What is Check Point's solution for RPC traffic on Internal firewall?

Question asked by William Chang on Nov 22, 2017
Latest reply on Nov 28, 2017 by William Chang

We are using a Check Point firewall appliance running R80.10 as the gateway for VLANs to manage the east-west traffic internally. We are looking for a solution to move to a software-defined approach like vSEC.

However, a real-world software-defined solution is not the same as most demos shown at conferences with a simple 3-tier Web->App->DB setup. One thing most people will encounter is Windows RPC traffic.

Check Point has a layer 4 protocol called "ALL_DCE_RPC" which covers all RPC traffic. However, using that protocol in your rule will disable SecureXL acceleration for all the rules after that rule (although I still don't have an answer from my Diamond about whether using this rule in an inline layer will only disable SecureXL for the rules within the inline layer, or for all the rules after the inline layer as well).

Check Point has an application called "DCE-RPC Protocol". Using that, you will not see the "xxx disables template offloads from rule yyy" message when you run "fwaccel stat". However, when you run "fwaccel stats -s", you still see the majority of your traffic in either the "F2Fed" or "PXL" categories. In order to use this application, you will need to turn on the Application Control blade.

If you read sk32578, a lot of traffic is not accelerated when you turn on advanced blades like Application Control/URL Filtering.

Check Point markets R80.10 "unified rules" as its answer to Palo Alto. My question here is: what is Check Point's answer for utilizing vSEC to control traffic like RPC without greatly impacting performance?
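A quick way to quantify the effect the post describes is to check both things it mentions on the gateway: whether "fwaccel stat" reports a rule that disables template offloads, and what share of packets "fwaccel stats -s" puts in the F2Fed and PXL categories versus Accelerated. The script below is an added example (not from the original post or from Check Point); the two sample outputs are constructed to mimic the line shapes of those commands, and the 50% acceleration threshold is an arbitrary assumption. On a real gateway you would feed it the live command output instead of the constants.

```python
"""Assess SecureXL status from `fwaccel stat` and `fwaccel stats -s` output.

Added example, not Check Point code. The sample outputs are constructed to
mimic the lines the post refers to ("... disables template offloads from
rule ..." and "<category> pkts/Total pkts : a/b (p%)").
"""
import re
import subprocess

# Constructed sample of the relevant part of `fwaccel stat` output.
FWACCEL_STAT_SAMPLE = """\
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     Layer Network disables template offloads from rule #12
                     Throughput acceleration still enabled.
Drop Templates     : disabled
NAT Templates      : disabled by Firewall
                     Layer Network disables template offloads from rule #12
                     Throughput acceleration still enabled.
"""

# Constructed sample of `fwaccel stats -s` output.
FWACCEL_STATS_S_SAMPLE = """\
Accelerated conns/Total conns : 1200/4800 (25%)
Accelerated pkts/Total pkts   : 180000/900000 (20%)
F2Fed pkts/Total pkts   : 450000/900000 (50%)
PXL pkts/Total pkts   : 270000/900000 (30%)
QXL pkts/Total pkts   : 0/900000 (0%)
"""

TEMPLATE_RE = re.compile(r"disables template offloads from rule #?(\d+)")
PKTS_RE = re.compile(r"^(?P<cat>\S+) pkts/Total pkts\s*:\s*(?P<n>\d+)/(?P<total>\d+)")


def template_breaking_rules(stat_output):
    """Sorted unique rule numbers named in 'disables template offloads' lines."""
    return sorted({int(m.group(1)) for m in TEMPLATE_RE.finditer(stat_output)})


def packet_shares(stats_output):
    """Map each packet category (Accelerated, F2Fed, PXL, ...) to its fraction of all packets."""
    shares = {}
    for line in stats_output.splitlines():
        m = PKTS_RE.match(line.strip())
        if m and int(m["total"]) > 0:
            shares[m["cat"]] = int(m["n"]) / int(m["total"])
    return shares


def assess(stat_output, stats_output, min_accelerated=0.5):
    """Combine both outputs into one verdict.

    min_accelerated is an assumed threshold: below it, or if any rule kills
    templating, the gateway is flagged as not meeting the acceleration goal.
    """
    shares = packet_shares(stats_output)
    accelerated = shares.get("Accelerated", 0.0)
    # F2Fed and PXL are the slow paths the post is worried about.
    slow_path = shares.get("F2Fed", 0.0) + shares.get("PXL", 0.0)
    rules = template_breaking_rules(stat_output)
    return {
        "accelerated": accelerated,
        "slow_path": slow_path,
        "template_rules": rules,
        "ok": accelerated >= min_accelerated and not rules,
    }


def run_command(argv):
    """Run a gateway command and return its stdout (only used outside the sample)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:  # On a Gaia gateway, read the live output.
        stat = run_command(["fwaccel", "stat"])
        stats = run_command(["fwaccel", "stats", "-s"])
    except (OSError, subprocess.CalledProcessError):  # Elsewhere, use the constructed samples.
        stat, stats = FWACCEL_STAT_SAMPLE, FWACCEL_STATS_S_SAMPLE
    result = assess(stat, stats)
    print(f"accelerated: {result['accelerated']:.0%}, slow path (F2Fed+PXL): {result['slow_path']:.0%}")
    if result["template_rules"]:
        print("template offloads disabled from rule(s):", result["template_rules"])
    print("OK" if result["ok"] else "acceleration goal NOT met")
```

With the constructed samples the script reports 20% accelerated, 80% on the F2F/PXL paths, and rule 12 as the rule that disables template offloads, so the verdict is "acceleration goal NOT met". Running it before and after moving an ALL_DCE_RPC rule into an inline layer gives a concrete answer to the question the post raises about where the template offload actually stops.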