Allow all VLANs on a Bridge Interface
Hello, Mates.
Is there a way to configure in the “Bridge Mode” interface of a FW CP, the option to allow all VLANs?
I have 1 box with 2 interfaces in bridge mode.
This box is in the middle of 2 Routers, which currently have configured on the ports that connects them, multiple VLANs.
So, I want the br1 interface that has my 2 physical interfaces to “allow all these VLANs without any exception”.
The routers currently pass more than 30 VLANs, and manually making 1 bridge group for each VLAN is not very productive.
Is there a way to make the br1 interface that has the 2 physical interfaces as such, “allow” all VLANs?
Greetings.
From what I remember, if you just create a bridge with just the physical interfaces, it will pass all the VLANs.
That's basically what this SK does while telling you to also disable bridge anti-spoofing (needed in this case): https://support.checkpoint.com/results/sk/sk34312
Hello.
If I apply the SK, how can you validate that the change has actually been made and has the value recommended in the document?
To disable Anti-Spoofing, set the global parameter fw_bridge_antispoofing to 0.
[Expert@Hostname] # fw ctl set int fw_bridge_antispoofing 0
Note: This configuration will be lost after the reboot. To set it to be permanent, run:
[Expert@Hostname]# echo "fw_bridge_antispoofing=0">> $FWDIR/modules/fwkern.conf
Thanks.
To confirm the setting:
[Expert@Hostname] # fw ctl get int fw_bridge_antispoofing
Hello,
The option to validate the current antispoofing status does not seem to work.
Is the command you shared correct?
[Expert@FW-WF:0]#
[Expert@FW-WF:0]# fw ctl get int fw_bridge_antispoofing
Get operation failed: failed to get parameter fw_bridge_antispoofing
get: Operation failed
Killed
Cheers.
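As an added example (not from any post in this thread), the two checks discussed above, the runtime `fw ctl get int` value and the persistent line in fwkern.conf, can be scripted so that "parameter does not exist on this version" is reported separately from "parameter set to a non-zero value", and so that a missing or duplicated fwkern.conf line is caught. The `name = value` success format of `fw ctl get int` and the `name=value` line format of fwkern.conf are assumptions; the command outputs and the conf file in the demo are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers to validate both steps of the
# SK: the runtime kernel parameter and the persistent fwkern.conf line.
# Assumed formats: `fw ctl get int` prints "name = value" on success;
# fwkern.conf holds one "name=value" per line.

# classify_get_output PARAM "OUTPUT-OF-fw-ctl-get-int"
# Prints "value=N" when the kernel exposes PARAM, "missing" when the
# parameter does not exist on this version (the case seen above), else "unknown".
classify_get_output() {
    param=$1; output=$2
    case "$output" in
        *"failed to get parameter $param"*) echo missing ;;
        *"$param = "*)
            n=$(printf '%s\n' "$output" | sed -n "s/^$param = \([0-9][0-9]*\).*/\1/p" | head -n 1)
            echo "value=$n" ;;
        *) echo unknown ;;
    esac
}

# count_conf_lines CONF PARAM VALUE
# Number of well-formed "PARAM=VALUE" lines in CONF. 0 means the setting
# will not survive a reboot (a common cause: `echo >>` appended to a last
# line that had no trailing newline); more than 1 means the echo was run
# repeatedly. A missing file counts as 0.
count_conf_lines() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c "^$2=$3\$" "$1" || true
}

# Demo with constructed data (no gateway needed).
demo() {
    tmp=$(mktemp)
    printf 'some_other_param=1\nfw_bridge_antispoofing=0\n' > "$tmp"
    classify_get_output fw_bridge_antispoofing "fw_bridge_antispoofing = 0"
    classify_get_output fw_bridge_antispoofing \
        "Get operation failed: failed to get parameter fw_bridge_antispoofing"
    count_conf_lines "$tmp" fw_bridge_antispoofing 0
    rm -f "$tmp"
}
demo
```

On a real gateway you would pass the captured output of `fw ctl get int fw_bridge_antispoofing` and the path `$FWDIR/modules/fwkern.conf` instead of the constructed samples.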
The only reason you get that is the kernel variable referenced doesn't exist.
Which means this SK is not correct, at least on current versions.
However, I think you should be ok if you disable anti-spoofing on the relevant bridge interface in SmartConsole.
So it should be enough if I remove the Antispoofing on the 2 interfaces that form the br1?
Because in the topology of the GW from the SmartConsole, there is no “br1” interface, but the 2 interfaces that make the “br1” appear.
I believe you are correct: disable anti-spoofing on the two interfaces that make up br1.
If traffic originating from the gateway itself flows over the bridge, you will have to make other adjustments to account for "local interface anti-spoofing."
For that, see: https://support.checkpoint.com/results/sk/sk105899
If I'm understanding this correctly, these steps disable anti-spoofing globally (not just on the bridge interface), among other things.
