topic Firewall Blocking Routing Between Internal Networks in Network Security

Firewall Blocking Routing Between Internal Networks

mjh686 — Fri, 21 Feb 2020 14:27:55 GMT

I ran into an issue a while back that I fixed, but couldn't understand why it was occuring. I manage a pretty standard network that goes ISP->Firewall->L3 Core Switch->distribution switches. My issue was that the firewall was blocking routing between internal subnets, my question is why, in terms of, why is internal traffic even being inspected/blocked by the firewall if the L3 core is supposed to be doing the internal routing? (all traffic has to traverse through the L3 before hitting the firewall) Why doesn't it just get routed internal with out even hitting the firewall? I assume this is a function of the routing protocols involved and not the hardware/software, because I have now ran into this issue in two different hardware setups that had the same topology.

Re: Firewall Blocking Routing Between Internal Networks

Flavio Miranda — Tue, 10 Oct 2017 13:59:26 GMT

Hi,

I´d say that this depends on the setup. If traffic pass to firewall it is expected that it denies if not allowed.

What you did to solve the problem could tell what the problem was. Without a more in depth knowledge about your environment it is hard to say anything.

Re: Firewall Blocking Routing Between Internal Networks

mjh686 — Tue, 10 Oct 2017 17:05:57 GMT

I have vlan gateways all set on the L3 switch with the default gateway of the L3 going to the Firewall, so I assumed because routing was enabled and vlans configured, that the L3 would do all the internal routing with out consulting the firewall. All the internal traffic has to hit the L3 befire it goes to the firewall, since the firewall only has one LAN connection, and it is on its own vlan/subnet connected directly to the L3. I had to add the internal subnets to the firewall to get them to route internally.

Re: Firewall Blocking Routing Between Internal Networks

Flavio Miranda — Tue, 10 Oct 2017 17:13:38 GMT

This "L3 switch with the default gateway of the L3 going to the Firewall" could be the problem with Internal routing is not properly configured. If L3 does not find a route to the destination, it would send the packet to Firewall.

Would be nice if you could share the routing table of all L3 switches.