My company has a number of small business customers who are relying on basic internet connections from Comcast, Fios, Charter, etc. for their primary internet. Most of these customers already have a primary internet gateway/router that they purchased or rent. My company provides Managed Security Services, and these customers are interested in firewall solutions but aren't willing to change their existing setups. They want something dropped inline that doesn't change their setup.
We're wondering if there is an architecture with Layer 2 transparent bridging on some ports that will work in this setup. This would require a device to bridge traffic to the gateway (pass the DHCP request) and then have some capability to also communicate outbound for updates/management with only one DHCP lease. One port would need to be Layer 3 to get a routable IP and point to a gateway for internet updates.
Use Case would be:
INTERNET-->CHECKPOINT FW-->INTERNET ROUTER --> LAN
Does anyone know if this is possible with any Check Point UTM devices?
Based on this article (Bridge Mode), it sounds like this could be possible, but I'm not clear.
The article section that is interesting:
Security Gateways with a bridge interface can support Layer 3 routing over non-bridged interfaces. If you configure a bridge interface with an IP address for one Security Gateway (not a cluster), the bridge functions as a regular Layer 3 interface. It participates in IP routing decisions on the gateway and supports Layer 3 routing.
The following diagram shows a sample topology:
| Item | Description |
|---|---|
| 1 | Switch |
| 2 | Router |
| | Security Gateway firewall bridging Layer 2 traffic: |
| 3 | Management interface (inspects first packet) |
| 4 | eth1 (inspects first packet again) |
| 5 | eth2 |
| 6 | Bridge interface - management traffic drops |
| 7 | Security Management Server |
When a Layer-3 management interface sends traffic through the firewall, the traffic is dropped because it cannot inspect the same packet again.
Use the procedure for the applicable Security Gateway version.
Yes, you can do what you describe.
However, there is an issue that you will run into where the gateway will reject its own management traffic due to "local interface spoofing."
This can be overcome with the following SK: "When configuring two interfaces in Bridge Mode, traffic is dropped due to 'local interface spoofing'".
However, we are working on a more turnkey solution called SandBlast Now.
It was presented at our recent CPX 360 events.
If you're interested, I can connect you with the relevant parties.
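For readers who want to see what the topology from the question (INTERNET --> Check Point FW --> INTERNET ROUTER --> LAN) and the bridge-plus-Layer-3 arrangement from the quoted Bridge Mode article look like in configuration, here is an added example in Gaia clish. It is not from the original thread or from Check Point's documentation; the interface names (eth0, eth1, eth2), the addresses, the bridge group ID and the placement of the management interface on the customer LAN are all assumptions. It does not include the workaround from the SK mentioned in the reply above, which is still needed for the gateway's own management traffic.

```clish
# Added example, not from the original post. Gaia clish commands for an inline
# transparent bridge with a separate Layer 3 management interface.
# Assumed layout:
#   eth1  - faces the ISP modem/ONT (WAN side)
#   eth2  - faces the customer's existing internet router
#   eth0  - non-bridged management interface on the customer LAN (assumed)

# 1. Bridge eth1 and eth2. Bridge ports carry no IP address, so the router's
#    DHCP request passes through unchanged and the router keeps the single
#    ISP lease. The bridge interface br0 is deliberately left without an
#    address so the gateway stays invisible on the ISP segment.
add bridging group 0
add bridging group 0 interface eth1
add bridging group 0 interface eth2

# 2. Give the non-bridged interface a routable address and a default route.
#    Per the quoted article, Layer 3 routing is supported over non-bridged
#    interfaces, so updates and management traffic leave via eth0.
#    192.168.1.0/24 and the router address 192.168.1.1 are assumed values.
set interface eth0 ipv4-address 192.168.1.250 mask-length 24
set interface eth0 state on
set static-route default nexthop gateway address 192.168.1.1 on

# 3. Persist the configuration.
save config
```

Two things to check before relying on this. First, with eth0 on the LAN behind the router, the gateway's own update and management packets go to the router and then come back through the bridge (eth2 to eth1) on their way to the internet; that is exactly the "local interface spoofing" drop described in the reply above, so the referenced SK must still be applied. Second, the Security Management Server must be able to reach eth0's address; if it sits outside the customer network, that requires a port forward or VPN on the customer's router, which is the one change to the existing setup this design cannot avoid.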
That would be fantastic if possible. This is an extremely high priority for us so I would love to speak to anyone involved.
I’ve already given your details to the relevant parties.
You should be contacted shortly if you haven’t been already.