Hello Mates!
I'd like to ask a silly question. I have an environment where the firewall performs VLAN routing, and all VLANs pass through a layer 2 switch before reaching the firewall.
When I send a packet from a machine in one VLAN to a machine in another VLAN, the packet needs to be routed by the firewall, and I can see the packets passing through the interface on tcpdump, and I also see them in the logs of SmartConsole.
But when I send packets between machines in the same VLAN, I see the packets passing through the firewall interface on tcpdump, but there are no logs in SmartConsole for this traffic.
So, my question is: are these packets between machines in the same VLAN inspected by the firewall or only when they go from one network to another?
You only see the packets with tcpdump, because the interface is switched to promiscuous mode.
In a layer 3 firewall:
In the same VLAN, the packets from computer a to b should not be visible on the firewall interface, as they are passed directly between the systems. This means that the packets are not inspected.
Only packets routed to another network (in your case another VLAN) are inspected on a layer 3 firewall.
From what you've described you typically wouldn't see the traffic within the same VLAN arrive at or traverse the firewall if your L2 switch is behaving normally.
For that you might otherwise have the firewall operating in bridge mode between two switches or L2 segments.
@HeikoAnkenbrandt thank you very much! It was exactly what I needed to know. So if I need to inspect this traffic on the same VLAN, what would I need to do?
With a layer 3 firewall you cannot inspect the traffic in the same VLAN between two systems.
You could only install endpoint protection (for example Check Point Harmony) on all systems in the same VLAN.
First, think very hard before actually doing this, as it's really rare, so not many people will know how to troubleshoot it effectively. You could easily wind up shooting yourself in the foot forever.
There actually is some network witchery you can do to forcibly insert the firewall between every endpoint in a given VLAN, but it depends on the switch supporting a feature called "private VLANs". This feature breaks normal Ethernet forwarding behavior for frames with an unknown destination MAC. You specify certain ports as "isolated" ports and others as "promiscuous" ports. A device on an isolated port can talk to all devices on promiscuous ports, a device on a promiscuous port can talk to all devices on isolated ports, all promiscuous ports can talk to each other, and no isolated ports can talk to each other. This provides the guarantee of isolation. You would then tweak the endpoints to use a /32 netmask, which would cause them to route through their default gateway to get to any address.
It's also possible to do with MPLS switches using route designators and route targets. While this method is based entirely on normal MPLS forwarding behavior, there are even fewer people who understand that than private VLANs.
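The two forwarding decisions the previous answer relies on, as an added example that is not part of the thread and not Check Point code: a small Python model of (1) the host's own "on-link or via default gateway" decision, which is what the /32 netmask changes, and (2) the private-VLAN port rule (isolated ports only reach promiscuous ports). All addresses, hostnames and port assignments are constructed sample values, and the switch, host and firewall are reduced to exactly those two rules.

```python
"""
Model of why same-VLAN traffic bypasses a layer 3 firewall, and how the
private-VLAN + /32 netmask combination forces it through the gateway.
Everything here is a constructed example; no real topology is read.
"""
import ipaddress

# Constructed sample topology: one /24 VLAN, two hosts, a firewall as gateway,
# and one host in a different VLAN behind the firewall.
GATEWAY = ipaddress.IPv4Address("10.1.1.1")
HOST_A = ipaddress.IPv4Address("10.1.1.10")
HOST_B = ipaddress.IPv4Address("10.1.1.20")
HOST_OTHER_VLAN = ipaddress.IPv4Address("10.1.2.30")

# Port type per attached device. A plain VLAN has no isolation ("normal");
# in the private-VLAN design the hosts sit on isolated ports and only the
# firewall sits on a promiscuous port.
NORMAL_PORTS = {HOST_A: "normal", HOST_B: "normal", GATEWAY: "normal"}
PVLAN_PORTS = {HOST_A: "isolated", HOST_B: "isolated", GATEWAY: "promiscuous"}


def next_hop(src, prefix_len, dst, gateway):
    """Host IP-stack decision: if dst is inside the host's own prefix the host
    ARPs for dst and sends the frame directly; otherwise it sends the frame to
    the default gateway's MAC. With prefix_len=32 nothing is on-link."""
    link = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    return dst if dst in link else gateway


def pvlan_forwards(src_port, dst_port):
    """Private-VLAN rule: isolated -> isolated is dropped by the switch;
    every other combination (promiscuous involved, or no isolation) passes."""
    return not (src_port == "isolated" and dst_port == "isolated")


def classify(src, prefix_len, dst, gateway, ports):
    """Where does a packet from src to dst end up?
      'inspected'         - frame is addressed to the firewall, which routes and logs it
      'bypasses firewall' - switch forwards it host-to-host; the firewall never sees it
      'dropped by switch' - isolated-to-isolated frame, discarded before any device"""
    hop = next_hop(src, prefix_len, dst, gateway)
    if hop == gateway:
        return "inspected"
    if pvlan_forwards(ports[src], ports[dst]):
        return "bypasses firewall"
    return "dropped by switch"


def scenarios():
    """The cases discussed in the thread, keyed by a short description."""
    return {
        "same VLAN, /24, plain switch": classify(HOST_A, 24, HOST_B, GATEWAY, NORMAL_PORTS),
        "other VLAN, /24, plain switch": classify(HOST_A, 24, HOST_OTHER_VLAN, GATEWAY, NORMAL_PORTS),
        # Private VLAN alone is not enough: the host still ARPs for B directly
        # and the switch discards the isolated-to-isolated frame.
        "same VLAN, /24, private VLAN": classify(HOST_A, 24, HOST_B, GATEWAY, PVLAN_PORTS),
        # /32 makes B off-link, so A hands the packet to the firewall instead.
        "same VLAN, /32, private VLAN": classify(HOST_A, 32, HOST_B, GATEWAY, PVLAN_PORTS),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} -> {result}")
```

The third scenario is the reason the answer pairs the two tricks: private VLANs alone just break host-to-host traffic, and the /32 mask alone just makes every host hand its frames to the gateway while the switch would still forward a direct frame if the host ever sent one. On a Linux host the /32 configuration also needs an on-link host route to the gateway before the default route will install. The first answer's point about tcpdump can be checked on the gateway itself: running tcpdump with `-p` keeps the interface out of promiscuous mode, so same-VLAN frames that then vanish from the capture were never addressed to the firewall in the first place.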
Thank you all for your help! You are amazing as always!