Travais_Sookoo
Explorer

Can TX gateways in transparent block?

Hello 'mates,

As the subject asks, I would like to deploy a pair of Sec Gateways with IPS, ASPam, AV, TE and TX, but with the interfaces bridged and directly connected to another firewall and switch, inline to all traffic coming from a high security network.

Will the Sec Gateway device be able to block any traffic deemed to be high risk based on the blades and TX or will it be monitor only?

0 Kudos
1 Solution

Accepted Solutions
Pablo_Barriga
Advisor

Hello, Gateways support these deployments:

Blade                                      | Supported in Bridge Gateway mode? | Supported in Bridge VSX mode?
-------------------------------------------|-----------------------------------|----------------------------------------------------------------------
Firewall                                   | Yes                               | Yes
IPS                                        | Yes                               | Yes
URL Filtering                              | Yes                               | Yes
Data Loss Prevention                       | Yes                               | No
Anti-Bot                                   | Yes                               | Yes
Anti-Virus                                 | Yes                               | Yes
Application Control                        | Yes                               | Yes
HTTPS Inspection                           | Yes (1)                           | No
Identity Awareness                         | Yes                               | No
Threat Emulation - ThreatCloud emulation   | Yes                               | Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode
Threat Emulation - Local emulation         | Yes                               | No in all Bridge Modes
Threat Emulation - Remote emulation        | Yes                               | Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode
UserCheck                                  | Yes                               | No
QoS                                        | Yes (see sk89581)                 | No (see sk79700)
HTTP / HTTPS proxy                         | Yes                               | No
SMTP / HTTP / FTP / POP3 Security Servers  | Yes                               | No
Client Authentication                      | Yes                               | No
User Authentication                        | Yes                               | No

SandBlast Inline Mode supports these configurations:

  • Background
    • Allows using the "Prevent" action and the "Ask" action (with UserCheck) in the Threat Prevention policy to block traffic before it goes to the internal computer.
  • Deployment with a Mail Transfer Agent (MTA):
    • A Mail Transfer Agent (MTA) is needed:
      • If you need to inspect SMTP over TLS traffic
      • If you need to use the "Prevent" action for SMTP over TLS traffic
      • If you need to perform Threat Extraction on SMTP traffic
  • Deployment in Bridge Mode:
    • A SandBlast TE Appliance connected in Bridge Mode performs emulation.
      Other existing Security Gateways perform FireWall, NAT and other functions.
  • Deployment with Proxy / ICAP Server:
    • A Proxy / ICAP Server collects files and sends them via ICAP to the SandBlast TE Appliance for emulation.


4 Replies
Vladimir
Champion

I believe you'll be able to use a subset of features to block threats, but the most important limitations of the bridge mode are the absence of support for HTTPS inspection and Identity Awareness.

0 Kudos
Travais_Sookoo
Explorer

Much thanks Pablo Barriga and https://community.checkpoint.com/people/highe19f56cc9-7e21-4ec2-8189-286599ead4d8

As a reference, the quoted excerpt is sk101371

Vladimir
Champion

Pablo's answer makes sense if the bridge mode is non-transparent, i.e. you'll have to assign the IP to the bridge in order to utilize HTTPS inspection, IA, DLP, and other functionality relying on it.

As you've mentioned "transparent" in the header of your question, I've supplied the limitations associated with it.

Cheers,

Vladimir
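As an added illustration of the distinction Vladimir draws between a transparent bridge and a bridge that carries an IP address (this is not configuration from any reply in this thread, nor quoted from sk101371), the two variants as they would be created in Gaia clish. The interface names, bridge group number and address are assumed values, and the clish syntax is given from memory; the comment lines are for the reader, not for pasting into clish.

```clish
# Variant A: transparent (layer-2 only) bridge. br0 has no address, so blades
# that must terminate or originate connections themselves (HTTPS Inspection,
# Identity Awareness) cannot run; IPS, Anti-Virus, Anti-Bot and Application
# Control still inspect the traffic flowing across the bridge.
add bridging group 0
add bridging group 0 interface eth1
add bridging group 0 interface eth2
set interface br0 state on
save config

# Variant B: non-transparent bridge. Same layer-2 path between eth1 and eth2,
# but br0 is given an IP (assumed 10.0.0.2/24) so the gateway can act as an
# endpoint for HTTPS Inspection and Identity Awareness traffic.
add bridging group 0
add bridging group 0 interface eth1
add bridging group 0 interface eth2
set interface br0 ipv4-address 10.0.0.2 mask-length 24
set interface br0 state on
save config
```

In both variants eth1 is assumed to face the upstream firewall and eth2 the high-security switch; the blade table above still decides which blades block rather than only monitor on the bridged path.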
