fjulianom (Advisor)

About external interfaces

Hi experts,

I have read the article Interface - Topology Settings, but I still can't understand how an external interface is defined. When a new firewall is set up, or if I do a "Get interfaces with topology", are the external interfaces those which are gateways for static routes? For example, if I have this in GAIA:

[attached screenshot: gaia.PNG]

Gateways for 10.129.254.10 and 10.129.255.10 are interfaces eth10 and eth11, respectively. Does this mean eth10 and eth11 will be external, and the rest of interfaces will be internal?

What exactly does "...calculated from the topology of the gateway" mean?

Internet (External) or This Network (Internal) This is the default setting. It is automatically calculated from the topology of the gateway.

Regards,

Julián

8 Replies
Bob_Zimmerman (Authority), accepted solution

When you do Get Interfaces with Topology, whichever interface has the default route is set to External. Antispoofing groups are built for all the other interfaces containing network objects for the networks which route out that interface.

In most situations, you should only use External and Internal > Network Defined by Routes. Manually managing your antispoofing topology is a great way to shoot yourself in the foot over and over forever.

fjulianom (Advisor)

Hi Bob,

Ok, but in my case only one interface has the default route (eth11), the other one (eth10) has static routes, and both of them appear as Internet (External):

[attached screenshot: 624330CC-402C-4E42-B4C6-71540BFB185B.png]

Shouldn’t eth10 appear as Internal?

Regards,

Julian

the_rock (Legend)

Hey Julian,

2 questions:

1) What happens if you click "get interfaces without topology"?

2) What IP is defined for the internal interface?

Andy

fjulianom (Advisor)

Hi Andy,

I don't understand your questions:

1. I can't do a "get interfaces..."; the firewall is in production.

2. Which internal interface do you refer to?

Regards,

Julián

RamGuy239 (Advisor), accepted solution

@fjulianom It's safe to do "get interfaces" in production. It won't take effect until you accept, publish and push the policy. Just make sure you don't publish anything and discard it. Usually, the only interface marked as "External" is the one linked to your default route. The logic is quite basic. I tend to switch most interfaces to "defined by routes".

External in this regard is in the context of the firewall. Is the traffic behind or in front of the firewall? On a firewall connected to the Internet, the external interface would normally be the one the firewall itself uses for outbound traffic. Even if you have DMZ networks with public IP addresses, you usually mark them as "Internal" and add the option "Interface Leads to DMZ". This ensures that Threat Prevention Policies will treat your DMZ subnets like they are external, adding additional protection by default.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
fjulianom (Advisor)

Hi RamGuy239,

I didn't forget this topic. I wanted to do a "get interfaces", but I got this error because, for some reason, I have some interfaces locked:

[attached screenshot: error.PNG]

So I opened a TAC case to solve this. Anyway, I have been investigating my firewall configuration and I think I have two external interfaces: I have the default route via eth11, and eth10 has static routes, but in the PBR section eth10 is used as the default route. This makes more sense.

Regards,

Julián

fjulianom (Advisor)

Hi RamGuy239,

I solved the problem. I was able to do "Get interfaces", and after doing it, both interfaces appeared as external. As said before, I think these two interfaces are external because I have the default route via eth11, and eth10 has static routes, but in the PBR section eth10 is used as the default route.

Regards,

Julián

the_rock (Legend)

I saw your answer to my post just now, apologies. Well, this can be a topic for discussion, but I will throw in my 2 cents. Personally, I always suggest doing "get interfaces without topology", especially in production. Plus, I believe it's a good idea to use the option "network defined by routes", because that's the CP-recommended way to begin with. Please refer to the below:

https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R8...

Cheers,

Andy
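The rule Bob describes (the interface holding the default route becomes External, every other interface becomes Internal with an anti-spoofing group built from the networks routed out of it, i.e. "Network defined by routes" as Andy recommends) and Julián's observation that a default route in a PBR table also turns eth10 External, modelled in Python. This is an added illustration, not Check Point's implementation nor code from anyone in the thread: the `consider_pbr` switch, the interface addresses and the static-route destinations are constructed assumptions; only the next-hop addresses 10.129.254.10 and 10.129.255.10 come from the thread.

```python
"""Model of deriving interface topology and anti-spoofing groups from a routing table.

Added illustration of the logic discussed in the thread; not Check Point's code.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass(frozen=True)
class Route:
    destination: str            # CIDR; "0.0.0.0/0" is the default route
    next_hop: Optional[str]     # gateway address, None for directly connected
    interface: str              # egress interface name
    table: str = "main"         # "main" or the name of a PBR table (assumed field)


@dataclass(frozen=True)
class Interface:
    name: str
    address: str                # interface address with prefix, e.g. "10.129.255.1/24"


@dataclass
class Topology:
    kind: str                                              # "External" or "Internal"
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)  # anti-spoofing group


def derive_topology(interfaces: List[Interface], routes: List[Route],
                    consider_pbr: bool = False) -> Dict[str, Topology]:
    """Assign External/Internal per interface from the routing table.

    The interface carrying the default route is External. Every other interface is
    Internal, with a group of its connected network plus every network routed out of
    it ("Network defined by routes"). With consider_pbr=True (assumption modelling
    the thread's eth10 case) a default route in a PBR table also marks its
    interface External.
    """
    external = {
        r.interface for r in routes
        if r.destination == DEFAULT_ROUTE and (r.table == "main" or consider_pbr)
    }
    result: Dict[str, Topology] = {}
    for iface in interfaces:
        if iface.name in external:
            result[iface.name] = Topology("External")
            continue
        nets = [ipaddress.ip_interface(iface.address).network]
        nets += [ipaddress.ip_network(r.destination) for r in routes
                 if r.interface == iface.name and r.destination != DEFAULT_ROUTE]
        # collapse_addresses de-duplicates and merges overlapping prefixes
        result[iface.name] = Topology("Internal", list(ipaddress.collapse_addresses(nets)))
    return result


def antispoofing_verdict(topology: Dict[str, Topology], ingress: str, src: str) -> str:
    """Return "accept" or "drop" for a packet's source address arriving on ingress.

    Internal interface: the source must belong to that interface's own group.
    External interface: the source must not belong to any Internal group.
    """
    addr = ipaddress.ip_address(src)
    topo = topology[ingress]
    if topo.kind == "Internal":
        return "accept" if any(addr in n for n in topo.networks) else "drop"
    internal_nets = [n for t in topology.values() if t.kind == "Internal" for n in t.networks]
    return "drop" if any(addr in n for n in internal_nets) else "accept"


# Constructed sample modelled on the thread: eth11 holds the default route, eth10
# carries static routes and is also the default in a PBR table.
INTERFACES = [
    Interface("eth1", "192.168.10.1/24"),
    Interface("eth2", "172.16.0.1/24"),
    Interface("eth10", "10.129.254.1/24"),
    Interface("eth11", "10.129.255.1/24"),
]
ROUTES = [
    Route(DEFAULT_ROUTE, "10.129.255.10", "eth11"),
    Route("10.20.0.0/16", "10.129.254.10", "eth10"),
    Route("10.30.0.0/16", "10.129.254.10", "eth10"),
    Route("172.16.0.0/24", None, "eth2"),
    Route("172.16.5.0/24", "172.16.0.254", "eth2"),
    Route(DEFAULT_ROUTE, "10.129.254.10", "eth10", table="pbr_eth10"),
]

if __name__ == "__main__":
    for pbr in (False, True):
        print(f"consider_pbr={pbr}")
        for name, t in derive_topology(INTERFACES, ROUTES, consider_pbr=pbr).items():
            print(f"  {name}: {t.kind} {[str(n) for n in t.networks]}")
```

With `consider_pbr=False` only eth11 is External and eth10 gets the group 10.20.0.0/16, 10.30.0.0/16 and 10.129.254.0/24, so a packet claiming 10.20.0.7 that arrives on eth11 is dropped. With `consider_pbr=True` both eth10 and eth11 are External, no Internal group contains 10.20.0.0/16 any more, and the same packet on eth11 is accepted: a second External interface removes anti-spoofing coverage for the networks behind it, which is worth checking in the calculated groups before publishing.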
