topic Re: Get interface in General Topics

Get interface

RemoteUser — Tue, 15 Apr 2025 12:05:15 GMT

what is the difference between get interface with topology and without?
which one is better to use? and why?

Re: Get interface

PhoneBoy — Tue, 15 Apr 2025 16:53:13 GMT

Get Interfaces is generally safer as it only adds detected interfaces to the gateway object without setting or changing any configuration related to them.
Get Interfaces With Topology will actually set the anti-spoofing configuration based on what it can see in the device's routing table.
Problem is: duplicate and sometimes hidden objects are created as part of this process.
Which is why using Get Interfaces With Topology is generally not considered best practice to use outside of an initial configuration.

Re: Get interface

the_rock — Tue, 15 Apr 2025 16:56:33 GMT

Phoneboy explained it exactly how it is. For your reference, I would strongly recommend to use without topology. Below are settings its referring to.

Andy

Interface - Topology Settings

Understanding Topology

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.
Override - Override the default setting.

If you Override the default setting:

Internet (External) - All external/Internet addresses
This Network (Internal) -
- Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface
- Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface
- Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.
- Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface
- Interface leads to DMZ - The DMZ that directly connects to this internal interface

VPN Tunnel Interfaces

If the interface is part of a VPN Tunnel

, then the interface Leads To a Point to Point network. The interface is one end of the point to point connection. All traffic in the network behind the interface is part of the point to point connection. Click Override to define a specific network.

Re: Get interface

Lesley — Tue, 15 Apr 2025 18:39:29 GMT

What posted before by phoneboy and the_rock is good advice.

Only extra tip I can add, screenshot toplogy before fetch and compare it after. Then you are sure the right changes are performed.

Fetching with toplogy I have never done (yet) before

Re: Get interface

the_rock — Tue, 15 Apr 2025 18:41:11 GMT

Excellent advice Lesley.

Re: Get interface

Timothy_Hall — Wed, 10 Sep 2025 14:11:49 GMT

My general advice is to only use "Get Interfaces With Topology" on a new gateway that is not yet in production. For a production gateway, one should only use "Get Interfaces Without Topology" and then manually set topology for any newly fetched interfaces. "Get Interfaces With Topology" should be avoided on a production gateway as it can disrupt the topology settings of preexisting interfaces, resulting in massive anti-spoofing drops.

This behavior has been fully documented here at last: sk183590: "Get interfaces with topology" and "Get interfaces without topology" actions in SmartConsole

Re: Get interface

the_rock — Wed, 10 Sep 2025 14:45:10 GMT

100% agree...thats what I always suggest to people as well.

Andy