Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
806
Views
0
Helpful
4
Replies

Remove Gateway from Firewall

wallacec@br.ibm.com
Level 1
Level 1

‎12-04-2017 02:01 AM - edited ‎03-08-2019 12:58 PM

In my network today, firewalls are the routers, the default gateway of all networks, so that all traffic between networks is forced through the firewall. What we now want is to take the routing to the core, but still forcing all the traffic through the firewall. How can I do this?

Labels:
0 Helpful
4 Replies 4

Seb Rupik
VIP Alumni
VIP Alumni

‎12-04-2017 02:16 AM

Hi there,

You could configure your firewall to operate at Layer2/ "transparent mode".

 

Do you need to pass all inter-VLAN traffic through a firewall? Even it they are at the same security level? You could look group your VLANs together in VRFs based on security level or network function. Any inter-VRF traffic could be sent via the firewalls.

 

Or perhaps you could look at Cisco TrustSec, depending on your router hardware and level of inspection you require, policy enforcement could be done on the router without the need for traffic to go via a firewall.

 

cheers,

Seb.

0 Helpful

wallacec@br.ibm.com
Level 1
Level 1
In response to Seb Rupik

‎12-04-2017 02:54 AM

Thanks for the help Seb Rupik. Yes, we need to route all inter-vlan traffic through the firewall as it is a prerequisite for the security sector. Our core is a N7K and the firewalls are checkpoint.

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to wallacec@br.ibm.com

‎12-04-2017 04:29 AM

Checkpoint firewalls can be configured in bridge mode. However many interface you have currently used, you will need to double as you will need to configure the interface pairs to be bridged.

Looking at the Checkpoint documents I can only see examples of bridging physical interfaces (not sub-interfaces) so perhaps this is not a scalable solution and not applicable to your deployment.

 

The N7K does support TrustSec, but you would also need ISE to manage the configuration, which may be outside the budget of your project?

 

cheers,

Seb.

0 Helpful

paul driver
VIP
VIP

‎12-04-2017 04:09 AM - edited ‎12-04-2017 04:10 AM

Hello

1) Take the L3 interfaces off the Fw and apply them to the L3 switch.

2) Add static routes on the fw pointing back to the L3 switch for return traffic to the Lan subnets ( or use an IGP)
3) On the l3 switch add a default static route pointing to the FW Handoff.

 

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card