https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266268#M52575 <P>One of the core security features of the product is Anti-Spoofing.<BR />For anti-spoofing to work, topology must be defined.<BR />The topology includes all the networks reachable from that interface.</P> <P>This can either be done manually or as part of "Get Interfaces with Topology" though you should only use this option before the gateway goes into production.<BR />This has been discussed here among other places:&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/Get-interface/m-p/246503" target="_blank">https://community.checkpoint.com/t5/General-Topics/Get-interface/m-p/246503</A>&nbsp;</P> Tue, 30 Dec 2025 23:42:56 GMT PhoneBoy 2025-12-30T23:42:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266246#M52573 <P>Hi team,&nbsp;</P><P>Can I know difference between get interface with topology and without topology meaning. And when we use this, tell me scenario.</P> Tue, 30 Dec 2025 16:50:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266246#M52573 Prathmesh131992 2025-12-30T16:50:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266268#M52575 <P>One of the core security features of the product is Anti-Spoofing.<BR />For anti-spoofing to work, topology must be defined.<BR />The topology includes all the networks reachable from that interface.</P> <P>This can either be done manually or as part of "Get Interfaces with Topology" though you should only use this option before the gateway goes into production.<BR />This has been discussed here among other places:&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/Get-interface/m-p/246503" target="_blank">https://community.checkpoint.com/t5/General-Topics/Get-interface/m-p/246503</A>&nbsp;</P> Tue, 30 Dec 2025 23:42:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266268#M52575 PhoneBoy 2025-12-30T23:42:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266275#M52578 <P>When you get interfaces with topology, Check Point will automatically generate objects for the anti-spoofing settings.<BR />They will be linked to the interfaces, but may not be visible in the Object Tree. Check:<BR /><BR /><A href="https://support.checkpoint.com/results/sk/sk126872" target="_blank">sk126872 - Some Network objects are not visible in the SmartConsole object list</A><BR /><BR />Something to be aware of if you want to use these objects in a policy.</P> Wed, 31 Dec 2025 08:01:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266275#M52578 Martijn 2025-12-31T08:01:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266276#M52579 <P>Since I encountered problems here and there a long time ago when importing with topology, I have never done it again since then, and the point mentioned that objects are automatically created that I create myself has prevented me from doing it again to this day. But for beginners, I would always recommend importing with topology first and learning how to use as feature correctly.</P> Wed, 31 Dec 2025 09:55:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266276#M52579 Vincent_Bacher 2025-12-31T09:55:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266283#M52582 <P>I personally never do get interface with topology, as that would reset it all to what fw "thinks" should be defined...its way safer (in my opinion) to do without topology and as long as you set it per routing option, you are good to go, since if something changes on that interface subnet, no need to do anything, it would update it for you.</P> <P>Below is what Im referring to and its always good idea to assign the zone as well.</P> <P>Also, in simple words, anti spoofing is there so say if interface subnet is on 10.10.10.0/24 and traffic comes from 192.x.x something, it would get dropped.</P> <P><A href="https://sc1.checkpoint.com/documents/R82/SmartConsole_OLH/EN/Topics-OLH/ZvkmnUK_XluBBIIAw1mF3A2.htm?cshid=ZvkmnUK_XluBBIIAw1mF3A2" target="_blank">Interface - Topology Settings</A></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/32594i3D1BEABFF8EDB3A4/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Wed, 31 Dec 2025 14:20:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266283#M52582 the_rock 2025-12-31T14:20:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266285#M52584 <P>With dynamic routes, better to either turn it off, not really recommended or as you have said use "Network defined by routes", but ultimately need to keep an eye on it, and would suggest not using prevent mode straight away if you have critical services.</P> Wed, 31 Dec 2025 14:36:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266285#M52584 genisis__ 2025-12-31T14:36:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266286#M52585 <P>100%</P> Wed, 31 Dec 2025 14:37:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-interface-topology/m-p/266286#M52585 the_rock 2025-12-31T14:37:25Z