This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
prashanth
Participant
‎2023-09-25 06:25 AM
Jump to solution

Active/Standby Bridge Topology Table

I'm setting up an Active/Standby Bridge with two bridge groups.

Bridge Group 1: Eth1 <> Eth2

Bridge Group 2: Eth3 <> Eth4

I can see the bridge interfaces when I create the gateway at SmartConsole. But when creating the cluster bridge interfaces aren't discovered.

First and foremost is this behaviour is normal?

How can I achieve segregated policy packages per bridge group?

Since the bridge interfaces are not available in the topology table, we can’t protect them against Anti-spoofing. Is there any method to achieve this?

 

Labels
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-09-25 10:59 AM
Jump to solution

This is normal and documented: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

  • Make sure the Bridge interface and Bridge subordinate interfaces are not in the Topology. 

  • You cannot define the Topology of the Bridge interface. It is External by default.

To have a different policy for each bridge, you will need to use VSX (putting each bridge in a separate VS).
See also (for various limitations): https://support.checkpoint.com/results/sk/sk101371

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-09-25 10:59 AM
Jump to solution

This is normal and documented: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Installation_and_Upgrade_Gui...

  • Make sure the Bridge interface and Bridge subordinate interfaces are not in the Topology. 

  • You cannot define the Topology of the Bridge interface. It is External by default.

To have a different policy for each bridge, you will need to use VSX (putting each bridge in a separate VS).
See also (for various limitations): https://support.checkpoint.com/results/sk/sk101371

0 Kudos
prashanth
Participant
‎2023-10-04 06:54 PM
In response to PhoneBoy
Jump to solution

Thank you @PhoneBoy 

Once we have converted the cluster into an Active/Standby bridge mode is it recommended to use other interface types such as Bond/L3 along with the bridge interfaces?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-06 09:08 AM
In response to prashanth
Jump to solution

You can use bonded interfaces with bridge mode, yes.
You can also have L3 interfaces, but note the limitation around Double Inspection: https://support.checkpoint.com/results/sk/sk172204
Specifically, make sure that traffic does not traverse both an L2 and an L3 interface. 
Management traffic can do so with a configuration change: https://support.checkpoint.com/results/sk/sk105899

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events