This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Taimoor_Muftee
Explorer
‎2018-02-14 09:22 AM

R80.10 Management and R77.30 Gateways in Bridge mode

Looking to upgrade management from R77.30 to R80.10. In QA I'm getting validation errors for the firewalls in bridge mode which have no IP addresses on the fail-open interfaces (so 0.0.0.0/0.0.0.0). I don't have the ability to push from QA so I need to confirm if this is an issue installing policy? I cant seem to find any documentation on it. 

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2018-02-14 03:04 PM

Those interfaces shouldn't have IPs on them for sure.

Which version of SmartConsole are you using?

Also, let me put this in https://community.checkpoint.com/community/management/policy-management?sr=search&searchId=d0b7782c-...‌.

0 Kudos
Taimoor_Muftee
Explorer
‎2018-02-15 04:50 AM

It's R80.10 SmartConsole Build 024

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-02-15 10:18 AM

Hi, for this kind of problems I really recommend that you open a support ticket, so that Check Point support will be able to identify the root cause and see how this problem cannot happen for other customers as well.

0 Kudos
Mark_Gurevich
Contributor
‎2018-02-15 01:32 PM

Hi, You have to make sure that bridge interfaces are not a part of topology tab in Dashboard.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-02-15 02:47 PM
In response to Mark_Gurevich

I believe you mean: not defining topology on the interface (i.e. not as internal or external).

0 Kudos
Mark_Gurevich
Contributor
‎2018-02-15 02:57 PM
In response to PhoneBoy

My Bad) Topology still can be defined for single FW, but as I've said, in cluster, bridge interface do not part of topology tab at all and it is External by design. (Security Gateway R77 Versions Technical Administration Guide)

0 Kudos
PhoneBoy
Admin
Admin
‎2018-02-15 07:53 PM

Having just installed a Mirror Port gateway on R80.10, the correct answer is: the mirror port should not be defined on the Gateway object at all.

When I fetched topology from my R80.10 Mirror Port gateway, the interface that was the mirror port did not even come across in the topology.

Further, your management Interface for the device should probably have the topology "Undefined" and Anti-Spoofing disabled.

0 Kudos
Mark_Gurevich
Contributor
‎2018-02-16 12:46 AM
In response to PhoneBoy

Hi Dameon, this is expected as mirror port is only for POC/testing and it will get all traffic (external + internal) from the corresponding mirror port of the switch. So bridge interface and mirror port, though might seem to be similar, are quite different.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-02-16 08:56 AM
In response to Mark_Gurevich

True, I misread Smiley Happy

That said I wonder if a similar solution shouldn't apply.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events