Matlu
Advisor

Adding a new VLAN

 

Hello, everyone.

One query:

When you add a new VLAN to your Firewall Cluster, you then have to pull the "topology" from the SmartConsole.

What impact can it have if you choose the "Get Interface With Topology" option?
Can this somehow negatively "impact" a company's network?


I understand that the "Get Interface With Topology" option "overwrites" the entire configuration, practically from 0, as far as the interfaces are concerned.
Is this correct?

Thanks for your input.

Best regards.

13 Replies
Lari_Luoma
Ambassador

Hi!

Get interfaces with topology gets the routing topology behind your interfaces. This has an impact on the anti-spoofing configuration.

For example: You have the following static route.

set static-route 10.1.1.0/24 nexthop gateway address 192.168.10.2 on

eth1 has the IP address 192.168.10.1. Traffic to/from network 10.1.1.0/24 is only allowed on this interface. If traffic from this network is seen on any other interface, it is considered spoofed and dropped (if anti-spoofing is configured in prevent mode).

Get interfaces with topology synchronizes the routing table with the interface configuration and creates anti-spoofing groups.

If routing is correct and all networks are behind certain interfaces, there are no issues having anti-spoofing in prevent mode and using "get interface with topology". However, if your routing is a mess, this will cause problems for sure.

One good option is to use "defined by routes" in the topology tab, which ensures that your anti-spoofing information stays up-to-date even if you have dynamic routing in use.

Matlu
Advisor

Thanks for the explanation, my friend.

In a production environment where there are several Clusters/GWs, which already have quite a few VLANs "declared" in their TOPOLOGY table:

Is it convenient to use the "...with topology" option?
Or is it better to use the "...without topology" one?

Greetings.

the_rock
Legend

Do NOT use "get with topology" as that will reset all topology settings to default...ALWAYS do "get interfaces WITHOUT topology" as that will preserve your current anti-spoofing settings.

Lari_Luoma
Ambassador

This is not completely true.

All depends on your need.

1. Always use defined by routes if you can (e.g. one limitation for defined by routes is if you want to use VPN topology "calculate IP based on topology"). This is fully automatic mode.

2. Use "with topology" if you want to automate your anti-spoofing setup (recommended). In this case you will need to get the topology and push policy every time you add a static route. This is semi-automatic mode.

3. Use "without topology" only if you want to create manual anti-spoofing groups (the only reason for this would be that your routing is a mess and you can have any network behind any interface. You still know those networks, so you add them to manual anti-spoofing groups). This is manual mode.

If you have manual anti-spoofing groups, you cannot use "with topology" anymore as it would overwrite the manually defined groups.

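The calculation Lari describes in the static-route example above, and the "semi-automatic" point that topology must be fetched again after every new static route, as an added example that is not part of the original thread and not Check Point's code: a simplified Python model that derives per-interface anti-spoofing groups from connected subnets plus static routes, applies the spoofing check to sample packets, and shows what changes when a route is added. Interface names, addresses and routes are constructed; the real product also handles dynamic routes, address ranges and interface topology flags that this model omits.

```python
"""Simplified model of how "Get Interfaces With Topology" derives anti-spoofing
groups from a gateway's interfaces and static routes.

Illustrative reimplementation written for this thread, NOT Check Point code.
All interfaces, addresses and routes below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    address: str   # interface IP with prefix, e.g. "192.168.10.1/24"


@dataclass(frozen=True)
class StaticRoute:
    destination: str   # e.g. "10.1.1.0/24" or "0.0.0.0/0" for the default route
    nexthop: str       # gateway address, e.g. "192.168.10.2"


def egress_interface(nexthop, interfaces):
    """Interface whose connected subnet contains the nexthop, or None if the
    nexthop is not reachable on any interface (a "messy" route)."""
    hop = ip_address(nexthop)
    for itf in interfaces:
        if hop in ip_network(itf.address, strict=False):
            return itf
    return None


def derive_topology(interfaces, routes):
    """Return (groups, external, unresolved).

    groups:     {interface name: set of networks expected behind it}; every
                interface starts with its connected subnet, then gains each
                static route whose nexthop is reachable through it.
    external:   names of interfaces carrying a default route; traffic on them
                is checked as "anything that is not an internal network".
    unresolved: routes whose nexthop is not on any interface.
    """
    groups = {i.name: {ip_network(i.address, strict=False)} for i in interfaces}
    external, unresolved = set(), []
    for route in routes:
        itf = egress_interface(route.nexthop, interfaces)
        if itf is None:
            unresolved.append(route)
            continue
        dest = ip_network(route.destination)
        if dest.prefixlen == 0:
            external.add(itf.name)
        else:
            groups[itf.name].add(dest)
    return groups, external, unresolved


def is_spoofed(src, ingress, groups, external):
    """Anti-spoofing verdict for a packet with source 'src' arriving on 'ingress'.
    Internal interface: the source must lie in that interface's group.
    External interface: the source must NOT lie in any internal group."""
    ip = ip_address(src)
    if ingress in external:
        return any(ip in net
                   for name, nets in groups.items() if name not in external
                   for net in nets)
    return not any(ip in net for net in groups[ingress])


# Constructed sample gateway: one external link, the eth1 from Lari's example,
# and one existing VLAN sub-interface on eth2.
INTERFACES = [
    Interface("eth0", "203.0.113.2/30"),
    Interface("eth1", "192.168.10.1/24"),
    Interface("eth2.20", "10.20.0.1/24"),
]
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1"),
    StaticRoute("10.1.1.0/24", "192.168.10.2"),   # the route from Lari's example
]


def demo():
    """Run the model over the sample data and return the verdicts by name."""
    groups, external, _ = derive_topology(INTERFACES, ROUTES)
    results = {
        # 10.1.1.0/24 is routed via eth1, so it is legitimate there only.
        "lan_via_eth1": is_spoofed("10.1.1.7", "eth1", groups, external),
        "lan_via_vlan": is_spoofed("10.1.1.7", "eth2.20", groups, external),
        # An internal source showing up on the external interface is spoofed.
        "internal_from_outside": is_spoofed("192.168.10.5", "eth0", groups, external),
    }
    # Semi-automatic mode: a new subnet behind the VLAN gets a static route,
    # but until topology is fetched again its traffic is still dropped.
    new_route = StaticRoute("10.30.0.0/24", "10.20.0.254")
    results["new_subnet_before_refetch"] = is_spoofed("10.30.0.9", "eth2.20", groups, external)
    groups2, external2, _ = derive_topology(INTERFACES, ROUTES + [new_route])
    results["new_subnet_after_refetch"] = is_spoofed("10.30.0.9", "eth2.20", groups2, external2)
    # A route whose nexthop is on no interface cannot be placed in any group.
    _, _, bad = derive_topology(INTERFACES, ROUTES + [StaticRoute("10.99.0.0/16", "172.16.0.1")])
    results["unresolved_routes"] = len(bad)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "messy routing" case Lari warns about shows up as the unresolved route: the model cannot assign it to any interface, and on a real gateway such a network would end up in the wrong (or no) anti-spoofing group, which is exactly when prevent mode starts dropping legitimate traffic.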
the_rock
Legend

All I can think of for this is that once a TAC guy told a new customer to "get with topology..." as the recommended way... yeah, the result was NOT pleasant, to say it nicely. But, I get your points. Still, I never recommend to anyone to "get with topology..."... just me.

Lari_Luoma
Ambassador

Sure, if you want to define anti-spoofing manually you will have to use "without topology" or your groups will be overridden. Personally I think you will only generate more work for yourself by using the manual method, but it's still possible and I know many organizations doing it. Generally it's not the way I would recommend, but it works. 🙂

the_rock
Legend

That's fair, I guess we agree to disagree : - ). I use it all the time and never had any issues!

Matlu
Advisor

It is quite an interesting topic, this Anti-Spoofing.

And all this just to know whether to opt for one option or the other, "...with topology" or "...without topology".

In my case, I have a ClusterXL that has more than 20 VLANs, which are "tied" to eth2.
Then the customer wants to add a couple more VLANs, and I am in crisis because I don't know which option to choose.
Hahaha

It is better to ask than to cry. 😅🤣

What do you recommend?

Greetings.

the_rock
Legend

Again, me personally, and this is just me: whenever I had a customer ask me this, I ALWAYS told everyone NOT to use "get with topology", always "without...", and we never had a single issue, so take that for what it's worth. You are more than welcome to open a TAC case and get an official CP answer, because in case anything breaks, at least you have it in writing... makes sense?

Lari_Luoma
Ambassador

My recommendation is above. I do agree with @the_rock that if you use the manual method you can be sure there are no issues. 🙂 This way you will define each anti-spoofing group manually and add the networks you want. Once you have done that you cannot go back to the "semi-automatic" mode and use "get interfaces with topology", as it would break the beautiful anti-spoofing groups you have spent so much time creating. 🙂

the_rock
Legend

Well said indeed @Lari_Luoma 🙂

abihsot__
Advisor

Regarding the first point, it might work fine for simple deployments; however, I am very careful when it comes to "fully automated mode" because the defined-by-routes option has some nasty bugs which, if I remember correctly, are not fixed yet.

https://community.checkpoint.com/t5/Security-Gateways/Topology-defined-by-routes-limitation/td-p/116...

 

the_rock
Legend

Interesting...never experienced any issues with that setting myself.

