This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bärbel
Participant
‎2023-03-30 02:50 AM

How to properly add a new interface with AntiSpoofing calculated automatically

We have some centrally managed SMB Appliances running as clusters (ClusterXL HA Mode New). We want to let the appliance do the correct AntiSpoofing by itself automatically. We use static routing (but also have some devices running dynamic routing). In the Gateway Cluster Properties we have the option "Automatically calculated by teh gateway, based on the Gateways's Routing Table".

When adding a new interface, we begin with configuring the interfaces in Gaia WebUI. Then we modify the Gateway Cluster Properties with SmartConsole. Under Topology we "Edit Topology". Then we click on "Get" with option "All Member's Interfaces with Topology...". Afterwards we manually add the ip, mask and name of the cluster interface and set the type to "Cluster". Then we install the policy. This made the cluster IP appear on the devices (cphaprob -a if). Unfortunately packets are getting dropped by the firewall with reason "AntiSpoofing".

What do we miss? Do we have to invoke "Copy topology to cluster interfaces"? We are struggling because we do not want to break the other existing and working interfaces. We are looking for documentation and advice on how to do it properly.


Versions:
1590 Appliance R80.20.35 - Build 467
SmartManagement R81.10 - Build 029
SmartConsole R81.10.9600.412

Thanks a lot in advance!

0 Kudos
11 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-03-30 06:21 AM

sk115276: How to troubleshoot "Local interface address spoofing" issues

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Bärbel
Participant
‎2023-03-30 07:58 AM
In response to G_W_Albrecht

This sk seems unrelated to my question on "How to properly add a new interface with AntiSpoofing calculated automatically". Have I missed something?

0 Kudos
the_rock
Legend
Legend
‎2023-03-30 09:48 AM
In response to Bärbel

All you need to know is this...IF calculated automatically, it will reset anything configured manually, which may not be intended option you want. Most customers I know just manually edit them (though this is regular Gaia, not embedded), so you can confirm subnets behind that interface are indeeed 100% right. Though in SMB cluster case, as long as routing is correct, I dont see loigically why you cant leave it as automatic.

Andy

Small Office Appliance Topology

What can I do here?

In this window you can define all the interfaces on this host or gateway.

Note: This topic refers to these Small Office Appliances: CPSG 80 series, 1100 and 1200R appliances.

What background information do I need to know?

Topology is a physical or logical structure of computer-related objects. Topology defines how the network node connects to the networks inside and outside the organization. The node is connected to networks via interfaces. A gateway has two types of interfaces:

  • Internal interfaces face toward the local network. The LANs and the DMZ are both internal networks.
  • External interfaces face toward the Internet.

Interfaces are defined by an IP address and a netmask address. The interfaces on the gateway can be defined manually or automatically by pressing Get....

In the Gateway - Topology page, the topology is set automatically because it represents the hard coded device.

The set topology includes the following three interfaces (two internal and one external):

  • DMZ represents a logical second network behind the Small Office Appliance. You must connect DMZ computers to the LAN ports. DMZ is a dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, the DMZ can serve as a secondary WAN port.
  • LAN represents the private network. LAN 1-8 local area network switch: Eight Ethernet ports (RJ-45) is used for connecting computers or other network devices.
  • WAN represents the external interface to the router. A WAN interface card, is a network interface card (NIC) that allows devices to connect to a wide area network. Wide Area Network (WAN): An Ethernet port (RJ-45) used for connecting your cable or xDSL modem, or for connecting a hub when setting up more than one Internet connection

Although these three interfaces automatically appear in the Topology window, they are not associated with an IP address and a Network Mask.

If you deselect the Dynamic Address option in the General Properties window and add a static IP address, the WAN automatically receives the specified static IP address and its Network Mask is 255.255.255.255.

The Type drop-down list in the General Properties window defines the hardware type and its associated topology. Currently all hardware types share the same topology. Every hardware type has one external interface and two internal interfaces. It is possible to add only one additional external interface.

 

 

 

 

0 Kudos
Bärbel
Participant
‎2023-03-30 09:55 AM
In response to the_rock

Do I need to press the button "Copy topology to cluster interfaces"?

0 Kudos
the_rock
Legend
Legend
‎2023-03-30 09:57 AM
In response to Bärbel

If its cluster, it would make sense, yes

  • Copy topology to cluster interfaces - Copy the topology from the physical member interfaces to the cluster virtual interfaces.
0 Kudos
Bärbel
Participant
‎2023-03-30 10:03 AM
In response to the_rock

Do I have to press "Copy topology to cluster interfaces" after "Get - All Member's Interfaces with Topology..."?

0 Kudos
the_rock
Legend
Legend
‎2023-03-30 10:07 AM
In response to Bärbel

Based on the explanation, I would say yes, but you can verify with TAC.

0 Kudos
Bärbel
Participant
‎2023-03-30 10:24 AM
In response to the_rock

I need to know how to set "the Topology" for a virtual cluster interface. At the moment I guess the button "Copy topology to cluster interfaces" is the only way to do it, in case "Automatically calculated by the gateway, based on the Gateways's Routing Table" is active. But I'm going to open a TAC case...

0 Kudos
the_rock
Legend
Legend
‎2023-03-30 10:29 AM
In response to Bärbel

Good idea, just to be 100% sure.

0 Kudos
Bärbel
Participant
‎2023-04-11 04:26 AM
In response to the_rock

I'm still waiting for advice from TAC. Is there really no documentation on this topic?

0 Kudos
the_rock
Legend
Legend
‎2023-04-11 05:27 AM
In response to Bärbel

I think the best "documentation" you would find on this is help section from smart dashboard, thats it. 

https://sc1.checkpoint.com/documents/R80.30/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R8...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top