On some occasions you might have to run MTA on a Check Point gateway in bridge mode.
You must take care to have a proper network design; otherwise packet processing for traffic destined for MTA will fail.
This is the setup:
The important and mandatory thing is that traffic to and from the MTA must never be seen on any bridge interface - otherwise it will implicitly be blocked by the firewall component because the same network packet must not be seen twice on different interfaces.
So the requirement is to run all MTA traffic via dedicated interfaces (non-bridge interfaces).
That also requires proper traffic routing, because you need to make sure that emails are received and sent via the dedicated MTA interfaces.
I think you shouldn't run into this issue if you apply this SK (but maybe I'm wrong):
When configuring two interfaces in Bridge Mode, traffic is dropped due to "local interface spoofing"
Hi Dameon,
The above configuration is from a PoC setup I did in the past. I don't remember everything we tried to not make the bridge drop traffic (we started without dedicated interfaces for MTA), but we did not succeed. The final conclusion was that you cannot disable the "drop a packet that was seen twice on an interface". Maybe something changed in newer releases, but I did not verify.
Regards Thomas