This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
velo
Contributor
13 hours ago

Adding new cluster interface and anti-spoofing

I'm adding a new sub-interface to an existing cluster. I'm going to be following this guide:

https://support.checkpoint.com/results/sk/sk57100

My new sub-interface will be used to route traffic to a remote site (172.16.100.0/24) I will add a static route on each member pointing to this subnet via this new interface. 

After creating the interface on each member in Gaia portal, I'm going to use the "get interfaces without topology" in Smart Dashboard.  How should I setup the "Leads to" section? Which one of the following two options should I use?

  1. Network defined by static routes
  2. Specific (create an object for the remote network and select it here)

I don't want to "get interfaces with topology" because I don't want to mess with any existing setup. I recall I read somewhere that if you're using the "defined by static routes" option you might need to use "get interfaces with topology"

I want to use the lowest impact, least chance of risk option because it's an important environment.

Thanks

 

0 Kudos
6 Replies
AkosBakos
Advisor
12 hours ago

Hi @velo 

I suggest you that the "get interfaces with topology" is not safe to use on an working setup. If you use it, all of the Interface information will be overwritten. If somewhere is set an anti-spoofing group, that will be overwritten too, so don't use it.

This is the suggested method in the mentioned SK too.

About your question, how to set up the new interface:

  • It depends on your need. If the confgured IP and MASK represents the network behind,  you can use  "Network defined by static routes" safely

Akos

0 Kudos
velo
Contributor
11 hours ago
In response to AkosBakos

Thanks Akos

I'm not going to use the "get interfaces with topology" option as that will make changes like you say.

But I thought I read somewhere that if you use the "Network defined by static routes" option, you needed to get the "get interfaces with topology" option for it to pick up the routes, but maybe that is not the case.

You are correct, IP and Mask will represent the network behind the new interface. I will use:

  • "get interfaces without topology"
  • "Network defined by static routes"

Hopefully that shout be OK.

Thanks

 

0 Kudos
AkosBakos
Advisor
11 hours ago
In response to velo

Hi @velo 

This statement is misleading.  😉

You can change this setting anytime.

akos

 

0 Kudos
velo
Contributor
11 hours ago
In response to AkosBakos

Yes you're quite right, that would be silly. Thanks!

0 Kudos
Duane_Toler
Advisor
9 hours ago
In response to velo

If you are using the option "Network defined by routes" (it's not static routes; just routing in general), then the gateway will poll the Gaia routing daemon (RouteD) every few seconds to learn the contents of the routing table (the FIB).  With this information, the gateway will auto-adjust the anti-spoofing topology without needing to make new objects manually.

 

You will use this option in dynamic routing environments, but you can just as easily do it with static routes ("static routes" are a routing protocol; just not a dynamic routing protocol)

 

velo
Contributor
3 hours ago
In response to Duane_Toler

Great to know, thank you. Makes sense.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events