topic Re: FW in L2 in Firewall and Security Management

FW in L2

Matlu — Fri, 28 Feb 2025 14:01:08 GMT

Hello,

We have a FW that we want to work in transparent mode, to avoid making sudden changes in our network.

We have enabled 2 fiber interfaces (Eth1-1 and Eth1-2) in bridge mode, which we understand is the way to make the FW work in L2.

The intention is that the FW only performs web filtering to the LAN of our headquarters.

Some questions

Is it necessary to pull the topology from the SmartConsole, and should the Interfaces that are in bridge mode also be seen from here?

If we only want the appliance to perform web filter control to the LAN, is it necessary to have the FW blade of our appliance enabled?

FW: R82 - JHF 10

Thank you for your answers.

Re: FW in L2

Chris_Atkinson — Fri, 28 Feb 2025 14:16:07 GMT

Review the documentation here:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Installation_and_Upgrade_Guide/Content/Topics-IUG/Configuring-Single-Security-Gateway-in-Bridge-Mode.htm?Highlight=Bridge

Re: FW in L2

Matlu — Fri, 28 Feb 2025 14:26:28 GMT

Hello.

This is the documentation I was looking at, but I wondered since I started reading the documentation, if the interfaces that one sets in the GAIA Portal as bridge mode, should or should not be pulled from the SmartConsole in the topology part.

So if I have 1, 2, or many interfaces in bridge, the topology still has to be pulled from the SmartConsole, right?

Regards.

Re: FW in L2

AkosBakos — Fri, 28 Feb 2025 14:34:30 GMT

Hi @Matlu

Double-check the mentioned documentaions, especially the topoligy settings.

Long story short:

Q1: yes

Q2: yes. BTW you can't have a GW appliance without firewall enabled from my point of view. (grayed out)

Akos

Re: FW in L2

the_rock — Fri, 28 Feb 2025 14:34:43 GMT

Q1 -> yes

Q2 -> fw blade is enabled by default when object is created

Andy

Re: FW in L2

PhoneBoy — Fri, 28 Feb 2025 17:22:57 GMT

Firewall blade is always required to be enabled.
Topology on the Bridge Mode interface should be External.

Re: FW in L2

Matlu — Sat, 01 Mar 2025 00:04:37 GMT

Hello, Mate

Before putting the FW CP, the network topology is something like this.

When we put the FW CP, the topology changes to this model.

So to be sure to apply the changes correctly, both Eth1-1 and Eth1-2 interfaces must be configured as “External”, right?

Because currently they look like “This Network”.

A DUMB question, but if the interfaces in the topology are not “configured” in the right way, can this cause traffic problems?

Thank you for your help. 🙂

Re: FW in L2

the_rock — Sat, 01 Mar 2025 00:07:24 GMT

No dumb questions my friend. Technically, if you do get interfaces WITHOUT topology, it should fetch the right info. However, if something is incorrect, yes, it could cause issues, but considering its in bridge mode, you might be okay.

Andy

Re: FW in L2

Matlu — Sat, 01 Mar 2025 00:35:08 GMT

Buddy,

Thanks for getting back to me.

In my scenario, and based on PhoneBoy's comment, my Eth1-1 and Eth1-2 interfaces do you think it is “mandatory” to put them in “External” mode both interfaces?

In this FW, I only have 1 more interface connected, which is the MGMT port, and it is in the topology as “External”.

Apart from that interface, I don't have another one (I don't take into account the maas_tunnel interface, since my FW is hooked to a Smart-1 Cloud).

Cheers.

Re: FW in L2

the_rock — Sat, 01 Mar 2025 00:37:04 GMT

Yes, I believe they would need to be set as external, correct.

Andy

Re: FW in L2

Matlu — Thu, 06 Mar 2025 00:39:28 GMT

Hello,

We have inherited a FW that is configured to work as a L2 device, the goal is that this device only does “Web Filters” but we have had problems with the loss of some services when testing, something that should not happen, since we are working 2 interfaces in bridge mode.

A query in my scenario I currently have 4 interfaces

Eth1-1
Eth1-2
Mgmt
maas_tunnel

Currently the FW goes out to the Internet through the “Mgmt” interface, and it is important to mention that this FW is hooked to a Smart-1 Cloud.

I have reviewed the documentation, and the following section causes me doubts.

Can I have the 2 interface topology configured in External mode?

The interface that gives output to the Internet to the CP device, should be if or if, one of the interfaces that is in bridge mode?

Cheers. 🙂

Re: FW in L2

the_rock — Thu, 06 Mar 2025 02:30:49 GMT

Hey bro,

If routing is correct, just do get interfaces without topology and it would give right output.

Andy

Re: FW in L2

Matlu — Thu, 06 Mar 2025 02:36:01 GMT

Hey Buddy.

Is it no longer necessary to configure 1 of the 2 interfaces that are in bridge mode, as “External”?

The objective is that this FW works in L2, that it does not “intervene” at the routing level.
We only want the device to make web filters with the URL Filtering blade.

Cheers. 🙂

Re: FW in L2

the_rock — Thu, 06 Mar 2025 02:43:02 GMT

Thats right, as long as bridge interface is external.

Andy

Re: FW in L2

PhoneBoy — Thu, 06 Mar 2025 23:40:34 GMT

If the interfaces "touch" the external network (directly or indirectly), they should be marked external.
That includes most L2 deployments.

Why is your management interface external?
How does it fit into the overall topology of the environment?

Re: FW in L2

Matlu — Thu, 06 Mar 2025 23:55:11 GMT

Hello,

The goal is that the box, works as a “Web Filter” with the URLF+APPC blade.

They configured the “Mgmt” interface as “External” as I was informed, because of the fact that the box needs to be able to reach the Internet to be updating the engine of the mentioned blades, and also because of the fact that this box is hooked to a Smart-1 Cloud, so it needs the output to the Internet.

At the end of the day, this box only has 4 interfaces:

2 Interfaces in bridge mode, Eth1-1 and Eth1-2.
1 “Mgmt” interface
1 LOM interface

So, does it make sense to you, that the MGMT interface is “configured” as “External”?

Cheers.

Re: FW in L2

PhoneBoy — Fri, 07 Mar 2025 00:01:54 GMT

How does the Management interface reach the Internet?
Does the traffic have to traverse the L2 bridge on this gateway?
If so, it can (should) be internal and you'll have to apply: https://support.checkpoint.com/results/sk/sk105899

Re: FW in L2

Matlu — Fri, 07 Mar 2025 00:28:18 GMT

This box reaches the Internet through a default route.

IP MGMT: 10.123.119.46
IP Gateway: 10.123.119.34

Above our CP box, there is an F5 equipment, which is the one that does the NAT to our IP so that it can go out to the Internet.

The box could not be without Internet because it is hooked to a Smart-1 Cloud, and if we remove the output to the Internet, we understand that we will lose the management from our Tenant.

Now, as for the internal network traffic, effectively, this traffic must go through the bridge interfaces, without trying to go through the MGMT.

The objective of the box having Internet is related to not losing management of the equipment from the Tenant, and that the signatures of all the blades are kept up to date, besides that the box can know that there are new JHF packages for its installation.

Regards.

Re: FW in L2

the_rock — Fri, 07 Mar 2025 01:36:01 GMT

Can you send what topology looks like at the moment?

Andy

Re: FW in L2

PhoneBoy — Fri, 07 Mar 2025 16:23:14 GMT

So the Management interface is reaching the Internet not through the L2 bridge?
Topology impacts a few things:

Anti-spoofing (doesn't make sense in this configuration)
The "Internet" object (if used, probably shouldn't in this configuration)
Threat Prevention scope (which might require a tweak to the profile, but not relevant since not used currently)

External should be fine here aside from the above issues.