Thursday, January 27, 2011

Checkpoint UTM Firewall Clusters Part 2 - Anti-Spoofing

The first problem I ran into with the Checkpoints is the built in anti-spoofing technology. Refer to my last post to get a sense of the topology: Checkpoint UTM Firewall Clusters Part 1

Here's the diagram again:

Anyway, the problem is internal routes. In my example, I have a layer 3 switch handling internal routing. The steps are:

1. Log into each Checkpoint cluster member and add static routes. You can use either ssh with the sysconfig utility, or a web browser pointed at each firewall (typically port 4434). In this example case, you'll add:

subnet netmask gateway

Note that the gateway is the layer 3 switch.

2. Create subnet objects for each of the internal networks/VLANs.

Ignore CP_default_Office; it's part of the demo network config.

3. If you look at the cluster interface topology, you'll see:

And if we drill down further:

And further into the internal interface (the one our corp, eng, QA, and colo subnets sit behind):

And now to the "Topology" tab:

Topology anti-spoofing config

As configured, anti-spoofing will drop traffic from the eng, qa, and corp subnets, because the topology behind the internal interface only lists the network directly attached to it. Depending on the configuration, the Co-Lo net may never need to talk to anything that the firewall manages (DMZ1, etc.). But, better safe than sorry.

4. Create a simple group and include all four subnets:

5. Now, go back to the topology anti-spoofing config in step 3 and modify it to use the group you created.

There, anti-spoofing should work correctly. Make sure NAT is configured properly!
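To see why step 3 drops the routed VLANs and steps 4 and 5 fix it, here is a small model of the anti-spoofing check (an added example, not code from the original post or from Check Point). The addresses are constructed, since the post's real IPs were stripped, and it assumes the directly attached network stays in the valid set alongside the group.

```python
import ipaddress

# Constructed sample addressing (assumptions, not the author's network).
INTERNAL_IF_NET = ipaddress.ip_network("10.0.0.0/24")   # firewall <-> L3 switch
INTERNAL_VLANS = {                                      # routed behind the switch
    "corp": ipaddress.ip_network("10.10.0.0/24"),
    "eng":  ipaddress.ip_network("10.20.0.0/24"),
    "qa":   ipaddress.ip_network("10.30.0.0/24"),
    "colo": ipaddress.ip_network("10.40.0.0/24"),
}


def passes_anti_spoofing(valid_behind_iface, src_ip):
    """Return True if a packet from src_ip arriving on the internal interface
    is accepted.  Anti-spoofing accepts a packet only when its source address
    lies in one of the networks the topology declares behind that interface."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in valid_behind_iface)


def dropped_vlans(valid_behind_iface):
    """Names of VLANs whose hosts would be dropped as spoofed, sorted."""
    return sorted(
        name for name, net in INTERNAL_VLANS.items()
        if not passes_anti_spoofing(valid_behind_iface, net.network_address + 10)
    )


# Step 3: topology derived from the interface address alone.
TOPOLOGY_BEFORE = [INTERNAL_IF_NET]
# Steps 4-5: "Specific" topology pointing at the group of four subnets.
# The directly attached network is kept too (assumed; the L3 switch lives there).
TOPOLOGY_AFTER = [INTERNAL_IF_NET, *INTERNAL_VLANS.values()]

if __name__ == "__main__":
    print("dropped before fix:", dropped_vlans(TOPOLOGY_BEFORE))
    print("dropped after fix: ", dropped_vlans(TOPOLOGY_AFTER))
    # A source outside every internal net is still rejected after the fix.
    print("external src accepted:", passes_anti_spoofing(TOPOLOGY_AFTER, "192.0.2.5"))
```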
