This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Travais_Sookoo
Explorer
‎2017-11-20 06:28 AM
Jump to solution

Can TX gateways in transparent block?

Hello 'mates,

As the subject asks, I would like to deploy a pair of Sec Gateways with IPS, ASPam, AV, TE and TX but the interfaces bridged and directly connected to another firewall and switch, inline to all traffic coming a high security network.

Will the Sec Gateway device be able to block any traffic deemed to be high risk based on the blades and TX or will it be monitor only?

0 Kudos
1 Solution

Accepted Solutions
Pablo_Barriga
Advisor
‎2017-11-20 03:41 PM
Jump to solution

Hello Gateways support this deployments

BladeSupported in Bridge
Gateway mode?		Supported in Bridge
VSX mode?
FirewallYesYes
IPSYesYes
URL FilteringYesYes
Data Loss PreventionYesNo
Anti-BotYesYes
Anti-VirusYesYes
Application ControlYesYes
HTTPS InspectionYes (1)No
Identity AwarenessYesNo
Threat Emulation -
ThreatCloud emulation		YesYes in Active/Active Bridge Mode

No in Active/Standby Bridge Mode
Threat Emulation -
Local emulation		YesNo in all Bridge Modes
Threat Emulation -
Remote emulation		YesYes in Active/Active Bridge Mode

No in Active/Standby Bridge Mode
UserCheckYesNo
QoSYes (see sk89581)No (see sk79700)
HTTP / HTTPS proxyYesNo
SMTP / HTTP / FTP / POP3 Security ServersYesNo
Client AuthenticationYesNo
User AuthenticationYesNo

Sandblast Inline Mode supports this configurations

  • Background
    • Allows to use "Prevent" action and "Ask" action (with UserCheck) in the Threat Prevention policy to block traffic before it goes to the internal computer.
  • Deployment with a Mail Transfer Agent (MTA):
    Mail Transfer Agent (MTA) is needed:
    If you need to inspect SMTP over TLS traffic
    If you need to use the "Prevent" action for SMTP over TLS traffic
    If you need to perform Threat Extraction on SMTP traffic
  • Deployment in Bridge Mode:
    • SandBlast TE Appliance is connected in Bridge Mode performs emulation.
      Other existing Security Gateway perform FireWall, NAT and other functions.
  • Deployment with Proxy / ICAP Server:
    • A Proxy / ICAP Server collects files and sends then via ICAP to SandBlast TE Appliance for emulation.

View solution in original post

4 Replies
Vladimir
Champion
Champion
‎2017-11-20 07:35 AM
Jump to solution

I believe you'll be able to use a subset of features to block threats, but the most important limitations of the bridge mode are the absence of support for HTTPS inspection and Identity Awareness.

0 Kudos
Pablo_Barriga
Advisor
‎2017-11-20 03:41 PM
Jump to solution

Hello Gateways support this deployments

BladeSupported in Bridge
Gateway mode?		Supported in Bridge
VSX mode?
FirewallYesYes
IPSYesYes
URL FilteringYesYes
Data Loss PreventionYesNo
Anti-BotYesYes
Anti-VirusYesYes
Application ControlYesYes
HTTPS InspectionYes (1)No
Identity AwarenessYesNo
Threat Emulation -
ThreatCloud emulation		YesYes in Active/Active Bridge Mode

No in Active/Standby Bridge Mode
Threat Emulation -
Local emulation		YesNo in all Bridge Modes
Threat Emulation -
Remote emulation		YesYes in Active/Active Bridge Mode

No in Active/Standby Bridge Mode
UserCheckYesNo
QoSYes (see sk89581)No (see sk79700)
HTTP / HTTPS proxyYesNo
SMTP / HTTP / FTP / POP3 Security ServersYesNo
Client AuthenticationYesNo
User AuthenticationYesNo

Sandblast Inline Mode supports this configurations

  • Background
    • Allows to use "Prevent" action and "Ask" action (with UserCheck) in the Threat Prevention policy to block traffic before it goes to the internal computer.
  • Deployment with a Mail Transfer Agent (MTA):
    Mail Transfer Agent (MTA) is needed:
    If you need to inspect SMTP over TLS traffic
    If you need to use the "Prevent" action for SMTP over TLS traffic
    If you need to perform Threat Extraction on SMTP traffic
  • Deployment in Bridge Mode:
    • SandBlast TE Appliance is connected in Bridge Mode performs emulation.
      Other existing Security Gateway perform FireWall, NAT and other functions.
  • Deployment with Proxy / ICAP Server:
    • A Proxy / ICAP Server collects files and sends then via ICAP to SandBlast TE Appliance for emulation.
Travais_Sookoo
Explorer
‎2017-11-21 06:07 AM
In response to Pablo_Barriga
Jump to solution

Much thanks Pablo Barriga and https://community.checkpoint.com/people/highe19f56cc9-7e21-4ec2-8189-286599ead4d8

As a reference, the quoted excerpt is sk101371

Vladimir
Champion
Champion
‎2017-11-21 06:14 AM
Jump to solution

Pablo's answer makes sense if the bridge mode is non-transparent, i.e. you'll have to assign the IP to the bridge in order to utilize HTTPS inspection, IA, DLP, and other functionality relying on it.

As you've mentioned "transparent" in the header of your question, I've supplied the limitations associated with it.

Cheers,

Vladimir

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events