This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_TK
Advisor
‎2023-01-31 06:29 PM

LOM question

Wondering where most folks put the LOM port for an appliance - private network, publicly reachable but post firewall, or directly on the public network, flat to the firewall?

For years i've been putting mine on the private side, but i can see a ton of value placing them flat to the firewall on the public side.  For instance, at every location the ISP provides me a /29 for the handoff of which i immediately use 4 or the 6 public IPs - their gw, VIP, real-1, real-2.  So i have just enough IPs to place the LOM ports there.  But....are they hardened enough to be in a free fire zone?  Assume i'm using a complex password - any options to harden even more?

Appreciate your feedback.

 

 

 

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2023-01-31 07:52 PM

Every customer I know does it on the LAN side, so if we ever need it, it has to be accessed via remote access VPN. In all honesty, in all my years dealing with CP, I had to use it probably 4 times max. Personally, but this is just me, I would not put it on publicly accessible IP address. The reason I say that is simply due to the fact you wont have a need for anyone to access the LOM portal often enough in the first place.

0 Kudos
CE_SE
Employee Alumnus
Employee Alumnus
‎2023-01-31 08:26 PM

In theory Yes you could put the LOM on an external public IP. You could potential lock it down via other methods of authentication and provide access to only specific IP addresses (your home IP static and/or jump PC within your organization) Though I'm not sure I still would feel comfortable doing that. I much rather have a true out of band solution for all my hardware (router, switches, FWs, etc) 

Here is the LOM guide if you didn't already have it.

https://dl3.checkpoint.com/paid/73/733690c295a61c638b41ebd8ce744428/CP_Smart-1_5_6_7_13_15_16_21_23_...

the_rock
Legend
Legend
‎2023-01-31 09:03 PM
In response to CE_SE

Good point @CE_SE 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events