This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
velo
Collaborator
‎2024-09-04 02:38 AM

Adding new cluster interface and anti-spoofing

I'm adding a new sub-interface to an existing cluster. I'm going to be following this guide:

https://support.checkpoint.com/results/sk/sk57100

My new sub-interface will be used to route traffic to a remote site (172.16.100.0/24) I will add a static route on each member pointing to this subnet via this new interface. 

After creating the interface on each member in Gaia portal, I'm going to use the "get interfaces without topology" in Smart Dashboard.  How should I setup the "Leads to" section? Which one of the following two options should I use?

  1. Network defined by static routes
  2. Specific (create an object for the remote network and select it here)

I don't want to "get interfaces with topology" because I don't want to mess with any existing setup. I recall I read somewhere that if you're using the "defined by static routes" option you might need to use "get interfaces with topology"

I want to use the lowest impact, least chance of risk option because it's an important environment.

Thanks

 

0 Kudos
11 Replies
AkosBakos
MVP Silver
MVP Silver
‎2024-09-04 02:57 AM

Hi @velo 

I suggest you that the "get interfaces with topology" is not safe to use on an working setup. If you use it, all of the Interface information will be overwritten. If somewhere is set an anti-spoofing group, that will be overwritten too, so don't use it.

This is the suggested method in the mentioned SK too.

About your question, how to set up the new interface:

  • It depends on your need. If the confgured IP and MASK represents the network behind,  you can use  "Network defined by static routes" safely

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
velo
Collaborator
‎2024-09-04 04:03 AM
In response to AkosBakos

Thanks Akos

I'm not going to use the "get interfaces with topology" option as that will make changes like you say.

But I thought I read somewhere that if you use the "Network defined by static routes" option, you needed to get the "get interfaces with topology" option for it to pick up the routes, but maybe that is not the case.

You are correct, IP and Mask will represent the network behind the new interface. I will use:

  • "get interfaces without topology"
  • "Network defined by static routes"

Hopefully that shout be OK.

Thanks

 

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-09-04 04:07 AM
In response to velo

Hi @velo 

This statement is misleading.  😉

You can change this setting anytime.

akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
velo
Collaborator
‎2024-09-04 04:09 AM
In response to AkosBakos

Yes you're quite right, that would be silly. Thanks!

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2024-09-04 06:08 AM
In response to velo

If you are using the option "Network defined by routes" (it's not static routes; just routing in general), then the gateway will poll the Gaia routing daemon (RouteD) every few seconds to learn the contents of the routing table (the FIB).  With this information, the gateway will auto-adjust the anti-spoofing topology without needing to make new objects manually.

 

You will use this option in dynamic routing environments, but you can just as easily do it with static routes ("static routes" are a routing protocol; just not a dynamic routing protocol)

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
velo
Collaborator
‎2024-09-04 11:49 AM
In response to Duane_Toler

Great to know, thank you. Makes sense.

0 Kudos
velo
Collaborator
‎2024-09-05 02:18 AM
In response to AkosBakos

Just another question. Do I need to add any firewall policy to allow CPP to communicate on these new interfaces?

Look at the SK article, I think it's actually incomplete. There is no mention of pushing a policy after the change. 

  1. Stop the clustering on Standby member
  2. Perform all operations on Standby member
  3. Perform all operations on Active member
  4. Perform all operations in SmartDashboard
  5. Start the clustering on Standby member
0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-09-05 02:23 AM
In response to velo

Hi

Do I need to add any firewall policy to allow CPP to communicate on these new interfaces? No.

You won't be notified to push a policy, just simle push it 🙂

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
velo
Collaborator
‎2024-09-05 02:25 AM
In response to AkosBakos

Thanks for the info. I only mention the push because I think it enabled clustering on that interface only after the push. 

Thanks for the info.

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-09-05 02:35 AM
In response to velo

The policy install is that movement wich enable the clustering on the interface. All the settings are remain on the Management until you push policy,

Therefore the first investigation step is the pushing policy 🙂

----------------
\m/_(>_<)_\m/
0 Kudos
velo
Collaborator
‎2024-09-05 02:37 AM
In response to AkosBakos

100%, thanks for the info. That's why I think it might be a good idea to mention that in the SK article. 

Thanks 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events