Bernardes
Advisor

Inspection packets in the same VLAN

Hello Mates!

I'd like to ask a silly question. I have an environment where the firewall performs VLAN routing, and all VLANs pass through a layer 2 switch before reaching the firewall.

When I send a packet from a machine in one VLAN to a machine in another VLAN, the packet needs to be routed by the firewall, and I can see the packets passing through the interface on tcpdump, and I also see them in the logs of SmartConsole.

But when I send packets between machines in the same VLAN, I see the packets passing through the firewall interface on tcpdump, but there are no logs in SmartConsole for this traffic.

So, my question is: are these packets between machines in the same VLAN inspected by the firewall or only when they go from one network to another?

6 Replies
Chris_Atkinson
Employee

From what you've described you typically wouldn't see the traffic within the same VLAN arrive at or traverse the firewall if your L2 switch is behaving normally.

For that you might otherwise have the firewall operating in bridge mode between two switches or L2 segments.
CCSM R77/R80/ELITE
HeikoAnkenbrand
Champion

You only see the packets with tcpdump because the interface is switched to promiscuous mode.

In a layer 3 firewall:
In the same VLAN, the packets from computer A to B should not be visible on the firewall interface, as they are passed directly between the systems. This means that the packets are not inspected.

Only packets routed to another network (in your case another VLAN) are inspected on a layer 3 firewall.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Bernardes
Advisor

@HeikoAnkenbrand thank you very much! It was exactly what I needed to know. So, if I need to inspect this traffic on the same VLAN, what would I need to do?
HeikoAnkenbrand
Champion

With a layer 3 firewall you cannot inspect the traffic in the same VLAN between two systems.

You could only install endpoint protection (for example Check Point Harmony) on all systems in the same VLAN.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Bob_Zimmerman
Authority

First, think very hard before actually doing this, as it's really rare, so not many people will know how to troubleshoot it effectively. You could easily wind up shooting yourself in the foot forever.

There actually is some network witchery you can do to forcibly insert the firewall between every endpoint in a given VLAN, but it depends on the switch supporting a feature called "private VLANs". This feature breaks normal Ethernet forwarding behavior for frames with an unknown destination MAC. You specify certain ports as "isolated" ports and others as "promiscuous" ports. A device on an isolated port can talk to all devices on promiscuous ports, a device on a promiscuous port can talk to all devices on isolated ports, all promiscuous ports can talk to each other, and no isolated ports can talk to each other. This provides the guarantee of isolation. You would then tweak the endpoints to use a /32 netmask, which would cause them to route through their default gateway to get to any address.

It's also possible to do this with MPLS switches using route designators and route targets. While this method is based entirely on normal MPLS forwarding behavior, there are even fewer people who understand that than private VLANs.

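As an added illustration (not from Bob_Zimmerman's post and not Check Point material), this is what the private-VLAN plus /32 arrangement described above looks like on a Cisco IOS switch and a Linux host; the VLAN IDs, port numbers and 10.1.1.0/24 addressing are assumed values.

```text
! --- Switch side (Cisco IOS syntax, assumed example values) ---
! Older Catalyst IOS requires VTP transparent mode for private VLANs.
vtp mode transparent
!
! One primary VLAN carries the subnet; one isolated secondary VLAN holds the hosts.
vlan 100
 name USERS-PRIMARY
 private-vlan primary
 private-vlan association 101
vlan 101
 name USERS-ISOLATED
 private-vlan isolated
!
! Host ports: isolated. They can only exchange frames with promiscuous ports,
! never with each other, so host-to-host traffic cannot bypass the firewall.
interface range GigabitEthernet1/0/1 - 23
 description hosts (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Firewall inside interface: promiscuous, reachable from every isolated port.
interface GigabitEthernet1/0/24
 description firewall inside interface, default gateway 10.1.1.1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101

# --- Host side (Linux, assumed example values) ---
# A /32 address makes every other host off-link, so the OS sends all traffic
# to the default gateway instead of ARPing for it directly. The gateway itself
# needs an explicit on-link route or the default route cannot be installed.
ip addr add 10.1.1.10/32 dev eth0
ip route add 10.1.1.1/32 dev eth0
ip route add default via 10.1.1.1 dev eth0
```

Host-to-host traffic then enters and leaves the firewall on the same interface, so the rulebase and the anti-spoofing topology for that interface must allow it, and a rule with logging enabled is what produces the SmartConsole entries the original question was missing.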
Bernardes
Advisor

Thank you all for your help! You are amazing as always!
