CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: VLAN no CheckPoint NGX 65

  1. #1

    VLAN no CheckPoint NGX 65

    Friends,

    I have an NGX 65 and would like to enable VLAN support. I did it via the web console (and afterwards tested via the command line) and I cannot reach the VLAN's network. Do I need SecurePlatform PRO for this??

    Regards,
    Renato.

  2. #2

    Re: VLAN no CheckPoint NGX 65

    I don't speak Spanish, but from translate.google.com, you are wanting to have VLANs go into SPLAT. Why would you want to do this? Each interface should plug into a single VLAN. Or maybe I'm missing something...

  3. #3

    Re: VLAN no CheckPoint NGX 65

    VLANs can be added via the sysconfig utility, I believe.

    The point being that the physical port is divided between logical interfaces.

    -Pierre

  4. #4

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by plamy:
        VLANs can be added via the sysconfig utility, I believe.

        The point being that the physical port is divided between logical interfaces.

        -Pierre
    I fully understand VLANs, and in this case it would be trunking right up to the firewall. I guess Firewall-1 uses the IPs to filter, not the physical NICs themselves.

    I would still be worried about this, as now both VLANs are obviously on the same internal switch behind the firewall. If that is no concern, then why VLAN it anyway? Just route it at that point. For example, would you trunk both your internal and DMZ interfaces right up to the firewall?

  5. #5

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by belvdr:
        I fully understand VLANs, and in this case it would be trunking right up to the firewall. I guess Firewall-1 uses the IPs to filter, not the physical NICs themselves.

        I would still be worried about this, as now both VLANs are obviously on the same internal switch behind the firewall. If that is no concern, then why VLAN it anyway? Just route it at that point. For example, would you trunk both your internal and DMZ interfaces right up to the firewall?
    I have many VLANs on my physical interfaces. This is common practice for purposes of segregation.

    Let me give you a good example: my wireless network resides behind a single interface. (I would post a Visio diagram, but it has my real info in it and I'm too lazy to edit it.)

    3 Subnets on eth0:
    eth0 = 1.1.1.0/24 = Management Net, all wireless infrastructure is in this subnet
    eth0.1 = 1.1.2.0/22 = Trusted wireless VLAN
    eth0.2 = 1.1.7.0/24 = Guest wireless VLAN

    Both firewalls are connected to a standalone switch on trunked ports. Traffic for the management IPs is untagged. Traffic for either wireless segment is tagged. The default route for each subnet is the VIP on the gateway for that IP segment.

    The Cisco APs support multiple segments based on 802.1q tagging, so all of those ports connected to the APs (through the previously mentioned standalone switch) are trunked. The switches and APs have IPs for management purposes in VLAN1, which only admins and monitoring servers can get to via firewall rules.

    The trusted segment has firewall rules that allow communication to everything on the wired network as well as the same site2site access.

    The guest network however has a negate rule that lets it get to everything except my encryption domain. I even use an external DNS (4.4.4.2) in my DHCP scope for that segment. No traffic can go from this wireless segment to anything else at my site(s).

    I could go into more detail but I think you should be able to see the purpose now.
    There's no place like 127.0.0.1

  6. #6

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by belvdr:
        I don't speak Spanish, but from translate.google.com, you are wanting to have VLANs go into SPLAT. Why would you want to do this? Each interface should plug into a single VLAN. Or maybe I'm missing something...
    Hi, this isn't Spanish, but Portuguese. ;)

    I need to use VLANs in CheckPoint because my firewall has 12 NICs and I can't plug in any more. I configured 2 VLANs on the CISCO switch and configured these VLANs on the CheckPoint NIC (eth3), but there are some errors.

    On the CISCO switch I saw this log:

    2009 Oct 07 12:09:46 GMT-2 -02:00 %DTP-5-NONTRUNKPORTON:Port 11/18 has become non-trunk
    2009 Oct 07 12:09:46 GMT-2 -02:00 %PAGP-5-PORTFROMSTP:Port 11/18 left bridge port 11/18
    2009 Oct 07 12:09:55 GMT-2 -02:00 %DTP-5-TRUNKPORTON:Port 11/18 has become dot1q trunk
    2009 Oct 07 12:10:10 GMT-2 -02:00 %PAGP-5-PORTTOSTP:Port 11/18 joined bridge port 11/18

    Looks like the firewall sometimes uses the trunk and then "loses" the trunk....

    Does someone have an idea about this strange error??

    Regards,
    Renato.
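As an added illustration, not code from the thread, here is a small Python detector over the %DTP-5 messages quoted above: it pairs each "has become non-trunk" with the following "has become dot1q trunk" on the same port and reports ports whose trunk keeps being renegotiated, the symptom of a trunk configuration that does not match on both ends. The last two log lines in the sample are constructed; the first four are the ones posted.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines quoted in the thread plus two constructed
# lines a few minutes later, so a repeated flap on the same port is visible.
SAMPLE_LOG = """\
2009 Oct 07 12:09:46 GMT-2 -02:00 %DTP-5-NONTRUNKPORTON:Port 11/18 has become non-trunk
2009 Oct 07 12:09:46 GMT-2 -02:00 %PAGP-5-PORTFROMSTP:Port 11/18 left bridge port 11/18
2009 Oct 07 12:09:55 GMT-2 -02:00 %DTP-5-TRUNKPORTON:Port 11/18 has become dot1q trunk
2009 Oct 07 12:10:10 GMT-2 -02:00 %PAGP-5-PORTTOSTP:Port 11/18 joined bridge port 11/18
2009 Oct 07 12:14:02 GMT-2 -02:00 %DTP-5-NONTRUNKPORTON:Port 11/18 has become non-trunk
2009 Oct 07 12:14:11 GMT-2 -02:00 %DTP-5-TRUNKPORTON:Port 11/18 has become dot1q trunk
"""

# Only DTP trunk-state messages matter; the PAGP/STP lines that follow them are
# just the port leaving and rejoining the bridge as a consequence.
DTP_RE = re.compile(
    r"^\d{4} \w{3} \d{2} (?P<time>\d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"%DTP-5-(?P<event>NONTRUNKPORTON|TRUNKPORTON):Port (?P<port>\S+) ")

def parse_dtp_events(log_text):
    """Return [(seconds_since_midnight, port, event)] for each DTP line."""
    events = []
    for m in filter(None, map(DTP_RE.match, log_text.splitlines())):
        h, mi, s = (int(x) for x in m.group("time").split(":"))
        events.append((h * 3600 + mi * 60 + s, m.group("port"), m.group("event")))
    return events

def find_trunk_flaps(log_text, window_s=60):
    """Pair each NONTRUNKPORTON with the next TRUNKPORTON on the same port within
    window_s seconds. Returns {port: [(down_time, up_time, gap_seconds), ...]}."""
    flaps, pending = defaultdict(list), {}  # pending: port -> time trunk dropped
    for t, port, event in parse_dtp_events(log_text):
        if event == "NONTRUNKPORTON":
            pending[port] = t
        elif port in pending:
            down = pending.pop(port)
            if t - down <= window_s:
                flaps[port].append((down, t, t - down))
    return dict(flaps)

def flap_report(log_text, window_s=60):
    """One line per flapping port, suitable for a ticket or dashboard."""
    report = []
    for port, flaps in sorted(find_trunk_flaps(log_text, window_s).items()):
        gaps = ", ".join(f"{gap}s" for _, _, gap in flaps)
        report.append(f"Port {port}: trunk dropped and renegotiated {len(flaps)} time(s) "
                      f"(gaps {gaps}); compare mode, encapsulation and native VLAN on both ends")
    return report
```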

  7. #7

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by plamy:
        VLANs can be added via the sysconfig utility, I believe.

        The point being that the physical port is divided between logical interfaces.

        -Pierre
    Yes, you can use sysconfig for this configuration, but you can use the web GUI for this too...

    [ ]´s
    Renato.

  8. #8

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by lammbo:
        I could go into more detail but I think you should be able to see the purpose now.
    I understand what you are saying, but isn't VLAN hopping a concern? Would you also do the same for your internal network and DMZ? Maybe I'm just a bit too concerned that something will go wrong. I'm just not that trusting of VLANs in terms of security.

    Quote Originally Posted by renato_rj:
        Hi, this isn't Spanish, but Portuguese. ;)
    My apologies...

    Quote Originally Posted by renato_rj:
        I need to use VLANs in CheckPoint because my firewall has 12 NICs and I can't plug in any more. I configured 2 VLANs on the CISCO switch and configured these VLANs on the CheckPoint NIC (eth3), but there are some errors.

        On the CISCO switch I saw this log:

        2009 Oct 07 12:09:46 GMT-2 -02:00 %DTP-5-NONTRUNKPORTON:Port 11/18 has become non-trunk
        2009 Oct 07 12:09:46 GMT-2 -02:00 %PAGP-5-PORTFROMSTP:Port 11/18 left bridge port 11/18
        2009 Oct 07 12:09:55 GMT-2 -02:00 %DTP-5-TRUNKPORTON:Port 11/18 has become dot1q trunk
        2009 Oct 07 12:10:10 GMT-2 -02:00 %PAGP-5-PORTTOSTP:Port 11/18 joined bridge port 11/18

        Looks like the firewall sometimes uses the trunk and then "loses" the trunk....

        Does someone have an idea about this strange error??

        Regards,
        Renato.
    Have you forced the port into trunk mode:

    Code:
    switchport mode trunk
    switchport trunk encaps dot1q
    switchport trunk allowed vlans <vlan1>,<vlan2>,<vlan3>,etc

  9. #9

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by belvdr:
        My apologies...
    Hi,

    Don't worry, this confusion between Portuguese and Spanish is very normal... ;)

    Quote Originally Posted by belvdr:
        Code:
        switchport mode trunk
        switchport trunk encaps dot1q
        switchport trunk allowed vlans <vlan1>,<vlan2>,<vlan3>,etc
    Yes, I did it... :(

    Thanks,
    Renato.
    Last edited by renato_rj; 2009-10-07 at 10:53.

  10. #10

    Re: VLAN no CheckPoint NGX 65

    Did you also disable spanning-tree (i.e. spanning-tree portfast)?

  11. #11

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by belvdr:
        I understand what you are saying but isn't VLAN hopping a concern?
    Slightly, but when you're out of interfaces and have to do subs, what else can you do?

    Quote Originally Posted by belvdr:
        Would you also do the same for your internal network and DMZ?
    No, DMZs and internal nets are on different physical ports. DMZs allow inbound traffic and internals do not. So IF someone hacks, they hack into another DMZ. Plus, my switches are on an entirely different subnet; this makes it very much harder.

    Quote Originally Posted by belvdr:
        Maybe I'm just a bit too concerned that something will go wrong.
    Yes

    Quote Originally Posted by belvdr:
        I'm just not that trusting of VLANs in terms of security.
    At some point, like when you run out of physical interfaces, you have to. So you reduce the risk by writing good rules to restrict access (which you should be doing anyway) and grouping DMZs and the like together on the same interface.

    I do this at sites that have passed PCI certification. Even as big of a pain as PCI cert is to get, even their auditors see it as mitigated risk when it's properly planned and restricted.
    There's no place like 127.0.0.1

  12. #12

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by belvdr:
        Did you also disable spanning-tree (i.e. spanning-tree portfast)?
    No, I didn't disable it...
    Last edited by renato_rj; 2009-10-07 at 13:19.

  13. #13

    Re: VLAN no CheckPoint NGX 65

    Disable spanning tree. The firewall is not a switch (it's a router) so STP is not useful here.

  14. #14

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by belvdr:
        Disable spanning tree. The firewall is not a switch (it's a router) so STP is not useful here.
    But doesn't the firewall need the VLAN TAG (transported by STP)?

    [ ]´s
    Renato.

  15. #15

    Re: VLAN no CheckPoint NGX 65

    STP is only needed between switches so as not to create a loop in one broadcast domain. A router splits broadcast domains.

    Also, you can tag VLANs without using STP. STP's sole responsibility is to prevent loops.

    Someone please correct me if I'm wrong here.

  16. #16

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by belvdr:
        Disable spanning tree. The firewall is not a switch (it's a router) so STP is not useful here.
    I disabled STP, but the problem continues...

    :(

  17. #17

    Re: VLAN no CheckPoint NGX 65

    Are you getting the same (or any) errors in the switch log now?

  18. #18

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by belvdr:
        Are you getting the same (or any) errors in the switch log now?
    Yes, the same errors...

  19. #19

    Re: VLAN no CheckPoint NGX 65

    Quote Originally Posted by renato_rj:
        Yes, the same errors...
    Do you have IPs only on the VLAN subinterfaces? You should not have an IP on the physical interface (eth0).

  20. #20

    Re: VLAN no CheckPoint NGX 65

    Hi all,

    Just dropping by..

    One thing no one asked was: are you sure your trunking configuration matches on each side?

    To go a little further, belvdr is right about the VLAN hopping risk if you use a non-tagged "default" VLAN in your trunk. Therefore, the best practice is to give each VLAN a specific ID that you'll ALWAYS tag in each trunk it goes through. The errors you show typically come from non-matching trunk configurations.

    Anyway, the best way for us to help you is for you to post the 802.1Q-related configuration you use on each side. Of course, for security purposes, if public IPs are used, please do not mention them.

    Cheers.

    Tom

    PS: For those who are interested in assessing the real risk of VLAN hopping and other switch-based tricks, I recommend reading the following book:

    LAN Switch Security: What Hackers Know About Your Switches
