
Unable to get bridge mode working in R80.10 Checkpoint VM

Hi all,

I have installed an evaluation version of All-in-one R80.10 Checkpoint Firewall in a VM.

I don't have SmartConsole in our setup, so I have done all the configuration using the Gaia CLI.

Following is the configuration I have done:

set interface eth1 state on
set interface eth2 state on
add bridging group 0
add bridging group 0 interface eth1
add bridging group 0 interface eth2

mgmt add host name "Mgmt" ip-address "10.0.2.2"
mgmt add access-rule layer "Network" name "Management Rule" source "Mgmt" service.1 "ssh" service.2 "https" position "top" action "Accept"
mgmt add access-rule layer "Network" name "FW-rule" source "All_Internet" service "any" position.below "Management Rule" action "Accept"
mgmt publish
mgmt install-policy policy-package "Standard"

But I am facing one issue: the bridge is not forwarding the traffic received on eth1 to eth2. I have also tried disabling anti-spoofing, but it didn't help.

fw ctl set int fw_local_interface_anti_spoofing 0
fw ctl set int fw_antispoofing_enabled 0

The fw monitor log shows only inbound traffic.

eth1:i0 (IP Options Strip (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i1 (Stateless verifications (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i2 (fw multik misc proto forwarding)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i3 (SecureXL conn sync)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i4 (fw VM inbound )[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I5 (SecureXL inbound)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I6 (fw SCV inbound)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I7 (passive streaming (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I8 (TCP streaming (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I9 (IP Options Restore (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I10 (Chain End)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i0 (IP Options Strip (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i1 (Stateless verifications (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i2 (fw multik misc proto forwarding)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i3 (SecureXL conn sync)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:i4 (fw VM inbound )[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I5 (SecureXL inbound)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I6 (fw SCV inbound)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I7 (passive streaming (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I8 (TCP streaming (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I9 (IP Options Restore (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I10 (Chain End)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1

Can anyone please suggest what I am missing in the configuration?

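One way to read a capture like the one above is to check, per interface, which fw monitor chain positions a packet actually reached. The script below is an added example, not part of the original post and not Check Point's own tooling; it assumes fw monitor's position letters (i/I inbound, o/O outbound) and the `fw monitor -e 'accept;'` invocation, and runs over constructed sample lines.

```shell
#!/bin/sh
# Added example, not from the original post or from Check Point: summarise an
# fw monitor capture by interface and chain position to see whether any packet
# ever reaches an outbound chain. Position letters: i = before inbound
# inspection, I = after inbound, o = before outbound, O = after outbound.
# On the gateway (expert mode): fw monitor -e 'accept;' | fwmon_dirs
# Print one "<iface> <positions seen>" line per interface, sorted by name.
fwmon_dirs() {
    awk '
    match($0, /^[A-Za-z0-9._-]+:[iIoO][0-9]+ /) {
        tok = substr($0, RSTART, RLENGTH)
        n = index(tok, ":")
        iface = substr(tok, 1, n - 1); dir = substr(tok, n + 1, 1)
        seen[iface, dir] = 1; ifaces[iface] = 1
    }
    END {
        for (f in ifaces) {
            dirs = ""
            for (k = 1; k <= 4; k++) {
                d = substr("iIoO", k, 1)
                if ((f, d) in seen) dirs = dirs d
            }
            print f, dirs
        }
    }' | sort
}

# "forwarded" if some packet passed a post-outbound (O) point, else "no-forwarding".
fwmon_verdict() {
    if fwmon_dirs | grep -E ' [iIo]*O$' >/dev/null
    then echo forwarded; else echo no-forwarding; fi
}

# Constructed sample shaped like the capture in the post: eth1 inbound chains only.
sample_stuck() {
cat <<'EOF'
eth1:i0 (IP Options Strip (in))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth1:I10 (Chain End)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
EOF
}
# Constructed sample of a working bridge: the packet also leaves through eth2.
sample_ok() {
sample_stuck
cat <<'EOF'
eth2:o0 (IP Options Strip (out))[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
eth2:O10 (Chain End)[1010]: 1.2.3.4 -> 19.19.19.5 (UDP) len=1010 id=1
EOF
}
sample_stuck | fwmon_verdict; sample_ok | fwmon_verdict   # no-forwarding / forwarded
```

A capture that shows only i/I positions on eth1, as in the post, means the packet was accepted inbound but never handed to eth2's outbound chain, so the bridge membership, the policy, or (per the reply below) the hypervisor's port security settings are the places to look.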

Be aware that when you have an IP address that will be showing up on more than one network interface, the VM switches will mess it up with their security settings. You will probably need to disable all security settings on those ports.
Regards, Maarten