Hi All,
I am facing an issue. We have recently merged with another company, who are now connected to our LAN via their switch to our core switch. Currently any DNS request they send goes core switch -> DMZ -> server switch -> DC. What I want, and what the other company also wants, is for any DNS request they send to go core switch -> DMZ -> Check Point firewall -> server switch -> DC, and vice versa. I have eth4 of the Check Point connected to the DMZ, so when I send a request from my DC it reaches the firewall but not the DMZ.
I have created a policy as well as a no-NAT rule. In SmartLog I can see ICMP from source DC 192.168.1.1 to destination DC 172.168.1.1, but when they send a request from 172.168.1.1 to 192.168.1.1 there is no traffic in the logs.
I am a bit confused; can anyone please guide me?
cheers
Hello,
My recommendation would be:
"another company who are now connected with our network LAN via their switch to our core switch" - hopefully they are using another VLAN in order to separate their traffic from your traffic....
From this part I understand that you are all sharing the same network infrastructure - that is a BIG NO until you take over all of their infrastructure/systems/machines (etc.) - "any DNS request they send goes to core switch -> DMZ -> server switch -> DC".
As you stated, "any DNS request they send goes to core switch -> DMZ -> Check Point firewall -> server switch -> DC": that can happen if you terminate those connections in the firewall, so that the L3 gateway is the FWL and not the Core or something else.
If you can sketch how your LAN/Core connects to the FWL and DMZ, we could say more.
Thank you,
"another company who are now connected with our network LAN via their switch to our core switch" - hopefully they are using another VLAN in order to separate their traffic from your traffic.... Let's say they have clients in 10.0.0.0/16 and their DC is 192.168.0.1. When their clients send a request to access one of our servers, 172.28.129.2, the request first goes to their DNS, which forwards it to our DNS 172.28.129.4 in order to access 172.28.129.2. Do I need to create a VLAN 8 for 10.0.0.0/16, or a VLAN 8 for 192.168.0.1?
What they are doing is a conditional forwarder on their DNS pointing to our DNS.
Like I said earlier, you need to separate their network from your network.
In the end it's about separation at the network level, because with the way you are set up today, I don't see a user from their network being forced to go over the FWL towards your network just by doing DNS requests.
Yes, the DNS servers are linked through the DNS forwarder, but that doesn't force the traffic to go over the FWL.
So again, sketch something showing how your network looks so we have a better understanding and will be able to point you in the right direction.