This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
15 hours ago

FW in L2

Hello,

We have a FW that we want to work in transparent mode, to avoid making sudden changes in our network.

We have enabled 2 fiber interfaces (Eth1-1 and Eth1-2) in bridge mode, which we understand is the way to make the FW work in L2.

The intention is that the FW only performs web filtering to the LAN of our headquarters.

Some questions

Is it necessary to pull the topology from the SmartConsole, and should the Interfaces that are in bridge mode also be seen from here?

If we only want the appliance to perform web filter control to the LAN, is it necessary to have the FW blade of our appliance enabled?

FW: R82 - JHF 10

Thank you for your answers.

0 Kudos
9 Replies
Chris_Atkinson
Employee Employee
Employee
14 hours ago

Review the documentation here:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Installation_and_Upgrade_Guide/Con...

See also sk106319, sk101371

CCSM R77/R80/ELITE
Matlu
Advisor
14 hours ago
In response to Chris_Atkinson

Hello.


This is the documentation I was looking at, but I wondered since I started reading the documentation, if the interfaces that one sets in the GAIA Portal as bridge mode, should or should not be pulled from the SmartConsole in the topology part.

So if I have 1, 2, or many interfaces in bridge, the topology still has to be pulled from the SmartConsole, right?

Regards.

0 Kudos
AkosBakos
Leader Leader
Leader
14 hours ago

Hi @Matlu 

Double-check the mentioned documentaions, especially the topoligy settings.

Long story short:

Q1: yes

Q2: yes. BTW you can't have a GW appliance without firewall enabled from my point of view. (grayed out)

 

image.png

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend
14 hours ago

Q1 -> yes

Q2 -> fw blade is enabled by default when object is created

Andy

PhoneBoy
Admin
Admin
11 hours ago

Firewall blade is always required to be enabled.
Topology on the Bridge Mode interface should be External.

See also:

0 Kudos
Matlu
Advisor
5 hours ago
In response to PhoneBoy

Hello, Mate

Before putting the FW CP, the network topology is something like this.

E1.png

When we put the FW CP, the topology changes to this model.

E2.png

So to be sure to apply the changes correctly, both Eth1-1 and Eth1-2 interfaces must be configured as “External”, right?

Because currently they look like “This Network”.

E3.png

A DUMB question, but if the interfaces in the topology are not “configured” in the right way, can this cause traffic problems?

Thank you for your help. 🙂

0 Kudos
the_rock
Legend
Legend
5 hours ago
In response to Matlu

No dumb questions my friend. Technically, if you do get interfaces WITHOUT topology, it should fetch the right info. However, if something is incorrect, yes, it could cause issues, but considering its in bridge mode, you might be okay.

Andy

0 Kudos
Matlu
Advisor
4 hours ago
In response to the_rock

Buddy,

Thanks for getting back to me.

In my scenario, and based on PhoneBoy's comment, my Eth1-1 and Eth1-2 interfaces do you think it is “mandatory” to put them in “External” mode both interfaces?

In this FW, I only have 1 more interface connected, which is the MGMT port, and it is in the topology as “External”.

Apart from that interface, I don't have another one (I don't take into account the maas_tunnel interface, since my FW is hooked to a Smart-1 Cloud).

Cheers.

0 Kudos
the_rock
Legend
Legend
4 hours ago
In response to Matlu

Yes, I believe they would need to be set as external, correct.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events