CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: "External" addresses should be considered internal

  1. #1
    Join Date
    2015-10-12
    Posts
    2
    Rep Power
    0

    "External" addresses should be considered internal

    Ok I'm not quite getting this topology thing. Perhaps I didn't phrase my issue right, but I hope you get what I mean anyway.

    We have 2 sites, both with a standalone 4200 appliance with Gaia 77.30 installed. These sites are connected through an EVPN (MPLS) setup.
    Consider the following example:

    [Attached image: 2GY3DZW.jpg]

    The interfaces on both appliances that lead to the 172.16.1.0/24 network are set to 'Internal' in both topologies, because, in my opinion, they shouldn't be considered external. Now, when I have traffic traveling from one of the internal networks on site A to an internal network on site B (192.168.1.1 to 10.0.1.1) or vice versa, the appliance considers this traffic to be from an external source, so it is processed by my IPS and Application/URL filtering blades. I don't want that.

    I want my appliance on site A to realize that data coming from 10.0.1.1 is internal traffic, and the same goes for site B receiving traffic from 192.168.1.1.

    How do I configure this?

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    537
    Rep Power
    4

    Re: "External" addresses should be considered internal

    Did you try using Network Exceptions on the IPS blade menu?

  3. #3
    Join Date
    2015-10-12
    Posts
    2
    Rep Power
    0

    Re: "External" addresses should be considered internal

    Originally posted by laf_c:
        Did you try using Network Exceptions on the IPS blade menu?

    I did not, because it's not just the IPS blade that's involved when traffic is considered internal <> external. For example, I have SIP traffic between the 2 sites and it's being processed by the Application/URL filtering blade, which I don't want.

    I've failed to mention that the networks of site B are added to the interface group on the external interface on site A, and vice versa.

    [Attached image: EXilbyg.png]

    But I'm still seeing traffic coming from site A going to site B being processed by the Application/URL filtering blade.

    [Attached image: xEheu3e.png]
