CPUG: The Check Point User Group


Thread: R80 zones

  1. #1
    Join Date
    2006-11-21
    Posts
    2
    Rep Power
    0

    Default R80 zones

    Hi!

    Any information on whether zones will be supported on pre-R80 gateways?
    Logs already show some zone information, for example on R77.

    --Arzka

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,019
    Rep Power
    12

    Default Re: R80 zones

    Quote Originally Posted by Arzka
    Hi!

    Any information on whether zones will be supported on pre-R80 gateways?
    Logs already show some zone information, for example on R77.

    --Arzka
    Based on what I've seen, I'm pretty sure the answer to this is no. Strangely enough, embedded Gaia (600/1100 series) supports the use of security zones pre-R80 but regular Gaia does not.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  3. #3
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,327
    Rep Power
    15

    Default R80 zones

    A lot of the newer policy constructs in R80 management will require R80 gateway.
    SMB devices, in their various forms, have supported this concept for a while.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  4. #4
    Join Date
    2006-11-21
    Posts
    2
    Rep Power
    0

    Default Re: R80 zones

    Quote Originally Posted by ShadowPeak.com
    Based on what I've seen, I'm pretty sure the answer to this is no. Strangely enough, embedded Gaia (600/1100 series) supports the use of security zones pre-R80 but regular Gaia does not.
    For example, the R77.30 gateway log information field shows:
    inzone: Local
    outzone: External
    service_id: https

    So in some way it is zone-aware already... but who knows...

    objects.C has a place for zone information on interfaces:
    :security_zone ()


    --Arzka

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,019
    Rep Power
    12

    Default Re: R80 zones

    Quote Originally Posted by Arzka
    For example, the R77.30 gateway log information field shows:
    inzone: Local
    outzone: External
    service_id: https

    So in some way it is zone-aware already... but who knows...

    objects.C has a place for zone information on interfaces:
    :security_zone ()


    --Arzka
    Right, but a Security Zone cannot be directly assigned to a non-embedded Gaia firewall's interface in the Dashboard and subsequently referenced in a policy for enforcement. The Zone is inferred from the firewall's antispoofing topology.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,321
    Rep Power
    8

    Default Re: R80 zones

    Quote Originally Posted by ShadowPeak.com
    Right, but a Security Zone cannot be directly assigned to a non-embedded Gaia firewall's interface in the Dashboard and subsequently referenced in a policy for enforcement. The Zone is inferred from the firewall's antispoofing topology.
    Gaia Embedded can also use DNS masquerading, which is super helpful for VPNs. Just edit the network object and check "make this resolvable via DNS" or whatever that option is called. Then make the name of the object the FQDN.

  7. #7
    Join Date
    2005-12-13
    Posts
    10
    Rep Power
    0

    Default Re: R80 zones

    Zones are promised for R80.10 and are already included in the EA of R80.10.

  8. #8
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    959
    Rep Power
    12

    Default Re: R80 zones

    Looking at the R80.10 EA, you can create new Security Zones, but they are still absolutely to any GW below R80. In the latter, however, you can attach interfaces to your zones, and then it is quite interesting.

    Attached thumbnails: Screen Shot 2017-03-09 at 10.11.37.jpg, Screen Shot 2017-03-09 at 10.06.30.jpg
    Last edited by varera; 2017-03-09 at 05:13.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  9. #9
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    985
    Rep Power
    12

    Default Re: R80 zones

    I am still on the EA from December/January; in that one it wasn't possible to use zones in the NAT policy. Is that still the case in the newer builds?

  10. #10
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,019
    Rep Power
    12

    Default Re: R80 zones

    Quote Originally Posted by abusharif
    I am still on the EA from December/January; in that one it wasn't possible to use zones in the NAT policy. Is that still the case in the newer builds?
    Still not supported in the R80.10 EA code drop earlier this week, and it probably won't happen in R80.10. NAT Security Zones would have made conversion of NAT policies from zone-based firewalls and Cisco (with their "interface pair" NAT approach) a piece of cake. Not sure why this limitation exists, but I'd speculate that trying to retrofit Security Zone support into the NAT code, which hasn't really needed to change much since the '90s, would not be a minor undertaking.

    There are additional, uh, "tools" in regards to other firewall vendor(s) in R80.10 but support for zones in NAT policies sure would have helped anyway.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  11. #11
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    985
    Rep Power
    12

    Default Re: R80 zones

    Quote Originally Posted by ShadowPeak.com
    Still not supported in the R80.10 EA code drop earlier this week, and it probably won't happen in R80.10. NAT Security Zones would have made conversion of NAT policies from zone-based firewalls and Cisco (with their "interface pair" NAT approach) a piece of cake. Not sure why this limitation exists, but I'd speculate that trying to retrofit Security Zone support into the NAT code, which hasn't really needed to change much since the '90s, would not be a minor undertaking.

    There are additional, uh, "tools" in regards to other firewall vendor(s) in R80.10 but support for zones in NAT policies sure would have helped anyway.
    Ah, that's a shame, but hey, compared to previous versions, what they have done up till now is a huge step in the right direction.

    Thanks for confirming this.

    PS. Also, if I recall correctly, dynamic objects (the new FQDN stuff) can't be used in the NAT policy either.

  12. #12
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,327
    Rep Power
    15

    Default Re: R80 zones

    Quote Originally Posted by abusharif
    Also, if I recall correctly, dynamic objects (the new FQDN stuff) can't be used in the NAT policy either.
    That is correct.
    For kicks I tried adding the new FQDN object type into the NAT rulebase and policy install kicked back an error.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  13. #13
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    959
    Rep Power
    12

    Default Re: R80 zones

    Quote Originally Posted by PhoneBoy
    That is correct.
    For kicks I tried adding the new FQDN object type into the NAT rulebase and policy install kicked back an error.
    Not only that. Try using a .www.google.com object and see what happens. It is never matched. There is some kind of issue with FQDN, starting from the fact that they should not have a dot at the beginning. Some of the tested objects work, others fail miserably. Any FQDN made for an SSL-enabled site does not work, with or without HTTPS inspection.

    I have big concerns about FQDN in R80.10.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
