https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/173189#M28892 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/73441">@fjulianom</a>&nbsp;It's safe to do "get interfaces" in production. It won't take effect until you accept, publish and push the policy. Just make sure you don't publish anything and discard it. Usually, the only interface marked as "External" is the one linked to your default route. The logic is quite basic. I tend to switch most interfaces to "defined by routes".</P> <P>External in this regard is in the context of the firewall. Is the traffic behind or in front of the firewall? On a firewall connected to the Internet, the external interface would normally be the one the firewall itself uses for outbound traffic. Even if you have DMZ networks with public IP addresses, you usually mark them as "Internal" and add the option "Interface Leads to DMZ". This ensures that Threat Prevention Policies will treat your DMZ subnets like they are external adding additional protection by default.</P> Wed, 01 Mar 2023 13:02:18 GMT RamGuy239 2023-03-01T13:02:18Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/172634#M28793 <P>Hi experts,</P><P>&nbsp;</P><P>I have read this article&nbsp;<A href="https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.30/SmartConsole_OLH/EN/ZvkmnUK_XluBBIIAw1mF3A2" target="_blank" rel="noopener">Interface - Topology Settings</A>&nbsp;but still I can't understand how an external interface is defined. When a new firewall is set up, or if I do a "Get interfaces with topology", the external interfaces are those which are gateways for static routes? For example, if I have this in GAIA:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gaia.PNG" style="width: 769px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19768i51260E206FFD5605/image-size/large?v=v2&amp;px=999" role="button" title="gaia.PNG" alt="gaia.PNG" /></span></P><P>Gateways for 10.129.254.10 and 10.129.255.10 are interfaces eth10 and eth11, respectively. Does this mean eth10 and eth11 will be external, and the rest of interfaces will be internal?</P><P>What exactly does it mean "...calculated from the topology of the gateway"?</P><P><EM><STRONG>Internet (External)</STRONG>&nbsp;or&nbsp;<STRONG>This Network (Internal)&nbsp;</STRONG><STRONG>-&nbsp;</STRONG>This is the default setting. It is automatically calculated from the topology of the gateway.</EM></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Julián</SPAN></P> Fri, 24 Feb 2023 11:12:35 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/172634#M28793 fjulianom 2023-02-24T11:12:35Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/172667#M28797 <P>When you do Get Interfaces with Topology, whichever interface has the default route is set to External. Antispoofing groups are built for all the other interfaces containing network objects for the networks which route out that interface.</P> <P>In most situations, you should only use External and Internal &gt; Network Defined by Routes. Manually managing your antispoofing topology is a great way to shoot yourself in the foot over and over forever.</P> Fri, 24 Feb 2023 15:55:14 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/172667#M28797 Bob_Zimmerman 2023-02-24T15:55:14Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/172670#M28798 <P>Hi Bob,</P><P>&nbsp;</P><P>Ok, but in my case only one interface has the default route (eth11), the other one (eth10) has static routes, and both of them appear as Internet (External):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="624330CC-402C-4E42-B4C6-71540BFB185B.png" style="width: 502px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19776iC814B19A5F4302CB/image-size/medium?v=v2&amp;px=400" role="button" title="624330CC-402C-4E42-B4C6-71540BFB185B.png" alt="624330CC-402C-4E42-B4C6-71540BFB185B.png" /></span></P><P>Shouldn’t eth10 appear as Internal?</P><P>&nbsp;</P><P>Regards,</P><P>Julian</P> Fri, 24 Feb 2023 17:07:37 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/172670#M28798 fjulianom 2023-02-24T17:07:37Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/172683#M28802 <P>Hey Julian,</P> <P>2 questions:</P> <P>1) What happens if you click "get interfaces without topology"?</P> <P>2) What IP is defined for internal interface?</P> <P>Andy</P> Fri, 24 Feb 2023 19:30:58 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/172683#M28802 the_rock 2023-02-24T19:30:58Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/173112#M28877 <P>Hi Andy,</P><P>&nbsp;</P><P>I don't understand your questions:</P><P>&nbsp;</P><P>1. I can't do a "get interfaces...", the firewall is in production.</P><P>2. What internal interface do you refer to?</P><P>&nbsp;</P><P>Regards,</P><P>Julián</P> Wed, 01 Mar 2023 07:41:20 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/173112#M28877 fjulianom 2023-03-01T07:41:20Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/173189#M28892 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/73441">@fjulianom</a>&nbsp;It's safe to do "get interfaces" in production. It won't take effect until you accept, publish and push the policy. Just make sure you don't publish anything and discard it. Usually, the only interface marked as "External" is the one linked to your default route. The logic is quite basic. I tend to switch most interfaces to "defined by routes".</P> <P>External in this regard is in the context of the firewall. Is the traffic behind or in front of the firewall? On a firewall connected to the Internet, the external interface would normally be the one the firewall itself uses for outbound traffic. Even if you have DMZ networks with public IP addresses, you usually mark them as "Internal" and add the option "Interface Leads to DMZ". This ensures that Threat Prevention Policies will treat your DMZ subnets like they are external adding additional protection by default.</P> Wed, 01 Mar 2023 13:02:18 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/173189#M28892 RamGuy239 2023-03-01T13:02:18Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/173986#M29055 <P>Hi RamGuy239,</P><P>&nbsp;</P><P>I didn't forget this topic. I wanted to do a "get interfaces" but I had this error because for some reason I have some interfaces locked:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error.PNG" style="width: 448px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/19985i424D87D715D76A71/image-size/large?v=v2&amp;px=999" role="button" title="error.PNG" alt="error.PNG" /></span></P><P>So I open a TAC case to solve this. Anyway, I have been investigating my firewall configuration and I think I have two external interfaces because I have<SPAN>&nbsp;the default route via eth11, eth10 has static routes, but in the PBR section eth10 is used as default route, this makes more sense.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Julián</SPAN></P> Wed, 08 Mar 2023 07:22:36 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/173986#M29055 fjulianom 2023-03-08T07:22:36Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/174061#M29070 <P>Hi&nbsp;<SPAN>Hi RamGuy239,</SPAN></P><P>&nbsp;</P><P><SPAN>I solved the problem. I was able to do "Get interfaces" and after doing it, both interfaces appeared as external. As said before,&nbsp;I think these two interfaces are external because I have&nbsp;the default route via eth11, eth10 has static routes, but in the PBR section eth10 is used as default route.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Julián</SPAN></P> Wed, 08 Mar 2023 15:45:39 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/174061#M29070 fjulianom 2023-03-08T15:45:39Z https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/174064#M29072 <P>I saw your answer to my post just now, apologies. Well, this can be topic for discussion, but I will throw in my 2 cents. Personally, I always suggest to do get interfaces without topology, specially in production. Plus I believe its good idea to use option "network defined by routes", because thats CP recommended way to begin with. Please refer to below:</P> <P><A href="https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.30/SmartConsole_OLH/EN/ZvkmnUK_XluBBIIAw1mF3A2" target="_blank">https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.30/SmartConsole_OLH/EN/ZvkmnUK_XluBBIIAw1mF3A2</A></P> <P>Cheers,</P> <P>&nbsp;</P> <P>Andy</P> Wed, 08 Mar 2023 15:52:22 GMT https://community.checkpoint.com/t5/General-Topics/About-external-interfaces/m-p/174064#M29072 the_rock 2023-03-08T15:52:22Z