topic Re: What is the difference between interface topologies: Internet and Internal default route based? in Firewall and Security Management

What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Fri, 27 Dec 2024 22:18:50 GMT

Hi All,

What is the difference between the following interface topologies:

- Internet
- Internal -> network defined by the routes (the default route is configured on this interface)

Any references to the documentation/SKs?

How is it working in the real life?

I'm asking because I discovered some strange behaviours...

Thank you in advance!

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 00:16:11 GMT

Internet is chosen when interface is considered external.

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Sat, 28 Dec 2024 00:30:43 GMT

My question is about the difference in firewall's behaviour.

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 00:36:58 GMT

It all depends on the routing really. Internal IP can also be chosen as external interface.

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Sat, 28 Dec 2024 00:39:11 GMT

That's what my question is about exactly 😉 :

> It all depends on the routing really. Internal IP can also be chosen as external interface.

> Internal -> network defined by the routes (the default route is configured on this interface)

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 00:42:32 GMT

Network defined by routes...all that literally means is that if topology changes, no need to do anything or install policy. I always recommend that option.

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Sat, 28 Dec 2024 01:02:49 GMT

Again, this is perfectly fine and understandable. But that does not answer my question 😊

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 01:11:20 GMT

Your question was difference in fw behavior. If selected Internet, interface will be considered as external, 2nd option would be internal. Sorry if Im not understanding something else 🙂

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Sat, 28 Dec 2024 01:21:32 GMT

The question is: If an internal interface has the default route configured through it, how would it be different from an external interface?

In other words. Two scenarios:

1. 3 ifaces: 1 Internet with the default route, 2 internals
2. 3 ifaces: all internals, but one of them has the default route.

Will there be any difference in how the firewall will treat the traffic going towards the default gateway? If yes, what is it?
Is it documented anywhere?
What is happening IRL?

Additional related questions:
- What does it mean, that the interface is internal or external? (Provided the routes are the same and/or the anti-spoofing is turned off)
- What is different in the traffic processing?
- Is it documented anywhere?

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 01:33:41 GMT

NOW I get it 🙂

AFAIK, regardless how interfaces are configured, routing will work depending on the IP address. So say for lots of firewalls, external interface can be configured as internal IP, but routing can still go through it.

In your examples, say scenario 1, DG can be actual ISP upstream router and scenario 2 can be just lab ip address.

But, maybe someone else can correct me if Im wrong.

Good question btw!

Difference in traffic processing? Maybe give an example. Is it documented anywhere? Not sure this would be specifically.

Andy

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Sat, 28 Dec 2024 02:00:35 GMT

I'm asking this question, because I stumbled upon some very unexpected behaviour here: https://community.checkpoint.com/t5/Security-Gateways/How-to-disable-local-anti-spoofing-in-R81-20-cluster-with/m-p/236833/highlight/true#M45923

Hence, I'd like to know how it's supposed to work first. And if it does not work so IRL, another CP case is in order.

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 02:07:14 GMT

I cant comment without knowing specifics, but from my experience, 9 times out of 10, anti spoofing has to do with assymetric routing.

Andy

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Sat, 28 Dec 2024 02:09:50 GMT

Anti-spoofing is turned off.

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 02:33:32 GMT

If so, I would run ip r g on various ip addresses and make sure its right.

ie:

ip r g 8.8.8.8

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Sat, 28 Dec 2024 03:09:14 GMT

Again, this is not what the question is about 😄

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 03:11:08 GMT

K, I give up then 😃😃

Re: What is the difference between interface topologies: Internet and Internal default route based?

Jarvis_Lin — Sat, 28 Dec 2024 05:23:27 GMT

The firewall's application rules and threat prevention rules distinguish between external and internal traffic based on the defined topology settings.

For instance, the internet object in application rules and the protected scope configuration in anti-virus / threat emulation settings determine inspection based on the defined topology.

Re: What is the difference between interface topologies: Internet and Internal default route based?

the_rock — Sat, 28 Dec 2024 13:05:42 GMT

Thats true, but then CP is not like Fortinet, where you have to define interfaces in the rules, so thats why I was saying it all depends on how routes are configured.

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Sat, 28 Dec 2024 23:46:27 GMT

I stated it already: there is a default route through the interface in question in both cases.

Re: What is the difference between interface topologies: Internet and Internal default route based?

AlekzNet — Mon, 30 Dec 2024 15:22:26 GMT

> the protected scope configuration

By default the protected scope is "Any".

> the internet object in application rules and the protected scope configuration in anti-virus / threat emulation settings determine inspection based on the defined topology.

In other words, you are stating, that AV/AB/IPS signatures will work differently, if the the interface is assigned to the internal or external topology, right? What is this difference? Provided the IPS and firewall rules are all "Any"s?