Dear CheckMates,
I have a customer who is going to use Cisco SDA with VXLAN for deployment of new greenfield sites (this is already decided).
They wish to use the SGT provided in the VXLAN headers to be able to create policies in their R81.20 Security Gateways.
We are currently investigating how to get this working by trying to install the Check Point Identity Collector and integrating it with the Cisco ISE. This is proving to be harder than expected. I will open a dedicated topic on that subject if our latest attempts fail.
In the meantime, I was wondering if there was any way to use the VXLAN capabilities of the R81.20 SG directly without having to get an IDC involved?
All ideas/suggestions are welcomed.
Andrew
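To make concrete what "the SGT provided in the VXLAN headers" refers to, here is an added example (not code from the original post, and not Check Point or Cisco code) that decodes the 8-byte VXLAN header with the Group Policy extension (VXLAN-GPO, as laid out in draft-smith-vxlan-group-policy) and pulls out the VNI and the 16-bit Group Policy ID. It assumes, as Cisco SD-Access documentation describes, that the TrustSec SGT travels in that Group Policy ID field; the sample headers are constructed inline, not captured traffic, and nothing here claims how the R81.20 gateway itself handles the field.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Field positions from draft-smith-vxlan-group-policy (VXLAN-GPO / GBP header).
VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN destination port
FLAG_G = 0x80          # byte 0, bit 0: Group Policy ID field is present
FLAG_I = 0x08          # byte 0, bit 4: VNI field is valid
FLAG_D = 0x40          # byte 1, bit 1: "don't learn" the inner source address
FLAG_A = 0x08          # byte 1, bit 4: group policy has already been applied


@dataclass
class VxlanGpoHeader:
    vni: int
    group_policy_id: Optional[int]  # None when the G flag is clear
    dont_learn: bool = False
    policy_applied: bool = False

    @property
    def sgt(self) -> Optional[int]:
        # Assumption: Cisco SD-Access carries the TrustSec SGT in the 16-bit
        # Group Policy ID. If G is clear there is simply no tag to read.
        return self.group_policy_id


def parse_vxlan_gpo(header: bytes) -> VxlanGpoHeader:
    """Decode the 8-byte VXLAN header that follows the outer UDP header."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes; got %d" % len(header))
    flags0, flags1, gpid, vni_hi, vni_lo, _reserved = struct.unpack(
        "!BBHBHB", header[:8])
    if not flags0 & FLAG_I:
        raise ValueError("I flag clear: VNI not valid, not a VXLAN frame")
    vni = (vni_hi << 16) | vni_lo          # VNI is 24 bits, then 1 reserved byte
    gp = gpid if flags0 & FLAG_G else None  # Group Policy ID only meaningful with G
    return VxlanGpoHeader(vni, gp, bool(flags1 & FLAG_D), bool(flags1 & FLAG_A))


def build_vxlan_gpo(vni: int, sgt: Optional[int] = None,
                    policy_applied: bool = False) -> bytes:
    """Build a header; used here only to construct sample frames for testing."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    flags0 = FLAG_I | (FLAG_G if sgt is not None else 0)
    flags1 = FLAG_A if policy_applied else 0
    gpid = sgt if sgt is not None else 0
    if not 0 <= gpid < (1 << 16):
        raise ValueError("Group Policy ID must fit in 16 bits")
    return struct.pack("!BBHBHB", flags0, flags1, gpid,
                       (vni >> 16) & 0xFF, vni & 0xFFFF, 0)


# Constructed samples (not captured traffic): VNI 0x1234 tagged with SGT 16,
# and a plain VXLAN header that has no Group Policy extension at all.
SAMPLE_WITH_SGT = bytes.fromhex("8800001000123400")
SAMPLE_NO_GPO = bytes.fromhex("0800000000123400")


def summarize(header: bytes) -> str:
    """One-line description of what a policy engine could read from the header."""
    h = parse_vxlan_gpo(header)
    if h.sgt is None:
        return "VNI %d: no Group Policy ID (G flag clear), SGT unknown" % h.vni
    suffix = " (policy already applied)" if h.policy_applied else ""
    return "VNI %d: SGT %d%s" % (h.vni, h.sgt, suffix)


if __name__ == "__main__":
    for name, hdr in (("with SGT", SAMPLE_WITH_SGT), ("no GPO", SAMPLE_NO_GPO)):
        print(name, "->", summarize(hdr))
```

The second sample is the case worth noticing: a VXLAN frame without the G flag carries no tag, so any policy keyed on the header's SGT has nothing to match and would need a fallback (for example, the IP-to-SGT mapping an Identity Collector learns from ISE, which is the route the replies below describe).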
I do not think SGT/TrustSec is working without IDC.
You need the IDC to learn the SGTs mapped to the IP address.
You need CloudGuard to learn what SGTs are configured on the ISE (via SmartConsole DataCenter Object).
Then you can create Access Roles based on the SGT and use it in the Policy.
About the Cisco SDA+VXLAN part. Funnily enough I also have sort of this in mind to connect specific sites to the HQ via VXLAN.
Short explanation:
New Site connected via MPLS to the HQ.
Main Objective: minimize hardware usage on the site.
Idea: create a VXLAN between the site switch (Cisco Catalyst 9500) and the HQ Check Point. VXLAN terminates on the HQ Check Point and based on the SGTs the site's devices are allowed to access the HQ LAN.
I do not know if this is even possible.
What is the specific objective of your customer?
My customer is looking to deploy a greenfield site using all the fancy SDA possibilities provided by the Cisco SDA solution and the network(s) will be routed through the Check Point R81.20 SG to the WAN.
Very simple network:
Rest of the World --- WAN -- CKP SG -- DMZ -- SDA network
So all the SDA elements are behind the DMZ interface and the only other interface in use is a Management interface (at this time). The future plan is to run this in ClusterXL mode.
I think maybe a simple network diagram with objectives would help us, for sure.
Andy