FireWall-1 FAQ: Creating Multiple Encryption Domains
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
It is not possible to set up multiple encryption domains for the same firewall. Nor is there any real case where this would be necessary. It’s the encryption domain which indicates that this firewall should receive encrypted packets for the hosts it protects. As such, your encryption domain is everything behind your firewall.
However, connections to and from sites are still mediated by the rulebase. It is here that you specify the access allowed via the tunnel. You can set up your rules so one site has access to one group of hosts and another side has access to a different group of hosts. Each group is then a subset of the encryption domain. The only thing that changes is how you set up your encryption rules.
Consider the following example:
- MySite’s encryption domain is 10.0.0.0/24
- SiteA’s encryption domain is 172.16.0.0/24
- SiteB’s encryption domain is 192.168.0.0/24
Generally, your rulebase would look like this:
| Source | Destination | Service | Action |
|---|---|---|---|
| MySite-encdomain | SiteA-encdomain & SiteB-encdomain | Any | Encrypt |
| SiteB-encdomain & SiteA-encdomain | MySite-encdomain | Any | Encrypt |
Many firewall admins prefer to create groups including either the networks or hosts containing the nodes on each side. This group is set as both the source and destination. However, it requires that the service access is symmetric. A rulebase could look like this:
| Source | Destination | Service | Action |
|---|---|---|---|
| SiteAallowed-encgroup | SiteAallowed-encgroup | CIFS, HTTP | Encrypt |
| SiteBallowed-encgroup | SiteBallowed-encgroup | termserv | Encrypt |
However, if one site should have more access than another, this syntax can’t be used. However, it’s still a good idea to create groups.
| Source | Destination | Service | Action |
|---|---|---|---|
| SiteAhostsAllowed | extranet-server | HTTP | Encrypt |
| extranet-server | SiteAhostsAllowed | CIFS | Encrypt |
As a side note, Check Point recommends using networks and address ranges whenever possible rather than a lot of hosts etc for performance reasons.
