Hello Checkmates,
What is the difference between "Get Interface Without Topology" and "Get Interface With Topology" ?
What will the first option do, and what will the second?
When should I use "Get Interface With Topology" and when "Get Interface Without Topology" when discovering topology changes?
I have R80.20.
Hi Slobodan,
The "Get Interfaces With Topology" option will interrogate the gateway to retrieve the interfaces; it will also calculate the topology and set the interfaces ("This Network" only, etc.) for the purposes of anti-spoofing, based on the routing table.
Using only "Get Interfaces Without Topology" will get all interfaces without changing your existing topology.
From experience, I only use the "with" option when configuring a new gateway, as performing a topology get on an existing gateway/cluster may change your desired topology if you have set up some specific spoofing groups.
Personally, I like to control the topology and will more than likely make changes to the topology even when using the "with topology" option.
Hope this helps.
Cheers
Mark
Thanks Mark,
I've noticed that in a case where I have changes in routing (adding static routes) and run "Get Interface Without Topology", the gateway will not update the topology table, so I need to run "Get Interface With Topology".
Slobodan, even though this might look fancy and is easy when you add routes, did you see how these networks are created in the objects database? Regardless of whether the network already exists or not, a new network object is created in a semi-hidden state. What I mean by that is that you cannot add that network to an access rule or a group, as it just does not show up in the listing. So later on, when that network is removed from your environment, you're stuck with a hidden object for a non-existent network.
In a network with many changes, this is not something you want.
Specifically in Cluster environments I would not use the With topology option, as mentioned by Vladimir Yakovlev below.
Happy to help.
Yes, if you are using the "Determine Topology based on route table" setting under the gateway/cluster, that is correct; otherwise the topology needs to be defined manually.
Cheers
Mark
Hi Mark,
I have a question, please, regarding the "Network defined by routes" option.
Currently my setup is to add the manual static routes on the firewalls and then do a "Get Interfaces With Topology". By doing this I am getting a lot of hidden duplicate objects, which I want to avoid (sk126872).
We are changing our routing from static to dynamic in the next few months, and I was wondering: if I use the "Network defined by routes" option, will I still have duplicate objects created? If yes, what is the best approach to avoid this? As I understand it, using the "Specific" option with manually created network groups is mainly for static routes, right?
I also saw this in the documentation
When the Network defined by routes option is selected along with Perform Anti-Spoofing based on interface topology, you get Dynamic Anti-Spoofing. The valid IP address range is automatically calculated without the administrator having to click Get Interfaces or install a policy.
Regards,
Alissone
By using the Network Defined By Routes option, you do not have to define the topology (and no duplicate objects are created).
This feature will work with either dynamic or static routes.
Hey,
This is definitely the best explanation, from the SmartConsole help page.
Best,
Andy
Interface - Topology Settings (checkpoint.com)
An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).
The type of network that the interface Leads To:
Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.
Override - Override the default setting.
If you Override the default setting:
Internet (External) - All external/Internet addresses
This Network (Internal) -
Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface
Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface
Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.
Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface
Interface leads to DMZ - The DMZ that directly connects to this internal interface
VPN Tunnel Interfaces
If the interface is part of a VPN Tunnel, then the interface Leads To a Point to Point network. The interface is one end of the point to point connection. All traffic in the network behind the interface is part of the point to point connection. Click Override to define a specific network.
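The help text above describes what "Network defined by routes" (and a topology get with "Determine Topology based on route table") derives from the routing table, but not how. The following is an added example, not code from this thread or from Check Point, that models that derivation on constructed sample data: each internal interface gets its connected subnet plus every non-default route that leaves through it, and the interface carrying the default route becomes "Internet (External)", which accepts anything not claimed by an internal interface. The interface names, addresses and routes are invented, and the rule that the default-route interface is the external one is an assumption based on the quoted help text.

```python
"""
Added example (not from the thread or from Check Point): a model of how
"Network defined by routes" / "Determine topology based on route table"
derives each interface's valid source-address set for anti-spoofing.
All interface names, addresses and routes are constructed sample data.
"""
from ipaddress import ip_network, ip_interface, ip_address

# Constructed sample gateway: interface -> address/prefix
INTERFACES = {
    "eth0": ip_interface("203.0.113.10/24"),
    "eth1": ip_interface("10.1.0.1/24"),
    "eth2": ip_interface("192.168.50.1/24"),
}

# Constructed sample routing table: (destination, next hop, egress interface)
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "eth0"),        # default route -> external
    ("10.2.0.0/16", "10.1.0.254", "eth1"),
    ("10.3.0.0/24", "10.1.0.254", "eth1"),
    ("172.16.0.0/12", "192.168.50.254", "eth2"),
]


def topology_from_routes(interfaces, routes):
    """Return {iface: ("external", None)} for the default-route interface and
    {iface: ("internal", [networks])} for the others, where the list is the
    connected subnet plus every non-default route leaving via that interface.
    Prefixes fully contained in another prefix of the same interface are
    dropped, since the larger one already covers them. (Assumed behaviour.)"""
    default_ifaces = {iface for dst, _, iface in routes if ip_network(dst).prefixlen == 0}
    topology = {}
    for name, addr in interfaces.items():
        if name in default_ifaces:
            topology[name] = ("external", None)
            continue
        nets = {addr.network}
        for dst, _nexthop, iface in routes:
            if iface == name and ip_network(dst).prefixlen > 0:
                nets.add(ip_network(dst))
        kept = [n for n in nets if not any(n != o and n.subnet_of(o) for o in nets)]
        topology[name] = ("internal", sorted(kept))
    return topology


def passes_antispoofing(topology, src_ip, ingress_iface):
    """True if a packet with source src_ip arriving on ingress_iface agrees
    with the derived topology: internal interfaces accept only their own
    networks; the external interface accepts any address that is not behind
    some internal interface."""
    src = ip_address(src_ip)
    internal_nets = [n for kind, nets in topology.values() if kind == "internal" for n in nets]
    kind, nets = topology[ingress_iface]
    if kind == "external":
        return not any(src in n for n in internal_nets)
    return any(src in n for n in nets)


if __name__ == "__main__":
    topo = topology_from_routes(INTERFACES, ROUTES)
    for iface, (kind, nets) in topo.items():
        print(iface, kind, [str(n) for n in nets] if nets else "")
    # Adding a static route via eth1 changes what the next recalculation
    # derives; a plain "Get Interfaces Without Topology" leaves it as is.
    topo2 = topology_from_routes(INTERFACES, ROUTES + [("10.4.0.0/24", "10.1.0.254", "eth1")])
    print("eth1 after adding 10.4.0.0/24:", [str(n) for n in topo2["eth1"][1]])
    # An internal address arriving on the external interface is spoofed.
    print("10.2.5.5 on eth0 allowed:", passes_antispoofing(topo, "10.2.5.5", "eth0"))
```

The second call in the `__main__` block is the situation from earlier in the thread: after a new static route is added, only a recalculation from the routing table (a topology get, or the dynamic "Network defined by routes" setting) changes what the interface is allowed to see; retrieving interfaces without topology does not.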
On an existing production gateway or cluster, the difference between "Get Interface Without Topology" and "Get Interface With Topology" is typically 2 to 4 hours of troubleshooting.
Seriously though, when you already have manually defined topology and anti-spoofing settings, "With Topology" may wreak havoc on your infrastructure. See this thread, for example: Cluster Sync lost after Get Interfaces with topology.
It may also create duplicate network objects.
I totally agree.
The safest way is to choose "without topology" for existing devices. If there are some legacy configurations, if some part of the network is not documented, if there are many people managing firewalls, or if there are just many VLANs, it is better to just add the new network to the group manually.
Also, in addition to the duplicate objects, you may have a naming convention that this automatic retrieval will not care about, of course.
What is the difference between clicking "Get Interfaces Without Topology" and adding the interface manually? As I understand it, they sound the same to me.
Get Interfaces (without topology) will automatically define any interfaces that don't exist.
It will not define the topology settings for new interfaces, nor will it disrupt the topology configuration that exists for other interfaces.
Hi @PhoneBoy
Can you please confirm that there is downtime if "Get Interfaces With Topology" is used, i.e. that existing interfaces will not be reachable until the process is completed?
The issue with Get Interfaces with Topology won't cause an outage.
It will, however, reset the topology configuration and possibly create extra objects in the process.
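Since the consensus in this thread is that "Get Interfaces With Topology" resets hand-set topology and can create the hidden duplicate objects of sk126872, a practitioner would want a pre-flight check before clicking it on an existing gateway. The following is an added example, not code from this thread or from Check Point: it takes a gateway's current interface definitions and the existing network objects and reports which interfaces have a manually chosen "Specific" topology that a topology get would overwrite, and which route-derived subnets already exist as named objects and would therefore be duplicated. All three inputs are constructed samples; the field names (`topology-settings`, `ip-address-behind-this-interface`, `specific-network`) are assumptions loosely modelled on the Management API's gateway object and should be checked against your own `show simple-gateway` and `show networks` output before relying on them.

```python
"""
Added example (not from the thread or from Check Point): pre-flight check
before running "Get Interfaces With Topology" on an existing gateway.
The data below is constructed; the JSON field names are an assumption
modelled on the Management API's gateway object and must be verified.
"""
from ipaddress import ip_network

# Constructed: interfaces as currently defined on the gateway object
GATEWAY = {
    "name": "gw-site1",
    "interfaces": [
        {"name": "eth0", "ipv4-address": "203.0.113.10", "ipv4-mask-length": 24,
         "topology": "external"},
        {"name": "eth1", "ipv4-address": "10.1.0.1", "ipv4-mask-length": 24,
         "topology": "internal",
         "topology-settings": {"ip-address-behind-this-interface": "specific",
                               "specific-network": "grp_site1_internal"}},
        {"name": "eth2", "ipv4-address": "192.168.50.1", "ipv4-mask-length": 24,
         "topology": "internal",
         "topology-settings": {"ip-address-behind-this-interface":
                               "network defined by the interface ip and net mask"}},
    ],
}

# Constructed: existing network objects in the database (name -> subnet)
NETWORK_OBJECTS = {
    "Net_Site1_Users": "10.2.0.0/16",
    "Net_Site1_Servers": "10.3.0.0/24",
}

# Constructed: subnets a topology get would derive per interface from the
# gateway's routing table (what "Get Interfaces With Topology" would apply)
ROUTE_DERIVED = {
    "eth1": ["10.1.0.0/24", "10.2.0.0/16", "10.3.0.0/24"],
    "eth2": ["192.168.50.0/24", "172.16.0.0/12"],
}


def manual_topology_at_risk(gateway):
    """Interfaces whose hand-set 'Specific' topology a topology get would
    overwrite; returns [(interface, specific-network object name)]."""
    risky = []
    for itf in gateway["interfaces"]:
        settings = itf.get("topology-settings", {})
        if settings.get("ip-address-behind-this-interface") == "specific":
            risky.append((itf["name"], settings.get("specific-network")))
    return risky


def duplicate_candidates(route_derived, objects):
    """Route-derived subnets that already exist as named objects. A topology
    get would create a second, semi-hidden object for each of these (the
    sk126872 behaviour described in the thread)."""
    by_subnet = {ip_network(subnet): name for name, subnet in objects.items()}
    dups = []
    for iface, nets in route_derived.items():
        for net in nets:
            existing = by_subnet.get(ip_network(net))
            if existing:
                dups.append((iface, net, existing))
    return dups


def preflight_report(gateway, route_derived, objects):
    """Collect both findings; an empty report means a topology get would
    neither overwrite manual settings nor duplicate existing objects."""
    return {"overwrite": manual_topology_at_risk(gateway),
            "duplicates": duplicate_candidates(route_derived, objects)}


def safe_to_run(report):
    return not report["overwrite"] and not report["duplicates"]


if __name__ == "__main__":
    report = preflight_report(GATEWAY, ROUTE_DERIVED, NETWORK_OBJECTS)
    for iface, obj in report["overwrite"]:
        print(f"{iface}: manual 'Specific' topology ({obj}) would be reset")
    for iface, net, obj in report["duplicates"]:
        print(f"{iface}: {net} already exists as object {obj}; a duplicate would be created")
    print("safe to run with topology:", safe_to_run(report))
```

If the report is not empty, the thread's advice applies: run "Get Interfaces Without Topology" for the new interfaces and add the new networks to the existing group by hand, rather than letting the topology get rewrite the interface settings.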
Hi Vladimir,
So what happens if you use neither of the options, but just create the interface manually and then push policy?
When testing this, it seems like the topology information where specific groups were defined before adding the new VLAN interface has now disappeared, and I am seeing anti-spoofing blocks on entirely different interfaces than the new ones I added.
Any idea?
KC.