Friends,
I have an NGX 65 and would like to enable VLAN support. I did this via the web console (and then tested it via the command line), but I can't reach the VLAN's network. Do I need SecurePlatform PRO for that??
Regards,
Renato.
CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
I don't speak Spanish, but from translate.google.com, you are wanting to have VLANs go into SPLAT. Why would you want to do this? Each interface should plug into a single VLAN. Or maybe I'm missing something...
VLANs can be added via the sysconfig utility, I believe.
The point being that the physical port is divided between logical interfaces.
-Pierre
I fully understand VLANs, and in this case it would be trunking right up to the firewall. I guess Firewall-1 uses the IPs to filter, not the physical NICs themselves.
I would still be worried about this, as now both VLANs are obviously on the same internal switch behind the firewall. If that is no concern, then why VLAN it anyway? Just route it at that point. For example, would you trunk both your internal and DMZ interfaces right up to the firewall?
I have many vlans in my physical interfaces. This is common practice for purposes of segregation.
Let me give you a good example: My wireless network resides behind a single interface. (I would post a visio but it has my real info in it and I'm too lazy to edit it)
3 Subnets on eth0:
eth0 = 1.1.1.0/24 = Management Net, all wireless infrastructure is in this subnet
eth0.1 = 1.1.2.0/22 = Trusted wireless VLAN
eth0.2 = 1.1.7.0/24 = Guest wireless VLAN
Both firewalls are connected to a standalone switch on trunked ports. Traffic for the management IPs is untagged. Traffic for either wireless segment is tagged. The default route for each subnet is the VIP on the gateway for that IP segment.
The Cisco APs support multiple segments based on 802.1q tagging, so all of those ports connected to the APs (through the previously mentioned standalone switch) are trunked. The switches and APs have IPs for management purposes in VLAN1, which only admins and monitoring servers can get to via firewall rules.
The trusted segment has firewall rules that allow communication to everything on the wired network as well as the same site2site access.
The guest network however has a negate rule that lets it get to everything except my encryption domain. I even use an external DNS (4.4.4.2) in my DHCP scope for that segment. No traffic can go from this wireless segment to anything else at my site(s).
I could go into more detail but I think you should be able to see the purpose now.
There's no place like 127.0.0.1
Hi, this isn't Spanish, but Portuguese. ;)
I need to use VLANs in Check Point because my firewall has 12 NICs and I can't plug in any more. I configured 2 VLANs on the Cisco switch and configured these VLANs on the Check Point NIC (eth3), but there are some errors.
On the Cisco switch I saw this log:
2009 Oct 07 12:09:46 GMT-2 -02:00 %DTP-5-NONTRUNKPORTON:Port 11/18 has become non-trunk
2009 Oct 07 12:09:46 GMT-2 -02:00 %PAGP-5-PORTFROMSTP:Port 11/18 left bridge port 11/18
2009 Oct 07 12:09:55 GMT-2 -02:00 %DTP-5-TRUNKPORTON:Port 11/18 has become dot1q trunk
2009 Oct 07 12:10:10 GMT-2 -02:00 %PAGP-5-PORTTOSTP:Port 11/18 joined bridge port 11/18
Looks like the firewall sometimes uses the trunk and "loses" the trunk....
Does anyone have an idea about this strange error??
Regards,
Renato.
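The %DTP-5-NONTRUNKPORTON / %DTP-5-TRUNKPORTON pair in Renato's log is the signature of a port renegotiating its trunk state. As an added example (not posted in the thread), here is a small Python check that scans Catalyst syslog for those two messages and flags ports whose trunk state flips repeatedly within a time window; the sample lines are constructed from the ones quoted above, with one extra flap and a second port (11/20) added for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the Catalyst messages quoted in the thread.
SAMPLE_LOG = """\
2009 Oct 07 12:09:46 GMT-2 -02:00 %DTP-5-NONTRUNKPORTON:Port 11/18 has become non-trunk
2009 Oct 07 12:09:46 GMT-2 -02:00 %PAGP-5-PORTFROMSTP:Port 11/18 left bridge port 11/18
2009 Oct 07 12:09:55 GMT-2 -02:00 %DTP-5-TRUNKPORTON:Port 11/18 has become dot1q trunk
2009 Oct 07 12:10:10 GMT-2 -02:00 %PAGP-5-PORTTOSTP:Port 11/18 joined bridge port 11/18
2009 Oct 07 12:14:02 GMT-2 -02:00 %DTP-5-NONTRUNKPORTON:Port 11/18 has become non-trunk
2009 Oct 07 12:14:11 GMT-2 -02:00 %DTP-5-TRUNKPORTON:Port 11/18 has become dot1q trunk
2009 Oct 07 12:30:00 GMT-2 -02:00 %DTP-5-TRUNKPORTON:Port 11/20 has become dot1q trunk
"""

# Timestamp, then the two timezone tokens, then only the DTP trunk-state mnemonics.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"%(?P<mnemonic>DTP-5-(?:NON)?TRUNKPORTON):Port (?P<port>\S+) "
)

def parse_dtp_events(log_text):
    """Return (timestamp, port, state) for each DTP trunk-state line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
        state = "trunk" if m.group("mnemonic") == "DTP-5-TRUNKPORTON" else "non-trunk"
        events.append((ts, m.group("port"), state))
    return events

def find_flapping_ports(log_text, window=timedelta(minutes=10), min_changes=3):
    """Map port -> number of trunk-state changes when at least min_changes fall inside one window."""
    by_port = defaultdict(list)
    for ts, port, state in parse_dtp_events(log_text):
        by_port[port].append((ts, state))
    flapping = {}
    for port, changes in by_port.items():
        changes.sort()
        # Consecutive identical states are a repeated message, not a state change.
        times = [ts for i, (ts, st) in enumerate(changes) if i == 0 or st != changes[i - 1][1]]
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_changes:
                flapping[port] = j - i + 1
                break
    return flapping
```

On the sample log this reports port 11/18 with four state changes in under five minutes, while the single trunk-up message on 11/20 is ignored.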
I understand what you are saying but isn't VLAN hopping a concern? Would you also do the same for your internal network and DMZ? Maybe I'm just a bit too concerned that something will go wrong. I'm just not that trusting of VLANs in terms of security.
My apologies...
Have you forced the port into trunk mode:
Code:
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan <vlan1>,<vlan2>,<vlan3>,etc
Did you also disable spanning-tree (i.e. spanning-tree portfast)?
Slightly, but when you're out of interfaces and have to do subs, what else can you do?
No, DMZs and internal nets are on different physical ports. DMZs allow inbound traffic and internals do not. So IF someone hacks, they hack into another DMZ. Plus, my switches are on an entirely different subnet; this makes it very much harder.
Yes
At some point, like when you run out of physical interfaces, you have to. So you reduce the risk by writing good rules to restrict access (which you should be doing anyway) and grouping DMZs and the like together on the same interface.
I do this at sites that have passed PCI certification. Even as big of a pain as PCI cert is to get, even their auditors see it as mitigated risk when it's properly planned and restricted.
There's no place like 127.0.0.1
Disable spanning tree. The firewall is not a switch (it's a router) so STP is not useful here.
STP is only needed between switches so as not to create a loop in one broadcast domain. A router splits broadcast domains.
Also, you can tag VLANs without using STP. STP's sole responsibility is to prevent loops.
Someone please correct me if I'm wrong here.
Are you getting the same (or any) errors in the switch log now?
Hi all,
Just dropping by..
One thing no one asked was: are you sure your trunking configuration matches on each side?
To go a little further, belvdr is right about the VLAN hopping risk if you use a non tagged "default" VLAN in your trunk. Therefore, the best practice is to give each VLAN a specific ID that you'll ALWAYS tag in each trunk it goes through. The errors you show are typically coming from non matching trunk configurations.
Anyway, the best way for us to help you is to post the 802.1Q related configuration you use on each side. Of course, for security purposes, if public IPs are used, please do not mention them.
Cheers.
Tom
PS: For those who are interested in assessing the real risk of VLAN hopping and other switch-based tricks, I recommend reading the following book:
LAN Switch Security: What Hackers Know About Your Switches