Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Thomas_Werner
Employee Alumnus
Employee Alumnus

Using MTA on bridge mode

In some occations you might have to run MTA on a Check Point gateway in bridge mode.

You must take care about a proper network design otherwise packet processing for traffic destined for MTA will fail.

This is the setup:

The important and mandatory thing is that traffic to and from the MTA must never be seen on any bridge interface - otherwise it will implicitly be blocked by the firewall component because the same network packet must not be seen twice on different interfaces.

So the requirement is to run all MTA traffic via dedicated interfaces (non-bridge interfaces).

That requires proper traffic routing also because you need to make sure that emails are received and send via the dedicated MTA interfaces.

2 Replies
PhoneBoy
Admin
Admin

I think you shouldn't run into this issue if you apply this SK (but maybe I'm wrong):

When configuring two interfaces in Bridge Mode, traffic is dropped due to "local interface spoofing" 

0 Kudos
Thomas_Werner
Employee Alumnus
Employee Alumnus

Hi Dameon,

above configuration is from a PoC setup I did in the past. I don't remember everthing we tried to not make the bridge drop traffic (we started without dedicated interfaces for MTA) but we did not succeed. The final conclusion was that you cannot disable the "drop a packet that was seen twice on an interface". Maybe something changed in newer releases but I did not verify. 

Regards Thomas

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events