This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Satyam1
Participant
‎2021-10-14 12:49 PM

General question about firewalls

Hi Guys,
I am extreme beginner on firewalls and network. I have a question, which will sound very naive. My brother company has around 500 employees in the same branch where he works. They have two firewalls in HA and then switches and then their servers. They run many web applications in their servers and a large amount of data is uploaded to the internal storages from internal endpoints.

They have multiple 16G and 25G network cards in their server, storage, switches and firewalls and they have 3 ILL line 2x500 Mbps and 1x350 Mbps.

My question is why do they need 25G interfaces in the firewalls? For servers, storage and swithes I can understand, since a lot of data is moved internally. But internal data can be routed through switches and their fastest ILL is 500Mbps. Since internal data dosen't need firewall to move around, so whats the use for 25G interfaces? Even most companies I have seen with fast ILL is 1Gbps, so shouldn't 1Gbps interface on firewall is enough, since data that come and goes through internet cannot be more than their ILL spped ? In general whats the use of firewall interfaces with higher gigabit speed than the ILL ?

0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2021-10-14 03:00 PM

Is the firewall an appliance or open server?

Often depends on the role of the FW i.e. DMZ or Internal east-west segmentation etc

Perhaps also the switches predominant port type is favoured for standardization vs others needing different equipment/models?

CCSM R77/R80/ELITE
Marcel_Gramalla
Advisor
‎2021-10-14 10:52 PM

Chris already mentioned a few points. We (1500 employees in the HQ) use two separate Firewall Clusters. One is for DMZ/Internet use so every subnet/vlan is routed on the Firewalls and not the Switches because we only want to allow minimum access between those subnets and DMZ servers are reachable from the Internet most of the time. In this case we are using 10G interfaces because we need more speed than just the Internet connection.

A valid point is also that most Core Switches where the Firewalls are connected are Fiber only and you really don't want 1G Transceivers in there. So you choose 10G or even 25G depending on the Switch or available Ports.

The second Cluster is for separating internal networks between each other. This is fairly new for us but also forces us to use the Firewalls as the routing instance and not the Switches. In that case we have 25G Interfaces on that Firewall as there can be very high traffic for Backups etc. It also allows us to use the IPS feature between internal networks.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events