This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andreas
Participant
Participant
‎2019-06-06 04:20 AM

VSX route propagation with more then one vSwitch

Hi all

I have a question to the feature "propagate route to adjacent Virtual Devices".

Lets assume we have three external vs: Inbound-vs, Outbound-vs and VPN-vs

This three VS are in a vSwitch sandwich, one vSwitch for the external subnet and one for internal transit LAN leading to internal VS with internal networks.

The question is now: How does Check Point decided through which of the two vSwitch traffic is routet from one DMZ to the other? (Random, vs-id, higher ip, ...)

In our setup the routes are propagated through the external vSwitch. This works as consequently for all interfaces the external vSwitch is chosen and no asynch routing occurs. From a security point of view and also architectural considerations, this is not the desired path. For example traffic is coming encrpyted over VPN to the VPN-vs and is sent clear text over the external interface to the DMZ of the Outbound-vs. Assuming the two vs are on another physical VSX host, the traffic is sent over a physical switch, which is exposed to the internet. Not so good.

Of course, we could disable the feature and manually route through the internal transit vSwitch. As of now, it looks like we have to go that way.

Is there a way to force check point to choose the internal vSwitch for the propagated routes?

Imho check point should never use an external interface to route traffic. The information, that these interfaces are external is given in the topology. That might be an RFE.

What do you think about the topic?

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2019-06-09 05:03 PM

A diagram might be helpful to visualize this.
The route that propagates when you use "propagate route to adjacent Virtual Devices" is the wrp interface between the VS and the Switch.
If you have two routes to the same destination using different paths, not sure how it decides which one to use.
In any case, static routes seem like the best idea here.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top