strou
Explorer

Using security zone with security policies

Hi,

I am a beginner with Check Point.

Here is my question: When you use security zones as a source or destination in your security policies, does Check Point limit the IP addresses to those matching the connected subnet of the interface bound to the security zone? Or does it allow any IP address coming from that interface?

Thanks,

Steve

0 Kudos
3 Replies
Marcel_Gramalla
Advisor

I think it will allow any connection from the interface, as you only tell the gateway which interface belongs to zone XY if you don't use address spoofing. But you should enable address spoofing, and with that every connection from an unknown IP will be dropped even before the security policy. You can choose to only include the network where the Cluster IP resides, or choose "defined by routes", or even select a group of subnets if you have that use case.

0 Kudos
genisis__
Leader

I believe it looks at the topology related to the interface; therefore the directly connected interface and any routes via that interface are in scope for the zone.

0 Kudos
JozkoMrkvicka
Mentor

It is also important to note if the interface is marked in Topology as External or Internal.

Kind regards,
Jozko Mrkvicka
0 Kudos
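The three replies together describe an ordering: the gateway's anti-spoofing check (driven by each interface's topology, whether Internal with "this network" / "defined by routes", or External) runs before the zone-based rulebase is consulted. The following is an added illustration written for this thread, not Check Point code or configuration; interface names, subnets, zones and the two-rule rulebase are constructed, and the External-interface behaviour (accept any source not belonging to an internal network) is modelled as the replies describe it.

```python
# Added model of anti-spoofing running before zone-based rule matching.
# All interface names, subnets, zones and rules below are constructed.
from ipaddress import ip_address, ip_network

# Topology per interface: "internal" interfaces list the networks behind them
# (eth1 = "this network" only; eth2 = "defined by routes": connected subnet plus
# a routed subnet). "external" carries no list and accepts anything not internal.
INTERFACES = {
    "eth0": {"topology": "external", "networks": []},
    "eth1": {"topology": "internal", "networks": [ip_network("10.1.0.0/24")]},
    "eth2": {"topology": "internal",
             "networks": [ip_network("10.2.0.0/24"), ip_network("192.168.50.0/24")]},
}
ZONES = {"ExternalZone": ["eth0"], "InternalZone": ["eth1", "eth2"]}

# Zone-based rulebase, first match wins: (source zone, destination zone, action)
RULEBASE = [("InternalZone", "ExternalZone", "accept"), ("Any", "Any", "drop")]

def internal_networks():
    return [n for i in INTERFACES.values() if i["topology"] == "internal"
            for n in i["networks"]]

def anti_spoofing_ok(ingress, src):
    """True if src is a legitimate source on `ingress` according to its topology."""
    iface = INTERFACES[ingress]
    if iface["topology"] == "internal":
        return any(src in n for n in iface["networks"])
    # External interface: any address that is not behind an internal interface.
    return not any(src in n for n in internal_networks())

def zone_of(ifname):
    return next(z for z, members in ZONES.items() if ifname in members)

def decide(ingress, egress, src, dst, anti_spoofing=True):
    """Gateway decision for a packet entering on `ingress`, leaving via `egress`."""
    src, dst = ip_address(src), ip_address(dst)
    if anti_spoofing and not anti_spoofing_ok(ingress, src):
        return "drop (anti-spoofing, before rulebase)"
    src_zone, dst_zone = zone_of(ingress), zone_of(egress)
    for rule_src, rule_dst, action in RULEBASE:
        if rule_src in (src_zone, "Any") and rule_dst in (dst_zone, "Any"):
            return action
    return "drop (cleanup)"
```

With anti-spoofing disabled, a source outside the interface's topology still matches the zone rule, which is the behaviour the first reply warns about.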
