Unable to get bridge mode working in R80.10 Checkpoint VM

ravikush11 — Wed, 28 Aug 2019 04:06:53 GMT

Hi all,

I have installed an evaluation version of All-in-one R80.10 Checkpoint Firewall in a VM.

I don't have Smart Console in our setup, so I have done all the configuration using Gaia CLI.

Following is the configuration I have done:

set interface eth1 state on
set interface eth2 state on
add bridging group 0
add bridging group 0 interface eth1
add bridging group 0 interface eth2

mgmt add host name "Mgmt" ip-address "10.0.2.2"
mgmt add access-rule layer "Network" name "Management Rule" source "Mgmt" service.1 "ssh" service.2 "https" position "top" action "Accept"
mgmt add access-rule layer "Network" name "FW-rule" source "All_Internet" service "any" position.below "Management Rule" action "Accept"
mgmt publish
mgmt install-policy policy-package "Standard"

But I am facing one issue, the bridge is not forwarding the traffic received on eth1 to eth2. I have tried disabling anti-spoofing also but it didn't help.

fw ctl set int fw_local_interface_anti_spoofing 0
fw ctl set int fw_antispoofing_enabled 0

The fw monitor logs shows only inbound traffic.

eth1:i0 (IP Options Strip (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i1 (Stateless verifications (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i2 (fw multik misc proto forwarding)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i3 (SecureXL conn sync)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i4 (fw VM inbound )[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I5 (SecureXL inbound)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I6 (fw SCV inbound)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I7 (passive streaming (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I8 (TCP streaming (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I9 (IP Options Restore (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I10 (Chain End)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i0 (IP Options Strip (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i1 (Stateless verifications (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i2 (fw multik misc proto forwarding)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i3 (SecureXL conn sync)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i4 (fw VM inbound )[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I5 (SecureXL inbound)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I6 (fw SCV inbound)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I7 (passive streaming (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I8 (TCP streaming (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I9 (IP Options Restore (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I10 (Chain End)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1

Can anyone please suggest what I am missing in the configuration?

Re: Unable to get bridge mode working in R80.10 Checkpoint VM

Maarten_Sjouw — Wed, 28 Aug 2019 07:52:00 GMT

Be aware that when you have an ip address that will be showing up on more than one network interfaces the VM switches will mess it up with their security settings. You will probably need to disable all security settings on those ports.

topic Unable to get bridge mode working in R80.10 Checkpoint VM in API / CLI Discussion

Unable to get bridge mode working in R80.10 Checkpoint VM

Re: Unable to get bridge mode working in R80.10 Checkpoint VM