topic Re: Discovering changes in topology table in General Topics

Discovering changes in topology table

s_milidrag — Sun, 27 Jan 2019 10:08:11 GMT

Hello Checkmates,

What is the difference between "Get Interface Without Topology" and "Get Interface With Topology" ?

What will firs and what will second option do ?

When to use "Get Interface With Topology" and when "Get Interface Without Topology" in discovering topology changes.

I have R80.20

Re: Discovering changes in topology table

Mark_Mitchell — Sun, 27 Jan 2019 11:15:32 GMT

Hi Slobodan,

The get Interfaces with topology option will interrogate the gateway to retrieve the interfaces, it will also calculate the topology and also set the interfaces (this network only etc) for the purposes of anti-spoofing based on the routing table .

Using only the "Get Interfaces without topology" will get all interfaces without changing your existing topology.

From experience I only use the "with" option when configuring a new gateway. As performing a topology get on an existing gateway/cluster may change your desired topology if you have set some specific spoofing groups up.

Personally I like to control the topology and will more than likely make changes to the topology even when using the "with topology:" option.

Hope this helps.

Cheers

Mark

Re: Discovering changes in topology table

s_milidrag — Sun, 27 Jan 2019 12:05:02 GMT

Thanks Mark,

I've noticed in a case I have changes in routing (add static routes) and run "Get Interface Without Topology", gateway will not update topology table, so I need to run "Get Interface With Topology"

Re: Discovering changes in topology table

Mark_Mitchell — Sun, 27 Jan 2019 12:10:22 GMT

Happy to help.

Yes, if you are using the "Determine Topology based on route table" setting under the gateway/cluster that is correct otherwise then topology needs to be defined manually .

Cheers

Mark

Re: Discovering changes in topology table

Vladimir — Sun, 27 Jan 2019 16:45:39 GMT

On existing production gateway or cluster, the difference between "Get Interface Without Topology" and "Get Interface With Topology" is typically 2 to 4 hours of troubleshooting

Seriously though, when you already have manually defined topology and antispoofing settings, the "With Topology" may wreck a havoc on your infrastructure. See this thread for example: Cluster Sync lost after Get Interfaces with topology

It may also create a duplicate network objects.

Re: Discovering changes in topology table

AlekseiShelepov — Sun, 27 Jan 2019 22:13:50 GMT

I totally agree.

The safest way is to choose "without topology" for existing devices. If there are some legacy configurations, if some part of the network is not documented, if there are many people managing firewalls, if there are just many vlans, better to just add manually the new network to the group.

Also, adding to duplicate objects, you can have some naming convention that this automatic retreival will not care about, of course.

Re: Discovering changes in topology table

Maarten_Sjouw — Mon, 28 Jan 2019 18:36:08 GMT

Slobodan, even though this might look fancy and is easy when you add routes, however, did you see how these networks are created in the objects database? Irrelevant if the network already exists or not a new network object is created in a semi-hidden state. What I mean by that is that you cannot add that network to a access rule or a group as it just does not show up in the listing. So later on when that network is removed from your environment, your stuck with a hidden object for a non existing network.

In a network with many changes this is not something you want

Specifically in Cluster environments I would not use the With topology option, as mentioned by Vladimir Yakovlev below.

Re: Discovering changes in topology table

Support_Team_Pi — Fri, 27 Mar 2020 10:11:06 GMT

Hi Vladimir,

So what happens if you don't use neither of the options, but just create manually and then policy push?
When testing this, it seems like the topology information where specific groups were defined before adding new VLAN interface are now disappeared and I am seeing anti-spoofing blocks on entirely different interfaces than the new ones I added..

Any idea?

KC.

Re: Discovering changes in topology table

starmen2000 — Tue, 27 Jun 2023 02:45:21 GMT

What is difference between clicking get interfaces without Topology and to add interface manually? As i understand, they sound same to me.

Re: Discovering changes in topology table

PhoneBoy — Tue, 27 Jun 2023 19:58:54 GMT

Get Interfaces (without topology) will automatically define any interfaces that don't exist.
It will not define the topology settings for new interfaces nor will it disrupt the topology configuration that exists for other interaces.

Re: Discovering changes in topology table

Tal009988 — Mon, 03 Jul 2023 17:21:19 GMT

Hi @PhoneBoy

Can you please confirm that there is downtime if Get Interfaces with topology is used,

Existing interfaces will be not reachable until the process is completed (Get Interfaces with topology )

Re: Discovering changes in topology table

PhoneBoy — Mon, 03 Jul 2023 20:34:07 GMT

The issue with Get Interfaces with Topology won't cause an outage.
It will, however, reset the topology configuration and possibly create extra objects in the process.

Re: Discovering changes in topology table

alissone007 — Thu, 15 Feb 2024 16:38:17 GMT

Hi Mark,

I got a question please regarding the network defined by routes!

Currently my setup is to add the manual static routes on the firewalls and then do a get interface with topology! By doing this I am getting a lot of hidden duplicated object which I want to avoid that. (sk126872)

We are changing our routing from static to dynamic in the next few month and I was wondering if I use the option Network defined by routes will I still have duplicated object created ? if yes, what is the best approach to avoid this? as I understand using the option specific with a manually created network groups is mainly for static routes right?

I also saw this in the documentation

When the Network defined by routes option is selected along with Perform Anti-Spoofing based on interface topology, you get Dynamic Anti-Spoofing. The valid IP addresses range is automatically calculated without the administrator having to do click Get Interfaces or install a policy

Regards,

Alissone

Re: Discovering changes in topology table

PhoneBoy — Fri, 16 Feb 2024 19:10:13 GMT

By using the Network Defined By Routes option, you do not have to define the topology (and no duplicate objects are created).
This feature will work with either dynamic or static routes.

Re: Discovering changes in topology table

the_rock — Fri, 16 Feb 2024 19:58:29 GMT

Hey,

This is definitely the best explanation from the smart console help page.

Best,

Andy

Interface - Topology Settings (checkpoint.com)

Understanding Topology

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.
Override - Override the default setting.

If you Override the default setting:

Internet (External) - All external/Internet addresses
This Network (Internal) -
- Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface
- Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface
- Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.
- Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface
- Interface leads to DMZ - The DMZ that directly connects to this internal interface

VPN Tunnel Interfaces

If the interface is part of a VPN Tunnel

, then the interface Leads To a Point to Point network. The interface is one end of the point to point connection. All traffic in the network behind the interface is part of the point to point connection. Click Override to define a specific network.