https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244089#M62901 <P>With over 100 interfaces (VLAN's) it is still a lot of changes to push. And the time increases on some sort of exponential scale with the number of interfaces involved.</P> Tue, 18 Mar 2025 15:44:04 GMT Hugo_vd_Kooij 2025-03-18T15:44:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/243646#M62894 <P>Hi Team,</P><P>I'd like to understand if there is any functional difference between adding interfaces in Network Topology manually against using 'Get Interfaces' feature.</P><P>We used to add all interfaces manually. It worked, no issues.</P><P>Recently I tried to create a GRE tunnel on a cluster (R81.20). I followed&nbsp;sk169794. The only difference was that I added GRE interfaces manually instead of using 'Get Interfaces with Topology'.</P><P>GRE tunnel was up and running however all GRE packets sent by a cluster member were sent with the active cluster member physical interface IP as a source, not VIP.</P><P>I've been told that running 'Get Interfaces with Topology' and installing policy should solve the issue.&nbsp;I ran 'Get Interfaces with Topology' however that created about a hundred configuration changes and I'm not happy to publish them.</P><P>I always believed that 'Get Interfaces' is a helpful shortcut used to make all interface name/ip/spoofing group/etc creation easier. Is there anything else that happens behind the scene?</P><P>Regards,</P><P>Pawel</P> Wed, 12 Mar 2025 13:13:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/243646#M62894 Pawel_ 2025-03-12T13:13:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/243996#M62895 <P>I fail to see how Get Interfaces with Topology would resolve this issue.<BR />I assume Cluster NAT isn't happening on GRE traffic.<BR /><BR /></P> Mon, 17 Mar 2025 19:35:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/243996#M62895 PhoneBoy 2025-03-17T19:35:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244027#M62896 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/11697">@Pawel_</a>;<BR /><BR />Here is a comparison between adding interfaces manually in Network Topology and using the 'Get Interfaces' feature in SmartConsole:</P> <P><STRONG>Manual Configuration:</STRONG> <BR />Recommended for environments where precision and customization are critical, especially for special interfaces like loopback interfaces.<BR />Allows for the inclusion of special interfaces like loopback interfaces, which are not retrieved by the 'Get Interfaces' feature.</P> <P><STRONG>Get Interfaces Feature:</STRONG> <BR />Suitable for environments where efficiency and consistency are prioritized, and the number of interfaces is manageable.<BR />Automatically retrieves and configures multiple interfaces quickly, saving time. There is a higher chance of configuration errors due to manual input.<BR />Does not retrieve interfaces without assigned IP addresses (e.g., 0.0.0.0 or 127.0.0.1) or loopback interfaces.</P> Tue, 18 Mar 2025 07:45:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244027#M62896 HeikoAnkenbrand 2025-03-18T07:45:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244038#M62897 <P>Thank you for the reply.</P><P>That's exactly what I thought and I wasn't happy to follow the support recommendation and mess up my current config.</P><P>I had also created a manual NAT for GRE traffic however it did not work, neither.</P><P>Finally I decided to give up and moved GRE to other vendor devices.</P><P>Thank you again.</P><P>&nbsp;</P> Tue, 18 Mar 2025 08:52:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244038#M62897 Pawel_ 2025-03-18T08:52:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244039#M62898 <P>Hi,</P><P>Got it, so 'Get Interfaces' is just an automatic way that helps to avoid configuration errors. If the interfaces are manually configured correctly 'Get Interfaces' should not bring any additional value.</P><P>Thank you for your reply.</P> Tue, 18 Mar 2025 08:56:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244039#M62898 Pawel_ 2025-03-18T08:56:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244066#M62899 <P>Correct.&nbsp; One other note that I mention in my classes is to NEVER do a "Get interfaces with topology" on an existing gateway that is in production, since as you saw doing so may attempt to reconfigure the topology of dozens or hundreds of interfaces and get you into anti-spoofing trouble.&nbsp; Use "Get interfaces without topology" on production gateways instead then manually verify the topology settings for any new interfaces.&nbsp; "Get interfaces with topology" is fine for a new gateway you are deploying that is not in production yet, but you'll still need to manually verify the topology settings of all interfaces.</P> Tue, 18 Mar 2025 13:04:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244066#M62899 Timothy_Hall 2025-03-18T13:04:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244069#M62900 <P>There are specific cases. For instance, VTI implementation asks you to perform a "Get interfaces without topology" as you can't create them manually, which is always a great feeling to have when clicking on this option on a production environment.</P> Tue, 18 Mar 2025 13:21:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244069#M62900 Alex- 2025-03-18T13:21:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244089#M62901 <P>With over 100 interfaces (VLAN's) it is still a lot of changes to push. And the time increases on some sort of exponential scale with the number of interfaces involved.</P> Tue, 18 Mar 2025 15:44:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244089#M62901 Hugo_vd_Kooij 2025-03-18T15:44:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244093#M62902 <P>Get interfaces without topology would simply "fetch" whats on the OS level.&nbsp;</P> <P>Andy</P> Tue, 18 Mar 2025 16:52:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Get-interfaces-or-manually-add-an-interface-is-there-any/m-p/244093#M62902 the_rock 2025-03-18T16:52:39Z