s_milidrag
Participant

Discovering changes in topology table

Hello Checkmates,

What is the difference between "Get Interface Without Topology" and "Get Interface With Topology"?

What will the first option do, and what will the second option do?

When should I use "Get Interface With Topology", and when "Get Interface Without Topology", when discovering topology changes?

I have R80.20

SM
0 Kudos
14 Replies
Mark_Mitchell
Advisor

Hi Slobodan,

The "Get Interfaces with Topology" option will interrogate the gateway to retrieve the interfaces; it will also calculate the topology and set the interfaces ("This Network" only, etc.) for the purposes of anti-spoofing, based on the routing table.

Using only "Get Interfaces without Topology" will get all interfaces without changing your existing topology.

From experience, I only use the "with" option when configuring a new gateway, as performing a topology get on an existing gateway/cluster may change your desired topology if you have set some specific spoofing groups up.

Personally, I like to control the topology and will more than likely make changes to the topology even when using the "with topology" option.

Hope this helps. 

Cheers

Mark

s_milidrag
Participant

Thanks Mark,

I've noticed that in a case where I have changes in routing (adding static routes) and run "Get Interface Without Topology", the gateway will not update the topology table, so I need to run "Get Interface With Topology".

SM
0 Kudos
Maarten_Sjouw
Champion

Slobodan, even though this might look fancy and is easy when you add routes, did you see how these networks are created in the objects database? Regardless of whether the network already exists or not, a new network object is created in a semi-hidden state. What I mean by that is that you cannot add that network to an access rule or a group, as it just does not show up in the listing. So later on, when that network is removed from your environment, you're stuck with a hidden object for a non-existing network.

In a network with many changes, this is not something you want.

Specifically in cluster environments I would not use the With Topology option, as mentioned by Vladimir Yakovlev below.

Regards, Maarten
Mark_Mitchell
Advisor

Happy to help. 

Yes, if you are using the "Determine Topology based on route table" setting under the gateway/cluster, that is correct; otherwise the topology needs to be defined manually.

Cheers

Mark

0 Kudos
alissone007
Explorer

Hi Mark,

I got a question please regarding the network defined by routes!

Currently my setup is to add the manual static routes on the firewalls and then do a Get Interfaces with Topology. By doing this I am getting a lot of hidden duplicated objects, which I want to avoid (sk126872).

We are changing our routing from static to dynamic in the next few months, and I was wondering: if I use the option Network defined by routes, will I still have duplicated objects created? If yes, what is the best approach to avoid this? As I understand it, using the option Specific with manually created network groups is mainly for static routes, right?

I also saw this in the documentation

When the Network defined by routes option is selected along with Perform Anti-Spoofing based on interface topology, you get Dynamic Anti-Spoofing. The valid IP address range is automatically calculated without the administrator having to click Get Interfaces or install a policy.

Regards,

Alissone

0 Kudos
PhoneBoy
Admin

By using the Network Defined By Routes option, you do not have to define the topology (and no duplicate objects are created).
This feature will work with either dynamic or static routes.

0 Kudos
the_rock
Legend

Hey,

This is definitely the best explanation, from the SmartConsole help page.

Best,

Andy


Interface - Topology Settings (checkpoint.com)

Understanding Topology

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

  • Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.

  • Override - Override the default setting.

If you Override the default setting:

  • Internet (External) - All external/Internet addresses

  • This Network (Internal) -

    • Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface

    • Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface

    • Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.

    • Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface

    • Interface leads to DMZ - The DMZ that directly connects to this internal interface

VPN Tunnel Interfaces

If the interface is part of a VPN Tunnel, then the interface Leads To a Point to Point network. The interface is one end of the point to point connection. All traffic in the network behind the interface is part of the point to point connection. Click Override to define a specific network.

0 Kudos
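To make the behaviour Mark describes above and the "Network defined by routes" text from the help page concrete, here is a small model, written as an added example for this thread and not Check Point code: it derives the topology behind each interface from a routing table, applies an anti-spoofing decision against it, shows what the two "Get Interfaces" variants overwrite, and shows why creating an object per calculated network produces the duplicate objects discussed further up. All interface names, routes and object names are constructed for the example.

```python
"""Added example (not Check Point's code): a model of routing-derived topology,
anti-spoofing checks, the two "Get Interfaces" variants, and duplicate objects.
All interface names, routes and object names below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    name: str
    cidr: str                                  # interface IP/mask, e.g. "10.1.1.1/24"
    topology: set = field(default_factory=set)  # networks allowed behind it


@dataclass
class Route:
    dest: str   # destination prefix; "0.0.0.0/0" is the default route
    via: str    # outgoing interface name


def topology_from_routes(interfaces, routes):
    """Per-interface topology = directly connected network plus every static route
    leaving through that interface ("Network defined by routes"). The interface
    carrying the default route is treated as External. Returns (topo, external)."""
    topo = {i.name: {ip_network(i.cidr, strict=False)} for i in interfaces}
    external = set()
    for r in routes:
        net = ip_network(r.dest)
        if net.prefixlen == 0:
            external.add(r.via)
        else:
            topo[r.via].add(net)
    return topo, external


def spoof_check(topo, external, ifname, src):
    """Anti-spoofing decision: True if a packet from src is legitimate on ifname.
    Internal interfaces accept only their own topology; External interfaces
    accept anything that is not an internal network."""
    ip = ip_address(src)
    if ifname in external:
        internal = [n for name, nets in topo.items() if name not in external for n in nets]
        return not any(ip in n for n in internal)
    return any(ip in n for n in topo[ifname])


def get_without_topology(current, discovered):
    """Add interfaces the object does not have yet; existing ones are untouched."""
    merged = {n: Interface(i.name, i.cidr, set(i.topology)) for n, i in current.items()}
    for i in discovered:
        merged.setdefault(i.name, Interface(i.name, i.cidr))  # topology: Not Defined
    return merged


def get_with_topology(current, discovered, routes):
    """Recalculate every interface's topology from the routes, discarding whatever
    was configured by hand (`current` is deliberately ignored)."""
    topo, _ = topology_from_routes(discovered, routes)
    return {i.name: Interface(i.name, i.cidr, topo[i.name]) for i in discovered}


def register_networks(objects, networks, reuse_existing):
    """Create network objects for calculated networks. With reuse_existing=False a
    new object is created even if one with the same CIDR exists (the duplicate
    objects described in the thread); with True that object is reused.
    Returns (objects, names_created)."""
    objects = dict(objects)
    by_cidr = {cidr: name for name, cidr in objects.items()}
    created = []
    for net in sorted(networks, key=lambda n: (int(n.network_address), n.prefixlen)):
        cidr = str(net)
        if reuse_existing and cidr in by_cidr:
            continue
        name = f"Net_{net.network_address}_{net.prefixlen}"
        objects[name] = cidr
        by_cidr.setdefault(cidr, name)
        created.append(name)
    return objects, created


# Constructed sample gateway: eth0 faces the Internet, eth1/eth2 are internal.
INTERFACES = [Interface("eth0", "203.0.113.2/24"),
              Interface("eth1", "10.1.1.1/24"),
              Interface("eth2", "10.2.2.1/24")]
ROUTES = [Route("0.0.0.0/0", "eth0"),
          Route("10.10.0.0/16", "eth1"),
          Route("192.168.5.0/24", "eth2")]
EXISTING_OBJECTS = {"LAN_Core": "10.10.0.0/16"}   # object the admin created by hand


def demo():
    topo, ext = topology_from_routes(INTERFACES, ROUTES)
    # Admin-tuned configuration: eth1 deliberately restricted to one network.
    current = {"eth1": Interface("eth1", "10.1.1.1/24", {ip_network("10.10.0.0/16")})}
    discovered = INTERFACES + [Interface("eth3", "10.3.3.1/24")]   # a new VLAN
    kept = get_without_topology(current, discovered)
    reset = get_with_topology(current, discovered, ROUTES)
    _, dup_created = register_networks(EXISTING_OBJECTS, topo["eth1"], reuse_existing=False)
    _, ok_created = register_networks(EXISTING_OBJECTS, topo["eth1"], reuse_existing=True)
    return {
        "eth1_manual_topology_kept": kept["eth1"].topology == current["eth1"].topology,
        "eth1_topology_after_with": sorted(map(str, reset["eth1"].topology)),
        "duplicates_created": dup_created,
        "dedup_created": ok_created,
        "legit_on_eth2": spoof_check(topo, ext, "eth2", "10.10.3.4"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Running `demo()` shows the three points of the thread side by side: the "without" merge adds eth3 and leaves the hand-tuned eth1 topology intact, the "with" recalculation replaces it with the routing-derived set, and registering the calculated networks without checking for an existing object of the same CIDR yields a second object for 10.10.0.0/16 next to the admin's own.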
Vladimir
Champion

On an existing production gateway or cluster, the difference between "Get Interface Without Topology" and "Get Interface With Topology" is typically 2 to 4 hours of troubleshooting :)

Seriously though, when you already have manually defined topology and anti-spoofing settings, the "With Topology" option may wreak havoc on your infrastructure. See this thread for example: Cluster Sync lost after Get Interfaces with topology

It may also create duplicate network objects.

AlekseiShelepov
Advisor

I totally agree.

The safest way is to choose "without topology" for existing devices. If there are some legacy configurations, if some part of the network is not documented, if there are many people managing the firewalls, or if there are just many VLANs, it is better to just add the new network to the group manually.

Also, in addition to the duplicate objects, you may have a naming convention that this automatic retrieval will not care about, of course.

starmen2000
Collaborator

What is the difference between clicking Get Interfaces without Topology and adding an interface manually? As I understand it, they sound the same to me.

0 Kudos
PhoneBoy
Admin

Get Interfaces (without topology) will automatically define any interfaces that don't exist.
It will not define the topology settings for new interfaces, nor will it disrupt the topology configuration that exists for other interfaces.

0 Kudos
Tal009988
Explorer

Hi @PhoneBoy

Can you please confirm whether there is downtime if Get Interfaces with Topology is used?

Will existing interfaces be unreachable until the process (Get Interfaces with Topology) is completed?

0 Kudos
PhoneBoy
Admin

The issue with Get Interfaces with Topology won't cause an outage.
It will, however, reset the topology configuration and possibly create extra objects in the process.

0 Kudos
Support_Team_Pi
Participant

Hi Vladimir,

So what happens if you use neither of the options, but just create the interface manually and then push policy?
When testing this, it seems like the topology information, where specific groups were defined before adding the new VLAN interface, has now disappeared, and I am seeing anti-spoofing blocks on entirely different interfaces than the new ones I added.

Any idea?

KC.
0 Kudos