CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Check point DLP Deployment

  1. #1 (Join Date 2012-08-27, Posts 4)

    Check point DLP Deployment

    Hi,

    I am planning to deploy DLP in our network in cluster mode. We have Nokia running in Cluster Active-Passive mode with VRRP enabled. It is connected to switches running HSRP. So we want to connect the DLP in between these two devices.
    Whichever mode the DLP is working in, we are not sure about some points which we would like you to clarify:


    1) When the DLP port connected towards the switch goes down, the port connected towards the Nokia IP690 is still up, hence the Nokia will not do failover unless its port is physically down, and the passive firewall doesn't entertain network traffic. (We have tested this scenario with a single Nokia box (Switch->DLP->Nokia). When the cable connecting the DLP and the switch was removed, the interface connecting to the Nokia was still up. In our environment the Nokia will not fail over as the interface is in UP status.)

    2) The Nokia has other segments as well. If any other interface of the Nokia goes down it will fail over itself. Hence the traffic will start flowing through the passive (now active) firewall. How will the DLP behave in this situation?


    Our main query is in which mode we should connect the two DLP appliances (Active-Passive, Active-Active, or Standalone) to fulfill our requirement without hindering the network traffic flow.

  2. #2 (Join Date 2007-06-04, Posts 3,303)

    Re: Check point DLP Deployment

    As you are running a VRRP pair for the Nokias, I am going on the basis that there is a layer 2 connection between the two device locations or they are at the same location.

    The way that I would look at doing this is:


    Nokia              Nokia
      |                  |
      |                  |
    Switch ------------ Switch
      |                  |
      |                  |
     DLP                DLP
      |                  |
      |                  |
    Switch ------------- Switch

    Where it says switch between the Nokia and DLP, that can either be a switch or a VLAN on switches. This way the VRRP between the two Nokias is unaffected by the DLP side and they can always see each other unless there is a break in the connection between the Nokia and the switch/VLAN that connects them to the DLP.

  3. #3 (Join Date 2012-08-27, Posts 4)

    Re: Check point DLP Deployment

    Hi,

    Thanks for your reply.

    Please refer to the diagram below, which we are trying to configure in our test lab before going into production. This is how we have built the test lab. All the devices are running in HA.

    Please note the traffic is flowing through Sw1-->DLP1-->Nokia1-->

    Nokia1 -------- Nokia2
      |               |
      |               |
    DLP1 ----------- DLP2
      |               |
      |               |
    Switch1(L3) --- Switch2(L3)

    My query is as below.

    1) If the connectivity between Sw1 and DLP1 goes down, then the traffic will be directed from Sw2 to DLP2. But then how will the Nokia firewall fail over, as the connectivity between DLP1 and Nokia1 is still up?

    2) As per the current scenario, after failure of the link between Sw1 and DLP1, the traffic will flow from DLP2 to Nokia2. But as per my knowledge Nokia1 is still in active state, so traffic coming towards Nokia2 will be ignored.


    Can you please advise us on the above query.


    Thanks & Regards,
    Rohit M. Vaidya

  4. #4 (Join Date 2007-06-04, Posts 3,303)

    Re: Check point DLP Deployment

    Your diagram is how I believed you were connecting up. I believe that the DLP to DLP link is just a sync link, with VRRP updates passing through from Nokia1 to DLP1 to Switch1 to Switch2 to DLP2 to Nokia2.

    As you have correctly determined, when the interfaces on the Nokia drop, the firewalls will fail over, as the VRRP priority is configured in Monitored Circuit mode, so that will affect the VRRP priority given out in the VRRP updates.

    This is why, when the other interfaces drop, the failover occurs: Nokia2 then gets the higher VRRP priority and so Nokia1 recognises that Nokia2 should be Master.

    If the interfaces on Nokia1 and Nokia2 are all active then the VRRP priorities are not changed, so you get no failover.

    If the cable between the switch and the DLP fails, then the VRRP updates on the Nokia - DLP interfaces will not be received at the other Nokia, making Nokia1 and Nokia2 both active for that interface. Other interfaces will still see the VRRP updates, and as the Monitored Circuit configuration will not adjust the VRRP priority, the other interfaces will see Nokia1 as being the active box and Nokia2 as backup.

    What you would see then is the following:

    Traffic leaves Switch2 and is then forwarded via DLP2, arriving at Nokia2, which will be active for that interface (it cannot see Nokia1 on that interface, so it will be active on that interface). Nokia2 will then forward the traffic on. The response, however, will come back to Nokia1, as that is the active unit for the interfaces facing the other connected networks. It will then try to forward the reply, which will fail as the DLP1 to Switch1 link is down and so the connection to the network is not available, so service is affected.

    You won't get a VRRP failover to occur unless the VRRP priorities of Nokia1 and Nokia2 agree that Nokia2 should become active. For this, either an interface on the Nokia needs to drop and the Monitored Circuit adjusts the priority accordingly, or the firewall monitor causes the failover. By dropping a cable not directly connected to the Nokia, neither of these conditions is met, so you won't get a failover.

    Hence why I suggested having the connection via a switch, so that if the DLP to switch link goes down then the Nokia isn't affected. OK, you will get Switch2 to DLP2 to Nokia1, but that traffic flow is better than having no traffic available at all. Using Link Aggregation between the two switches solves the issue of the switch to switch connection being lost.

    On your topology, I cannot see how you can affect a VRRP transition on the Nokias by removing a cable between the DLP and switch, no matter which mode the DLP is configured in.
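To make the failover logic in reply #4 concrete, here is an added Python model of VRRP master election with a Monitored Circuit style priority penalty. It is example code written for this page, not Check Point or IPSO code and not from either poster. Everything in it is constructed: the base priorities (100 for Nokia1, 95 for Nokia2), a delta of 10 per monitored interface, two VRRP segments named dlp_side and inside, and a per-segment flag saying whether advertisements can cross the layer 2 path between the two firewalls. The scenarios reproduce the three cases the reply walks through: a monitored interface dropping (clean failover), the DLP1-Switch1 cable pulled in the poster's lab topology (no priority change, split Master state on the DLP-facing segment only), and the same cable pulled in the suggested switch-in-between design (no change at all).

```python
from dataclasses import dataclass


@dataclass
class Firewall:
    """One member of the VRRP pair (constructed toy model, not IPSO code)."""
    name: str
    base_priority: int
    links: dict      # interface name -> True while the physical link is up
    monitored: dict  # interface name -> priority delta subtracted while it is down

    def effective_priority(self) -> int:
        # Monitored Circuit: one shared priority for every VRID on the box; each
        # monitored interface that is down subtracts its delta from the base.
        penalty = sum(delta for ifc, delta in self.monitored.items()
                      if not self.links[ifc])
        return self.base_priority - penalty


def elect_masters(fw_a, fw_b, segments, adverts_reach):
    """Return {segment: set of Master names} after election on each segment.

    adverts_reach[segment] is True when VRRP advertisements can cross the L2
    path between the two firewalls on that segment.  A firewall whose own link
    on a segment is down cannot be Master there.  Ties are broken in favour
    of fw_a (real VRRP uses the highest primary IP address; simplified here).
    """
    masters = {}
    for seg in segments:
        candidates = [fw for fw in (fw_a, fw_b) if fw.links[seg]]
        if not adverts_reach[seg]:
            # Nobody hears the other side, so every candidate declares itself
            # Master: the "both active on that interface" state from the reply.
            masters[seg] = {fw.name for fw in candidates}
            continue
        if not candidates:
            masters[seg] = set()
            continue
        best = max(fw.effective_priority() for fw in candidates)
        winners = [fw for fw in candidates if fw.effective_priority() == best]
        masters[seg] = {winners[0].name}
    return masters


def split_segments(masters):
    """Segments on which more than one firewall believes it is Master."""
    return sorted(seg for seg, names in masters.items() if len(names) > 1)


SEGMENTS = ["dlp_side", "inside"]  # constructed names: DLP-facing and one other segment


def build_pair():
    # Constructed priorities: Nokia1 is the preferred Master; 10 per monitored link.
    n1 = Firewall("Nokia1", 100, {"dlp_side": True, "inside": True},
                  {"dlp_side": 10, "inside": 10})
    n2 = Firewall("Nokia2", 95, {"dlp_side": True, "inside": True},
                  {"dlp_side": 10, "inside": 10})
    return n1, n2


def scenario_all_up():
    n1, n2 = build_pair()
    return elect_masters(n1, n2, SEGMENTS, {"dlp_side": True, "inside": True})


def scenario_nokia1_inside_link_down():
    # A monitored interface on Nokia1 drops: its shared priority falls to 90,
    # below Nokia2's 95, so Nokia2 takes over every VRID (a clean failover).
    n1, n2 = build_pair()
    n1.links["inside"] = False
    return elect_masters(n1, n2, SEGMENTS, {"dlp_side": True, "inside": True})


def scenario_dlp1_cable_pulled_original_topology():
    # Poster's lab (DLP-to-DLP link assumed to be sync only): the advert path
    # on the DLP side runs Nokia1-DLP1-Switch1-Switch2-DLP2-Nokia2, so pulling
    # DLP1-Switch1 stops adverts on that segment while both Nokia links stay up.
    n1, n2 = build_pair()
    return elect_masters(n1, n2, SEGMENTS, {"dlp_side": False, "inside": True})


def scenario_dlp1_cable_pulled_recommended_topology():
    # Suggested design: a switch/VLAN between each Nokia and its DLP, trunked
    # across, keeps the advert path intact, so Nokia1 simply stays Master.
    n1, n2 = build_pair()
    return elect_masters(n1, n2, SEGMENTS, {"dlp_side": True, "inside": True})


if __name__ == "__main__":
    for scenario in (scenario_all_up, scenario_nokia1_inside_link_down,
                     scenario_dlp1_cable_pulled_original_topology,
                     scenario_dlp1_cable_pulled_recommended_topology):
        result = scenario()
        print(f"{scenario.__name__}: {result}  split on {split_segments(result)}")
```

Running the module prints one line per scenario; the cable-pulled case in the lab topology is the only one where split_segments reports a segment, which is the asymmetric forward-via-Nokia2, reply-via-Nokia1 path the reply describes. Any check of a design like this should look for a link whose loss changes reachability between the VRRP peers without touching a monitored interface, since that is the gap the Monitored Circuit priority cannot see.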
