topic Re: Allow all VLANs on a Bridge Interface in Firewall and Security Management

Allow all VLANs on a Bridge Interface

Matlu — Mon, 31 Mar 2025 19:00:02 GMT

Hello, Mates.

Is there a way to configure in the “Bridge Mode” interface of a FW CP, the option to allow all VLANS?

I have 1 box with 2 interfaces in bridge mode.

This box is in the middle of 2 Routers, which currently have configured on the ports that connects them, multiple VLANs.

So, I want the br1 interface that has my 2 physical interfaces to “allow all these VLANs without any exception”.

The routers currently pass more than 30 VLANs, and manually making 1 bridge group for each VLAN is not very productive.

Is there a way to make the br1 interface that has the 2 physical interfaces as such, “allow” all VLANs?

Greetings.

Re: Allow all VLANs on a Bridge Interface

PhoneBoy — Mon, 31 Mar 2025 21:01:47 GMT

From what I remember, if you just create a bridge with just the physical interfaces, it will pass all the VLANs.
That's basically what this SK does while telling you to also disable bridge anti-spoofing (needed in this case): https://support.checkpoint.com/results/sk/sk34312

Re: Allow all VLANs on a Bridge Interface

Matlu — Mon, 31 Mar 2025 21:45:34 GMT

Hello.

If I apply the SK, how can you validate that the change has actually been made and has the value recommended in the document?

To disable Anti-Spoofing, set the global parameter fw_bridge_antispoofing to 0.

[Expert@Hostname] # fw ctl set int fw_bridge_antispoofing 0

Note: This configuration will be lost after the reboot. To set it to be permanent, run:

[Expert@Hostname]# echo "fw_bridge_antispoofing=0">> $FWDIR/modules/fwkern.conf

Thanks.

Re: Allow all VLANs on a Bridge Interface

PhoneBoy — Mon, 31 Mar 2025 21:57:58 GMT

To confirm the setting

[Expert@Hostname] # fw ctl get int fw_bridge_antispoofing

Re: Allow all VLANs on a Bridge Interface

Matlu — Tue, 01 Apr 2025 20:52:56 GMT

Hello,

The option to validate the current antispoofing status does not seem to work.

Is the command you shared correct?

[Expert@FW-WF:0]#
[Expert@FW-WF:0]# fw ctl get int fw_bridge_antispoofing
Get operation failed: failed to get parameter fw_bridge_antispoofing
get: Operation failed
Killed

Cheers.

Re: Allow all VLANs on a Bridge Interface

PhoneBoy — Tue, 01 Apr 2025 20:55:48 GMT

The only reason you get that is the kernel variable referenced doesn't exist.
Which means this SK is not correct, at least on current versions.
However, I think you should be ok if you disable anti-sppofing on the relevant bridge interface in SmartConsole.

Re: Allow all VLANs on a Bridge Interface

Matlu — Tue, 01 Apr 2025 21:14:55 GMT

So it should be enough if I remove the Antispoofing on the 2 interfaces that form the br1?

Because in the topology of the GW from the SmartConsole, there is no “br1” interface, but the 2 interfaces that make the “br1” appear.

Re: Allow all VLANs on a Bridge Interface

PhoneBoy — Tue, 01 Apr 2025 21:31:53 GMT

I believe you are correct: disable anti-spoofing on the two interfaces that make up br1.

If traffic originating from the gateway itself flows over the bridge, you will have to make other adjustments to account for "local interface anti-spoofing."
For that, see: https://support.checkpoint.com/results/sk/sk105899
If I'm understanding this correctly these steps disable anti-spoofing globally (not just on the bridge interface), among other things.