This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nas696
Explorer
‎2022-05-02 07:21 AM

2 different domain controllers

Hi All,

i am facing an issue we have recently merged with another company who are now connected with our network lan base via there switch to our core switch, so any dns request they send it goes to core switch -> dmz  -> server switch -> DC, what i want and also the other company want that any dns request they send it goes to core switch -> dmz  ->checkpoint firewall-> server switch -> DC, vice versa, i have eth4 of checkpoint connted to dmz so when i send a request from my DC it reaches to the firewall but not to dmz.

i have created a policy, as well as no nat rule, in smart log i can see icmp source from my dc 192.168.1.1 to destination dc 172.168.1.1, but when they send a request from 172.168.1.1 to 192.168.1.1 no traffic in the logs. 

i am a bit confused can please anyone guide me.

cheers

Labels
0 Kudos
3 Replies
Sorin_Gogean
Advisor
‎2022-05-04 12:02 AM

Hello, 

My recommendation would be:

"another company who are now connected with our network lan base via there switch to our core switch" - hopefully they are using another Vlan in order to separate their traffic from your traffic....

From this part I understand that you all are sharing same network infrastructure - that is a BIG NO until you take-over all their infrastructure/systems/machines (etc) - "any dns request they send it goes to core switch -> dmz  -> server switch -> DC" .

As you stated, "any dns request they send it goes to core switch -> dmz  ->checkpoint firewall-> server switch -> DC", that can happen if you terminate those connections in the firewall, so the L3 will be the FWL and not the Core or smth else.

If you can sketch how your Lan/Core connects to the FWL and DMZ, we could say more.

 

Thank you,

0 Kudos
nas696
Explorer
‎2022-05-04 03:42 AM
In response to Sorin_Gogean

"another company who are now connected with our network lan base via there switch to our core switch" - hopefully they are using another Vlan in order to separate their traffic from your traffic.... lets say they have clients 10.0.0./16, there dc is 192.168.0.1, when there clients send a request to access one of our servers 172.28.129.2 request first goes to there dns which forwards the request to our dns 172.28.129.4 to access 172.28.129.2 do i need to create a vlan 8 for 10.0.0./16 or vlan8 192.168.0.1

what they doing is a conditional forwarder on there dns to our dns.

0 Kudos
Sorin_Gogean
Advisor
‎2022-05-05 10:00 PM
In response to nas696

Like I said earlier, you need to separate their network from your network.

In the end it's about separation on the network level, because like you are today, I don't see an user from their network to be forced to go over the FWL towards your network,  just by doing DNS requests. 

Yes DNS servers are linked through the DNS forwarder, but that doesn't force the traffic to go over the FWL.

 

So again, sketch smth on how your network looks so we have a better understanding and we'll be able to point you in the right direction.

0 Kudos