Taimoor_Muftee
Explorer

R80.10 Management and R77.30 Gateways in Bridge mode

Looking to upgrade management from R77.30 to R80.10. In QA I'm getting validation errors for the firewalls in bridge mode which have no IP addresses on the fail-open interfaces (so 0.0.0.0/0.0.0.0). I don't have the ability to push from QA so I need to confirm if this is an issue installing policy? I can't seem to find any documentation on it.

9 Replies
PhoneBoy
Admin

Those interfaces shouldn't have IPs on them for sure.

Which version of SmartConsole are you using?

Also, let me put this in https://community.checkpoint.com/community/management/policy-management?sr=search&searchId=d0b7782c-... .

Taimoor_Muftee
Explorer

It's R80.10 SmartConsole Build 024

Tomer_Sole
Mentor

Hi, for this kind of problem I really recommend that you open a support ticket, so that Check Point support will be able to identify the root cause and see to it that this problem cannot happen for other customers as well.

Mark_Gurevich
Contributor

Hi, you have to make sure that bridge interfaces are not part of the Topology tab in Dashboard.

PhoneBoy
Admin

I believe you mean: not defining topology on the interface (i.e. not as internal or external).

Mark_Gurevich
Contributor

My bad :) Topology can still be defined for a single FW, but as I've said, in a cluster the bridge interface is not part of the Topology tab at all and it is External by design. (Security Gateway R77 Versions Technical Administration Guide)

PhoneBoy
Admin

Having just installed a Mirror Port gateway on R80.10, the correct answer is: the mirror port should not be defined on the Gateway object at all.

When I fetched topology from my R80.10 Mirror Port gateway, the interface that was the mirror port did not even come across in the topology.

Further, your management Interface for the device should probably have the topology "Undefined" and Anti-Spoofing disabled.

Mark_Gurevich
Contributor

Hi Dameon, this is expected as mirror port is only for POC/testing and it will get all traffic (external + internal) from the corresponding mirror port of the switch. So bridge interface and mirror port, though might seem to be similar, are quite different.

PhoneBoy
Admin

True, I misread :)

That said I wonder if a similar solution shouldn't apply.

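A pre-upgrade audit in the spirit of the advice above (an added example, not code from the thread or from Check Point): it walks a gateway object as returned by the R80.10 Management API's `show simple-gateway` and flags unnumbered (0.0.0.0) interfaces that still carry a topology definition or Anti-Spoofing. The JSON field names and the sample gateway are assumptions modelled on that API, not output captured from the poster's environment.

```python
import json

# Constructed sample, modelled on an R80.10 "show simple-gateway" response.
# The field names (ipv4-address, topology, anti-spoofing) are assumed from
# the Management API documentation; the values are made up for this demo.
SAMPLE_GATEWAY = json.loads("""{
  "name": "bridge-gw-qa",
  "interfaces": [
    {"name": "eth0", "ipv4-address": "10.0.0.5", "ipv4-mask-length": 24,
     "topology": "internal", "anti-spoofing": true},
    {"name": "eth1", "ipv4-address": "0.0.0.0", "ipv4-mask-length": 0,
     "topology": "external", "anti-spoofing": true},
    {"name": "eth2", "ipv4-address": "0.0.0.0", "ipv4-mask-length": 0,
     "topology": "automatic", "anti-spoofing": false}
  ]
}""")

UNNUMBERED = ("", "0.0.0.0")          # bridge / fail-open members carry no IP
EXPLICIT_TOPOLOGY = ("internal", "external")


def audit_interfaces(gateway):
    """Return (interface, problem) pairs for settings the thread says should
    not sit on an IP-less interface: an explicit Internal/External topology,
    or Anti-Spoofing enabled. Numbered interfaces are left alone."""
    findings = []
    for iface in gateway.get("interfaces", []):
        if iface.get("ipv4-address", "") not in UNNUMBERED:
            continue
        name = iface["name"]
        if iface.get("topology", "automatic") in EXPLICIT_TOPOLOGY:
            findings.append((name, "topology defined on unnumbered interface"))
        if iface.get("anti-spoofing", False):
            findings.append((name, "anti-spoofing enabled on unnumbered interface"))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; feed real "show simple-gateway"
    # JSON (e.g. saved from mgmt_cli) to audit a gateway before the upgrade.
    for name, problem in audit_interfaces(SAMPLE_GATEWAY):
        print(f"{SAMPLE_GATEWAY['name']}: {name}: {problem}")
```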