https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/169485#M30685 <P>We have done all the changes as advised by this&nbsp;<SPAN>SK105899. I suspect this kernel parameter 'fwx_bridge_reroute_enabled=1' could be the cause, but I stand to be guided. Maybe you can also expound more on what this parameter does. What would be gateway behavior&nbsp;if we remove this parameter? </SPAN></P><P><SPAN>Unfortunately topology change is not possible in the short-term, hence why we are looking for a solution on Checkpoint itself.</SPAN></P> Sat, 28 Jan 2023 07:48:22 GMT chinchira 2023-01-28T07:48:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/116238#M16385 <P>Hello&nbsp;anyone,</P><P>I hope that the Mgmt interface update signature traffic can traverse the bridge interface of the same Security Gateway, I refer to SK105899, and add the following kernel data,</P><P>[Expert@R81:0]# cat $PPKDIR/boot/modules/simkern.conf<BR /># Deprecated location.<BR /># Any change should be made at /opt/CPppak-R81/conf/simkern.conf<BR />sim_anti_spoofing_enabled=0<BR />[Expert@R81:0]# cat $FWDIR/boot/modules/fwkern.conf<BR />fw_local_interface_anti_spoofing=0<BR />fw_antispoofing_enabled=0<BR />fwx_bridge_reroute_enabled=1</P><P>At this point, I still cannot update, and I get the following message (fw ctl zdebug + drop)</P><P>@;3558;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 172.16.13.192:43355 -&gt; 96.7.254.216:443 dropped by fw_reroute_bridge_fold Reason: Bridge reroute, cksum is wrong;<BR />@;3565;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 172.16.13.192:43355 -&gt; 96.7.254.216:443 dropped by fw_reroute_bridge_fold Reason: Bridge reroute, cksum is wrong;<BR />@;3578;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 172.16.13.192:43355 -&gt; 96.7.254.216:443 dropped by fw_reroute_bridge_fold Reason: Bridge reroute, cksum is wrong;<BR />@;3604;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 172.16.13.192:43355 -&gt; 96.7.254.216:443 dropped by fw_reroute_bridge_fold Reason: Bridge reroute, cksum is wrong;<BR />@;3680;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 172.16.13.192:26677 -&gt; 96.7.254.216:443 dropped by fw_reroute_bridge_fold Reason: Bridge reroute, cksum is wrong;<BR />@;3686;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 172.16.13.192:26677 -&gt; 96.7.254.216:443 dropped by fw_reroute_bridge_fold Reason: Bridge reroute, cksum is wrong;<BR />@;3699;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 172.16.13.192:26677 -&gt; 96.7.254.216:443 dropped by fw_reroute_bridge_fold Reason: Bridge reroute, cksum is wrong;<BR />@;3725;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 172.16.13.192:26677 -&gt; 96.7.254.216:443 dropped by fw_reroute_bridge_fold Reason: Bridge reroute, cksum is wrong;</P><P>I am currently running R81 GA version, and the problem also occurs in R80.40<BR />Can anyone assist me in solving this problem?</P> Mon, 19 Apr 2021 04:30:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/116238#M16385 Alvin 2021-04-19T04:30:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/116347#M16414 <P>Recommend a TAC case here.</P> Mon, 19 Apr 2021 18:50:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/116347#M16414 PhoneBoy 2021-04-19T18:50:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/169404#M30660 <P>I am having a similar problem where am getting the same drop message. Please share how this was resolved.</P><P>Thanks.</P> Fri, 27 Jan 2023 11:41:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/169404#M30660 chinchira 2023-01-27T11:41:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/169433#M30670 <P>Did you already try the solution from&nbsp;<SPAN>SK105899?</SPAN></P> <P><SPAN>Double-inspection is otherwise not supported by SXL (sk172204) and you should review the topology/routing.</SPAN></P> <P>&nbsp;</P> Fri, 27 Jan 2023 15:50:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/169433#M30670 Chris_Atkinson 2023-01-27T15:50:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/169485#M30685 <P>We have done all the changes as advised by this&nbsp;<SPAN>SK105899. I suspect this kernel parameter 'fwx_bridge_reroute_enabled=1' could be the cause, but I stand to be guided. Maybe you can also expound more on what this parameter does. What would be gateway behavior&nbsp;if we remove this parameter? </SPAN></P><P><SPAN>Unfortunately topology change is not possible in the short-term, hence why we are looking for a solution on Checkpoint itself.</SPAN></P> Sat, 28 Jan 2023 07:48:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/169485#M30685 chinchira 2023-01-28T07:48:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/178593#M32710 <P>Hi Chinchira,</P><P>I got the same error message. Do you have solution for this?</P><P>Thanks in advance,</P><P>Akos</P> Thu, 20 Apr 2023 08:50:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/178593#M32710 AkosBakos 2023-04-20T08:50:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/178594#M32711 <P>I would recommend a TAC case here.</P> Thu, 20 Apr 2023 09:00:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/178594#M32711 G_W_Albrecht 2023-04-20T09:00:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/178603#M32712 <P>Hi,</P><P>I hope this issue will be solved quickly. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Akos</P> Thu, 20 Apr 2023 09:50:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/178603#M32712 AkosBakos 2023-04-20T09:50:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/178967#M32791 <P>It seems the issue have been solved:</P><P>We use only 2 out of the 4 kernerparameters (why should we use not relevant key-pairs??)</P><P><A href="https://support.checkpoint.com/results/sk/sk105899" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk105899</A></P><P>fw_local_interface_anti_spoofing=0</P><P>fw_antispoofing_enabled=0</P><P>fwx_bridge_reroute_enabled=1</P><P>fwx_perform_gateway_hide=0</P><P>Conclusion: all of the four key-pairs are needed</P> Mon, 24 Apr 2023 16:51:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Mgmt-traffice-cannot-cross-bridge-interface-double-inspection/m-p/178967#M32791 AkosBakos 2023-04-24T16:51:03Z