This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RemoteUser
Advisor
‎2025-04-15 05:05 AM
Jump to solution

Get interface

what is the difference between get interface with topology and without?
which one is better to use? and why?

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-04-15 09:52 AM
Jump to solution

Get Interfaces is generally safer as it only adds detected interfaces to the gateway object without setting or changing any configuration related to them.
Get Interfaces With Topology will actually set the anti-spoofing configuration based on what it can see in the device's routing table.
Problem is: duplicate and sometimes hidden objects are created as part of this process.
Which is why using Get Interfaces With Topology is generally not considered best practice to use outside of an initial configuration.

 

View solution in original post

the_rock
Legend
Legend
‎2025-04-15 09:56 AM
Jump to solution

Phoneboy explained it exactly how it is. For your reference, I would strongly recommend to use without topology. Below are settings its referring to.

Andy

 

Interface - Topology Settings

Understanding Topology

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

  • Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.

  • Override - Override the default setting.

If you Override the default setting:

  • Internet (External) - All external/Internet addresses

  • This Network (Internal) -

    • Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface

    • Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface

    • Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.

    • Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface

    • Interface leads to DMZ - The DMZ that directly connects to this internal interface

VPN Tunnel Interfaces

If the interface is part of a VPN Tunnel

 

, then the interface Leads To a Point to Point network. The interface is one end of the point to point connection. All traffic in the network behind the interface is part of the point to point connection. Click Override to define a specific network.

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2025-04-15 09:52 AM
Jump to solution

Get Interfaces is generally safer as it only adds detected interfaces to the gateway object without setting or changing any configuration related to them.
Get Interfaces With Topology will actually set the anti-spoofing configuration based on what it can see in the device's routing table.
Problem is: duplicate and sometimes hidden objects are created as part of this process.
Which is why using Get Interfaces With Topology is generally not considered best practice to use outside of an initial configuration.

 

the_rock
Legend
Legend
‎2025-04-15 09:56 AM
Jump to solution

Phoneboy explained it exactly how it is. For your reference, I would strongly recommend to use without topology. Below are settings its referring to.

Andy

 

Interface - Topology Settings

Understanding Topology

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

The type of network that the interface Leads To:

  • Internet (External) or This Network (Internal) - This is the default setting. It is automatically calculated from the topology of the gateway. To update the topology of an internal network after changes to static routes, click Network Management > Get Interfaces in the General Properties window of the gateway.

  • Override - Override the default setting.

If you Override the default setting:

  • Internet (External) - All external/Internet addresses

  • This Network (Internal) -

    • Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface

    • Network defined by the interface IP and Net Mask - Only the network that directly connects to this internal interface

    • Network defined by routes - The gateway dynamically calculates the topology behind this interface. If the network changes, there is no need to click "Get Interfaces" and install a policy.

    • Specific - A specific network object (a network, a host, an address range, or a network group) behind this internal interface

    • Interface leads to DMZ - The DMZ that directly connects to this internal interface

VPN Tunnel Interfaces

If the interface is part of a VPN Tunnel

 

, then the interface Leads To a Point to Point network. The interface is one end of the point to point connection. All traffic in the network behind the interface is part of the point to point connection. Click Override to define a specific network.

Lesley
Authority Authority
Authority
‎2025-04-15 11:39 AM
Jump to solution

What posted before by phoneboy and the_rock is good advice.

Only extra tip I can add, screenshot toplogy before fetch and compare it after. Then you are sure the right changes are performed.

Fetching with toplogy I have never done (yet) before

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend
Legend
‎2025-04-15 11:41 AM
In response to Lesley
Jump to solution

Excellent advice Lesley.

0 Kudos
Timothy_Hall
Legend Legend
Legend
3 weeks ago
Jump to solution

My general advice is to only use "Get Interfaces With Topology" on a new gateway that is not yet in production.   For a production gateway, one should only use "Get Interfaces Without Topology" and then manually set topology for any newly fetched interfaces.  "Get Interfaces With Topology" should be avoided on a production gateway as it can disrupt the topology settings of preexisting interfaces, resulting in massive anti-spoofing drops.

This behavior has been fully documented here at last: sk183590: "Get interfaces with topology" and "Get interfaces without topology" actions in SmartConso...

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
Legend
Legend
3 weeks ago
In response to Timothy_Hall
Jump to solution

100% agree...thats what I always suggest to people as well.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events