CPUG: The Check Point User Group

Thread: FW rules within the same subnet

  1. #1 (CP_User00)

    FW rules within the same subnet

    Let’s say we have 2 hosts within the same subnet (10.0.0.1 and 10.0.0.2 under a /24 broadcast).

    Both hosts are connected directly to a Check Point firewall. The Check Point firewall is the default gateway for those 2 hosts. By default, when these 2 hosts talk to each other, are the FW security rules applied?

    If not, is there a way to “force” the 2 hosts to pass through the security rules first? The goal is to completely isolate those 2 hosts, even if they are on the same subnet.

  2. #2 (ShadowPeak.com)

    Re: FW rules within the same subnet

    Quote Originally Posted by CP_User00
    Let’s say we have 2 hosts within the same subnet (10.0.0.1 and 10.0.0.2 under a /24 broadcast).

    Both hosts are connected directly to a Check Point firewall. The Check Point firewall is the default gateway for those 2 hosts. By default, when these 2 hosts talk to each other, are the FW security rules applied?
    In your case, no: the hosts will talk to each other directly (assuming their subnet masks are correct), so the firewall cannot stop them. But traffic that does happen to "hairpin" or "U-turn" an interface of the firewall will have the security policy applied; if using automatic NAT setup for hide NAT, however, a special NAT rule is included that prohibits hide NAT from being applied to traffic hairpinning an interface like this.


    If not, is there a way to “force” the 2 hosts to pass through the security rules first? The goal is to completely isolate those 2 hosts, even if they are on the same subnet.
    The best way to do this is to set up two interfaces of the firewall as a bridge, then ensure the two hosts in question are each located on a separate physical interface that is part of the same bridge group. See sk101371.

    The "hack" way to do it is:

    Assume firewall interface IP is 10.0.0.254/24
    Host 1 IP address/mask 10.0.0.1/24, DG 10.0.0.254, add static route 10.0.0.2/32 -> 10.0.0.254
    Host 2 IP address/mask 10.0.0.2/24, DG 10.0.0.254, add static route 10.0.0.1/32 -> 10.0.0.254

    This will force all traffic between those two hosts through the firewall with policy enforcement being applied. Note that if the users of the hosts have admin rights they can manipulate their local routing table and avoid the isolating effect. With bridge mode mentioned above the host users cannot avoid the firewall when talking to each other, and they won't need the host-based static routes.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  3. #3 (CP_User00)

    Re: FW rules within the same subnet

    Quote Originally Posted by ShadowPeak.com
    In your case, no: the hosts will talk to each other directly (assuming their subnet masks are correct), so the firewall cannot stop them. But traffic that does happen to "hairpin" or "U-turn" an interface of the firewall will have the security policy applied; if using automatic NAT setup for hide NAT, however, a special NAT rule is included that prohibits hide NAT from being applied to traffic hairpinning an interface like this.



    The best way to do this is to set up two interfaces of the firewall as a bridge, then ensure the two hosts in question are each located on a separate physical interface that is part of the same bridge group. See sk101371.

    The "hack" way to do it is:

    Assume firewall interface IP is 10.0.0.254/24
    Host 1 IP address/mask 10.0.0.1/24, DG 10.0.0.254, add static route 10.0.0.2/32 -> 10.0.0.254
    Host 2 IP address/mask 10.0.0.2/24, DG 10.0.0.254, add static route 10.0.0.1/32 -> 10.0.0.254

    This will force all traffic between those two hosts through the firewall with policy enforcement being applied. Note that if the users of the hosts have admin rights they can manipulate their local routing table and avoid the isolating effect. With bridge mode mentioned above the host users cannot avoid the firewall when talking to each other, and they won't need the host-based static routes.
    I'm honestly not crazy about the bridge mode idea, and it might get messy with more hosts added. Would NATing both hosts force the firewall to go through its FW ruleset?

    Otherwise, would creating a subnet for each host also force the FW rules to be applied? Something like 10.0.0.1/30 and 10.0.0.4/30, for example?

    Other firewalls can achieve this by creating a separate "zone" on each of the interfaces the hosts are connected to, so FW rules would be applied, meaning traffic between the 2 hosts can be completely controlled.

    For CP, since the FW is actually doing the routing, and since both hosts would not be able to communicate or do anything else if the FW is down, I am surprised that those same hosts cannot be forced to go through the FW ruleset.

  4. #4

    Re: FW rules within the same subnet

    Quote Originally Posted by CP_User00
    I'm honestly not crazy about the bridge mode idea, and it might get messy with more hosts added. Would NATing both hosts force the firewall to go through its FW ruleset?

    Otherwise, would creating a subnet for each host also force the FW rules to be applied? Something like 10.0.0.1/30 and 10.0.0.4/30, for example?
    Traffic that enters a firewall interface will be inspected, but the IP stack on the host in question needs to send it there first. Yes, setting up two different /30 subnets as you mentioned above would work, as the host would realize the other host is not directly reachable and send it to the MAC address of the firewall default gateway. The firewall does not directly control that decision made by the IP stack on the host.


    Other firewalls can achieve this by creating a separate "zone" on each of the interfaces the hosts are connected to, so FW rules would be applied, meaning traffic between the 2 hosts can be completely controlled.

    For CP, since the FW is actually doing the routing, and since both hosts would not be able to communicate or do anything else if the FW is down, I am surprised that those same hosts cannot be forced to go through the FW ruleset.
    The hosts' IP address and mask configuration can force the traffic through the firewall, or bridge mode can make it a physical requirement to pass through the firewall to get anywhere else. There are some other tricks one can play with proxy ARP and such but those are your two choices.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
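As an added illustration (not code from the original posts) of the point made in posts #2 and #4, that the choice between sending a frame straight to the peer or to the gateway is made by the host's own routing table and not by the firewall, the following Python resolver runs a longest-prefix match over the three host configurations discussed above: the plain /24, the /32 host-route "hack", and one /30 per host. The firewall address 10.0.0.254 is taken from post #2; the per-/30 firewall addresses 10.0.0.2 and 10.0.0.6 are assumed for the example, since a host on a /30 needs a gateway inside its own prefix. All host tables are constructed inline.

```python
"""
Longest-prefix-match next-hop resolver. Added here to illustrate the point
made in the thread: whether traffic between two hosts on one /24 ever reaches
the firewall is decided by each host's own routing table, not by the firewall.
All addresses and host configurations below are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, next hop); a next hop of None means the prefix is on-link (direct ARP).
Route = Tuple[ipaddress.IPv4Network, Optional[str]]

FW_IP = "10.0.0.254"  # firewall address on the shared /24, as in post #2


def host_routes(ip_with_mask: str, gateway: str,
                static: Optional[List[Route]] = None) -> List[Route]:
    """Routing table a typical IP stack derives from an interface address plus
    a default gateway, followed by any static routes the admin adds."""
    iface = ipaddress.ip_interface(ip_with_mask)
    table: List[Route] = [
        (iface.network, None),                         # connected route
        (ipaddress.ip_network("0.0.0.0/0"), gateway),  # default route via the FW
    ]
    table.extend(static or [])
    return table


def next_hop(table: List[Route], dst: str) -> str:
    """Longest-prefix match. Returns the gateway the host will ARP for, or
    'direct' when the destination is on-link and the firewall is bypassed."""
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, gw in table:
        if dst_ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return "direct" if best[1] is None else best[1]


def scenarios() -> Dict[str, str]:
    """The three host-side configurations discussed in posts #2 to #4."""
    out: Dict[str, str] = {}

    # 1. Plain /24: the peer is on-link, so the firewall is never consulted.
    plain = host_routes("10.0.0.1/24", FW_IP)
    out["plain_24"] = next_hop(plain, "10.0.0.2")

    # 2. The "hack": a /32 host route for the peer pointing at the firewall.
    hack = host_routes("10.0.0.1/24", FW_IP,
                       [(ipaddress.ip_network("10.0.0.2/32"), FW_IP)])
    out["host_route_32"] = next_hop(hack, "10.0.0.2")
    # A third host on the segment with no /32 route is still reached directly,
    # which is why this approach gets messy as hosts are added.
    out["host_route_32_other_peer"] = next_hop(hack, "10.0.0.3")
    # And a local admin who deletes the /32 is back on the direct path.
    out["host_route_32_deleted"] = next_hop(host_routes("10.0.0.1/24", FW_IP), "10.0.0.2")

    # 3. One /30 per host. The firewall must then own an address inside each /30
    # (assumed here: 10.0.0.2 and 10.0.0.6), because the shared .254 address is
    # no longer on-link for either host.
    h1_30 = host_routes("10.0.0.1/30", "10.0.0.2")
    h2_30 = host_routes("10.0.0.5/30", "10.0.0.6")
    out["split_30_h1_to_h2"] = next_hop(h1_30, "10.0.0.5")
    out["split_30_h2_to_h1"] = next_hop(h2_30, "10.0.0.1")
    return out


if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:28s} -> {hop}")
```

Only the /30 split and the bridge-mode option from post #2 survive a host-side change of configuration; the /32 route scenario shows both why it works and how a local admin (or an unrouted third host) defeats it.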

  5. #5

    Re: FW rules within the same subnet

    I've done it that way described above (with /32 routes on the hosts). You have to combine it with private VLANs, or protected ports, or similar.

    But it's pretty ugly. If you don't want those hosts to communicate, why did you put them in the same subnet?

  6. #6

    Re: FW rules within the same subnet

    Interesting design.

    There are two cases when it is even supported:

    1. FW in bridge mode
    2. VPN-1 Edge when several internal ports are configured as a switch

    In any other situation, you want to have a single interface per Ethernet broadcast domain.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
