Hi Team,
I'd like to understand if there is any functional difference between adding interfaces in Network Topology manually and using the 'Get Interfaces' feature.
We used to add all interfaces manually. It worked, no issues.
Recently I tried to create a GRE tunnel on a cluster (R81.20). I followed sk169794. The only difference was that I added GRE interfaces manually instead of using 'Get Interfaces with Topology'.
The GRE tunnel was up and running; however, all GRE packets sent by a cluster member were sent with the active cluster member's physical interface IP as the source, not the VIP.
I've been told that running 'Get Interfaces with Topology' and installing policy should solve the issue. I ran 'Get Interfaces with Topology'; however, that created about a hundred configuration changes and I'm not happy to publish them.
I always believed that 'Get Interfaces' is a helpful shortcut used to make all interface name/IP/spoofing group/etc. creation easier. Is there anything else that happens behind the scenes?
Regards,
Pawel
I fail to see how Get Interfaces with Topology would resolve this issue.
I assume Cluster NAT isn't happening on GRE traffic.
Thank you for the reply.
That's exactly what I thought and I wasn't happy to follow the support recommendation and mess up my current config.
I had also created a manual NAT for GRE traffic; however, it did not work either.
Finally I decided to give up and moved GRE to other vendor devices.
Thank you again.
Hi @Pawel_;
Here is a comparison between adding interfaces manually in Network Topology and using the 'Get Interfaces' feature in SmartConsole:
Manual Configuration:
- Recommended for environments where precision and customization are critical, especially for special interfaces like loopback interfaces.
- Allows for the inclusion of special interfaces like loopback interfaces, which are not retrieved by the 'Get Interfaces' feature.

Get Interfaces Feature:
- Suitable for environments where efficiency and consistency are prioritized, and the number of interfaces is manageable.
- Automatically retrieves and configures multiple interfaces quickly, saving time. There is a higher chance of configuration errors due to manual input.
- Does not retrieve interfaces without assigned IP addresses (e.g., 0.0.0.0 or 127.0.0.1) or loopback interfaces.
Hi,
Got it, so 'Get Interfaces' is just an automatic way that helps to avoid configuration errors. If the interfaces are manually configured correctly, 'Get Interfaces' should not bring any additional value.
Thank you for your reply.
Correct. One other note that I mention in my classes is to NEVER do a "Get interfaces with topology" on an existing gateway that is in production, since, as you saw, doing so may attempt to reconfigure the topology of dozens or hundreds of interfaces and get you into anti-spoofing trouble. Use "Get interfaces without topology" on production gateways instead, then manually verify the topology settings for any new interfaces. "Get interfaces with topology" is fine for a new gateway you are deploying that is not in production yet, but you'll still need to manually verify the topology settings of all interfaces.
With over 100 interfaces (VLANs) it is still a lot of changes to push. And the time increases on some sort of exponential scale with the number of interfaces involved.
There are specific cases. For instance, VTI implementation asks you to perform a "Get interfaces without topology" as you can't create them manually, which is always a great feeling to have when clicking on this option on a production environment.
Get interfaces without topology would simply "fetch" what's on the OS level.
Andy