There is a regular L3 HA cluster (with internal, external and sync interfaces). It is not VSX.
There is a need to use this same cluster to do some L2 bridging. The firewall will not do any routing for the L2 IP address scopes (that may change at some point, but it is not the issue here).
The lab topology for testing the scenario is displayed on the drawing. When all switch ports are configured in access mode for VLAN 100, the two PCs can ping each other and bridging works OK. Policy allows any service from 10.10.100.0/24 to 10.10.100.0/24.
When I change the switch ports connecting the firewalls to trunk (tagged VLANs), the firewall is not passing traffic anymore.
When PC 101 is trying to ping PC 102, traffic arrives on interface eth5; it is clear that the traffic is tagged with VLAN id 100, but nothing is seen on eth6:
[Expert@gw_dc1:0]# tcpdump -enni eth5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:35:17.171156 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:18.195079 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:19.219390 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:20.243128 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:21.267126 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
[Expert@gw_dc1:0]# tcpdump -enni eth6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth6, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[Expert@gw_dc1:0]#
The firewalls are configured to use "Check Point ClusterXL for Bridge Active/Standby" to avoid a loop. The above test was also done with FW2 shut down, to make sure all traffic is passing only via FW1. Gaia configuration:
gw_dc1> show configuration bridging
add bridging group 1000
add bridging group 1000 interface eth5
add bridging group 1000 interface eth6

gw_dc1> show configuration interface
set interface br1000 state on
set interface eth0 state on
set interface eth0 auto-negotiation on
set interface eth0 ipv4-address 192.168.2.236 mask-length 24
set interface eth1 link-speed 1000M/full
set interface eth1 state on
set interface eth1 ipv4-address 10.200.200.2 mask-length 24
set interface eth2 link-speed 1000M/full
set interface eth2 state on
set interface eth2 ipv4-address 10.255.254.1 mask-length 30
set interface eth3 state off
set interface eth4 state off
set interface eth5 state on
set interface eth6 state on
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8
The bridge interface is not part of the topology in SmartConsole. Tested this with R80.40 and also R81 JHF take 65. Tried it with a single firewall (not part of a cluster) and with the ClusterXL described above.
I am out of ideas. According to the documentation, this is a supported scenario, but it is not working for some reason 😞
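As an added troubleshooting aid (not code from the post or from Check Point), here is a small Python parser for the `tcpdump -enni` output format shown above. It pulls the 802.1Q tag out of each frame line and compares what arrives on one bridge member with what leaves on the other, so the "tagged frames on eth5, nothing on eth6" symptom is flagged per VLAN rather than eyeballed. The capture strings are constructed: the trunk-mode eth5 capture reproduces the frames from the post, and the access-mode capture is a constructed untagged equivalent of what the working test would look like.

```python
import re
from collections import Counter

# Constructed capture text in the format printed by `tcpdump -enni <iface>`.
# Trunk mode: the eth5 frames are the ones from the post, eth6 saw nothing.
ETH5_TRUNK = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:35:17.171156 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:18.195079 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:19.219390 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:20.243128 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
14:35:21.267126 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP, Request who-has 10.10.100.102 tell 10.10.100.101, length 46
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
"""
ETH6_TRUNK = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth6, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
"""
# Access mode (constructed): the same ARP request arrives untagged and is
# forwarded out of the other bridge member, which is the working case.
ETH5_ACCESS = """\
14:40:01.000001 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.100.102 tell 10.10.100.101, length 46
"""
ETH6_ACCESS = """\
14:40:01.000050 00:0c:29:ac:e5:3f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.100.102 tell 10.10.100.101, length 46
"""

# One `tcpdump -e` frame line: timestamp, src > dst, outer ethertype, length,
# then an optional 802.1Q block ("vlan N, p PCP, ethertype INNER,").
FRAME_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype (?P<etype>\S+) \((?P<ecode>0x[0-9a-f]{4})\), length (?P<length>\d+):"
    r"(?: vlan (?P<vlan>\d+), p (?P<pcp>\d), ethertype (?P<inner>\S+),)?"
)


def parse_frame(line):
    """Parse one frame line; return None for tcpdump banner/summary lines."""
    m = FRAME_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"],
        "dst": d["dst"],
        "length": int(d["length"]),
        # With a tag the outer ethertype is 0x8100 and the payload type follows it.
        "vlan": int(d["vlan"]) if d["vlan"] is not None else None,
        "ethertype": d["inner"] if d["inner"] is not None else d["etype"],
    }


def vlan_summary(capture_text):
    """Frames per VLAN id; the key None counts untagged frames."""
    counts = Counter()
    for line in capture_text.splitlines():
        frame = parse_frame(line)
        if frame is not None:
            counts[frame["vlan"]] += 1
    return dict(counts)


def bridge_check(ingress_text, egress_text):
    """Flag VLANs (and untagged traffic) seen entering one bridge member but
    never leaving the other. A healthy bridge shows the same set on both."""
    seen_in = vlan_summary(ingress_text)
    seen_out = vlan_summary(egress_text)
    missing_vlans = sorted(v for v in seen_in if v is not None and v not in seen_out)
    untagged_missing = None in seen_in and None not in seen_out
    return {
        "ok": not missing_vlans and not untagged_missing,
        "ingress": seen_in,
        "egress": seen_out,
        "missing_vlans": missing_vlans,
        "untagged_missing": untagged_missing,
    }


if __name__ == "__main__":
    for label, a, b in (("trunk", ETH5_TRUNK, ETH6_TRUNK), ("access", ETH5_ACCESS, ETH6_ACCESS)):
        print(label, bridge_check(a, b))
```

Run against the two captures, the trunk case reports `missing_vlans == [100]` and the access case is clean. In a real session you would feed it the text of one capture per bridge member taken at the same time; a VLAN that shows up only in the ingress summary is the one to chase in the bridge configuration, while a frame count that matches but with the tag gone on egress would point at the bridge stripping tags instead of dropping them.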
If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.
To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces.
I did not contact TAC; this is a lab environment with eval licenses and no support. When we do it on production boxes, it will have to work from day 1, so I am trying to verify the configuration and steps upfront.