topic Re: Virtual System bridge interfaces in Firewall and Security Management

Virtual System bridge interfaces

DPB_Point — Thu, 21 Mar 2019 17:45:37 GMT

Hello team,

I have been configuring some gateways in bridge mode with "inter-vlan multibridging" i mean:

3 bridge interfaces with the following squeme:

bridge 1 = bond2.10 and bond3.100

bridge 2 = bond2.20 and bond3.200

bridge 3 = bond2.30 and bond3.300

I had no problems with this configuration and the gateways bridge the traffic correctly between the corresponding vlan subinterfaces. By definition:

Bridging two interfaces causes every Ethernet frame that is received on one bridge port to be transmitted to the other port. Thus, the two bridge ports participate in the same Broadcast domain (which is different from router ports behavior).

Only two interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-ports switch. Each port can be a physical, VLAN, or bond device.

I have tried to configure the same scenario in a VirtualSystem and I found the following limitation:

I have a VSX cluster and I followed this procedure:

1. Configure 2 bond interfaces in each VSX member:

add bonding group 2

set bonding group 2 mode 8023AD

set interface eth1-01

state on set interface eth1-02 state on

add bonding group 2 interface eth1-01

add bonding group 2 interface eth1-02

Set interface bond2 comments Outside

The same configuration with bond3.

2. I created the VLAN interfaces in the VSX Cluster via SmartClient. Then, when I create the VS, I select bridge mode, and then I add, for example, bond2.2 and bond 3.200. Vlan 2 is the outside vlan and vlan 200 is the inside vlan (both are in the same ip address range). The purpose of this is to bridge these vlan interfaces in order to force L2 traffic to pass through the VS.

The problem is that when I try to add more bondX.y interfaces to the virtualsystem and click accept an ERROR is prompted: Something like interfaces vlan must be created in pairs for bridge.

I have read in VSX admin guide:

To configure the external and internal interfaces:

In Virtual System Network Configuration page for the Separate Interfaces template in bridge mode, select the interfaces for the internal and external networks from the list.
If the selected interface is a VLAN interface, enter the same VLAN tag in both the external and internal VLAN Tag fields. This field is not available for non-VLAN interfaces.

So after some tests I get the conclusion that in VS you can:

* Configure only one intervlan bridge interface (different vlan in external and internal interfaces)

* Configure multi-bridge interfaces with same vlan tag for internal and external interfaces.

Limitation:

* Configure multi-bridge interfaces with different vlan in external and internal interfaces (as you can do in standard gateway operation)

Is this correct? Do you know the reason that we cannot configure this on VirtualSystems?

Thank you in advance.

Re: Virtual System bridge interfaces

Vladimir — Thu, 21 Mar 2019 20:52:34 GMT

Have you tried using vSwitch as the intermediary?

Re: Virtual System bridge interfaces

PhoneBoy — Fri, 22 Mar 2019 05:19:55 GMT

Are you trying to add more than one bridge to a VS?
I believe a given VS can only have one.

Re: Virtual System bridge interfaces

DPB_Point — Fri, 22 Mar 2019 08:37:03 GMT

Yes, by definition it seems I can configure it in active-active mode with same vlan tag:

Multi Bridges

This feature is supported only in R77.30 and higher, for VSX Gateways, and VSX clusters in Active/Active Bridge mode.

Multi Bridge allows traffic from many different VLANs to move over one Virtual System in Bridge mode. In a Virtual System in Bridge mode, you can add physical and VLAN interfaces. When you add more than two VLAN interfaces, Multi Bridge is automatically enabled. Configure the same VLAN tag on each set of two interfaces to make them bridged.

Requirements for Multi Bridge interfaces:

All interfaces must be VLANs.
You can make multiple bridges only between two VLAN trunks.
You can add up to 64 pairs of VLAN interfaces for one Multi-bridge.
Those two VLAN trunks must be used together, and not with other VLAN trunks, in other Virtual Systems in Bridge mode or Multi Bridges.
For example, you define eth1.10, eth2.10, eth1.20, eth2.20. Now the VLAN trunks, eth1 and eth2, cannot be used with other VLAN trunks on other Virtual Systems in Bridge mode: eth1.30 cannot bridge with eth3.30.

I tried this and it works but it is not exactly what I need. I am trying to migrate from other environment that can work with virtual contexts, multibridges and vlan translation but I cannot find the correct way to configure this in checkpoint.

Thanks!

Re: Virtual System bridge interfaces

DPB_Point — Fri, 22 Mar 2019 08:39:58 GMT

Do you mean to connect inside and outside trunks links directly to a Vswitch and then change the tags there in order to match the gateway bridge interfaces? I don't know if I understand you right.

Re: Virtual System bridge interfaces

PhoneBoy — Fri, 22 Mar 2019 15:50:08 GMT

A diagram of what exactly you're trying to achieve would help tremendously.

Re: Virtual System bridge interfaces

Vladimir — Fri, 22 Mar 2019 16:57:33 GMT

Given the limitations described in the "multi bridge" section it appears that you may have to use a dedicated VS for each VLAN translation instance.

Alternatively, translate them outside of the VSX.

Re: Virtual System bridge interfaces

DPB_Point — Sun, 24 Mar 2019 11:56:24 GMT

Sure, will be like this. Endusers, for example in VLAN2, have their default gateway 192.168.1.254 in vlan 200 (who knows all the routes to get to remote networks). As we want to have the minimum impact in network design, we separate the ip network in two broadcast domains (vlan 2 and 200) and we bridge them at Checkpoint firewall in order to force this traffic to pass through it.

Re: Virtual System bridge interfaces

DPB_Point — Sun, 24 Mar 2019 12:01:38 GMT

Thank you for your reply. I think that using a VS per Bridge will not be cost effective (vs licenses) and will be hard manageable. I think we will need to change the network design, separate networks physically or translate vlans outside the VSX as you said.

Re: Virtual System bridge interfaces

DPB_Point — Tue, 02 Apr 2019 11:54:56 GMT

Hi mate! @PhoneBoy I don't know if you saw the network diagram. Thank you!

Re: Virtual System bridge interfaces

PhoneBoy — Tue, 02 Apr 2019 14:21:05 GMT

I saw the diagram.
As others have said, you will need to use a VS per VLAN translation or translate them outside of VSX.

Re: Virtual System bridge interfaces

DPB_Point — Tue, 02 Apr 2019 14:52:50 GMT

Thanks!!!

Re: Virtual System bridge interfaces

CyberBreaker — Wed, 25 Mar 2020 16:08:59 GMT

Hi Guys,

I am deploying also a VS in bridge mode between two switches and I need to form the OSPF between the switches but I am having issues.

In the VS side, I setup the following interfaces to form the bridge using smart console.

br10

- eth1.200 (trunk)

- eth2.200 (trunk)

br20

- eth1.300 (trunk)

- eth2.300 (trunk)

In the switch side, I configure an SVI per VLAN. Then I configure the uplinks as trunk ports. This way, the OSPF is not forming and I do not see any traffic passing in the firewall.

However, when I configure the uplink ports of the switch to an access port for example access to vlan 200, the OSPF is forming and I can see traffic now in the firewall.

I would like to know what did I missed? The switchport should be working when I set it to trunk because my firewall interfaces are also in trunk mode as well.

Re: Virtual System bridge interfaces

DPB_Point — Wed, 25 Mar 2020 16:22:11 GMT

I think this is not related with this post.
I don't know if I understand your config. I think you need something like:

Bond1: eth1 + eth2

Create two bond subinterfaces:
bond1.200
bond1.300

Then bridge that two subinterfaces:
br10: Vlan200 and vlan300 have the same address range and the bridge will tag and untag packets between the two bound interfaces.

After this you must be able to see packets flowing through your firewall. Please, after changing the configuration run in CLI: >fw monitor -e 'accept host(YourSwitchIP);' and paste here the output. You can check it with tcpdump(from expert) too.
You must see the packet flowing through the 4 inspection points iIoO.

Re: Virtual System bridge interfaces

Jeff_Gao — Sun, 13 Sep 2020 12:17:30 GMT

@DPB_Point

What are the configuration of port1 and port2,thanks!