05-24 05:03 AM

Either way but routing the addresses towards the firewall and removing a reliance on proxy-arp gets my vote.

Also since you raised the DDoS topic you may opt only to route the used addresses and send the others to Null.

0 Kudos
Sorin_Gogean
Advisor
‎2022-05-24 01:01 PM

My 2cents,

Even if an /24 sounds BIG, you will soon exhaust it 😁.

I would split it in many subnets, one for routing, one for DMZ, etc etc.

As for size of the splits, think loong run plans...

 

Thx,

0 Kudos