09-23-2021 12:27 PM
Hello
Wondering if anyone had a common practice of which inbound ports I should block on the edge internet router that is connected to the ISP. I will block any host from the WWW to IP addresses on my L3 device, like the circuit interfaces and SVIs. I will block any incoming snmp, telnet, ntp and block all tcp and udp using those ports. Can anyone suggest more?
Thank you!
09-23-2021 07:23 PM
We'll let the FW do most of the blocking but the internet edge router will deny any snmp, telnet, and 9996 Netflow traffic from coming inbound or outbound from the edge router. The edge router is the first device, then the Firewall.
Thanks all...
09-23-2021 01:28 PM
It all varies based on the requirement. Since the FW is stateful, you allow from inside to outside; from outside to inside, only allow based on the requirement (do not allow anything that is not secured) until there is a specific requirement.
09-25-2021 01:25 PM
Yes, the Checkpoint Firewalls will do most of the blocking, but the internet edge L3 switch stack sits in between the WWW and the Firewalls. Therefore, I would just need to block some things in ACL format that will protect the switch, since it is exposed to the WWW.
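As an added illustration (not configuration from any poster in this thread), here is an IOS-style infrastructure ACL that does what the thread describes: drop the management and telemetry protocols named above, refuse any Internet host that targets the edge device's own circuit interface or SVI, and hand everything else to the stateful firewall. All addresses, the interface name and the NTP server are constructed placeholders. It also adds two things a practitioner would want that the thread does not spell out: anti-spoofing of your own prefixes, and a permit for NTP replies from your configured server placed before the blanket NTP deny, so the device's own clock sync keeps working.

```cisco
! Constructed addressing (placeholders, substitute your own):
!   203.0.113.0/30    ISP circuit; 203.0.113.2 = edge device circuit interface
!   198.51.100.0/24   our public block; 198.51.100.1 = edge SVI, .2 = firewall outside
!   192.0.2.10        the NTP server this device is configured to sync from
!
ip access-list extended EDGE-IN
 remark -- anti-spoofing: our own and private prefixes never arrive from the ISP side
 deny   ip 203.0.113.0 0.0.0.3 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark -- NTP: replies from the configured server only, then deny the rest
 permit udp host 192.0.2.10 eq ntp host 203.0.113.2 eq ntp
 deny   udp any any eq ntp
 remark -- management/telemetry protocols named in the thread: never inbound
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any eq telnet
 deny   udp any any eq 9996
 remark -- nothing else may reach the edge device itself; log hits for detection
 deny   ip any host 203.0.113.2 log
 deny   ip any host 198.51.100.1 log
 remark -- everything else is forwarded to the stateful firewall, which applies policy
 permit ip any 198.51.100.0 0.0.0.255
 deny   ip any any
!
ip access-list extended EDGE-OUT
 remark -- as in the accepted answer, these are also denied leaving toward the ISP
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any eq telnet
 deny   udp any any eq 9996
 permit ip any any
!
interface GigabitEthernet0/0/0
 description ISP uplink (placeholder interface name)
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
```

Note that the two logged ACEs also drop ICMP aimed at the device, so add explicit permits above them for any ICMP types you rely on; check match counters with `show ip access-lists EDGE-IN` after applying.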
09-23-2021 01:43 PM
Hello,
Basically, I would block anything and everything. With e.g. a zone-based firewall, you could selectively allow only SSH or the stuff you need for management.