Matlu
Advisor

FW in L2

Hello,

We have a FW that we want to work in transparent mode, to avoid making sudden changes in our network.

We have enabled 2 fiber interfaces (Eth1-1 and Eth1-2) in bridge mode, which we understand is the way to make the FW work in L2.

The intention is that the FW only performs web filtering for the LAN of our headquarters.

Some questions:

Is it necessary to pull the topology from SmartConsole, and should the interfaces that are in bridge mode also be seen from here?

If we only want the appliance to perform web filter control to the LAN, is it necessary to have the FW blade of our appliance enabled?

FW: R82 - JHF 10

Thank you for your answers.

0 Kudos
22 Replies
Chris_Atkinson
Employee

Review the documentation here:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Installation_and_Upgrade_Guide/Con...

See also sk106319, sk101371

CCSM R77/R80/ELITE
Matlu
Advisor

Hello.

This is the documentation I was looking at, but since I started reading it I have wondered whether the interfaces that one sets to bridge mode in the Gaia Portal should or should not be pulled into the topology section in SmartConsole.

So if I have 1, 2, or many interfaces in bridge mode, the topology still has to be pulled from SmartConsole, right?

Regards.

0 Kudos
Matlu
Advisor

Hello,

We have inherited a FW that is configured to work as an L2 device; the goal is that this device only does “Web Filters”, but we have had problems with the loss of some services when testing, something that should not happen, since we are running 2 interfaces in bridge mode.

A query: in my scenario I currently have 4 interfaces:

Eth1-1
Eth1-2
Mgmt
maas_tunnel

Currently the FW goes out to the Internet through the “Mgmt” interface, and it is important to mention that this FW is hooked up to a Smart-1 Cloud.

I have reviewed the documentation, and the following section raises doubts for me.

E5.png

E6.png

Can I have the topology of both interfaces configured as External?

Does the interface that gives the CP device its path out to the Internet necessarily have to be one of the interfaces that is in bridge mode?

Cheers. 🙂

0 Kudos
the_rock
Legend
Legend

Hey bro,

If routing is correct, just do “get interfaces without topology” and it will give the right output.

Andy

0 Kudos
Matlu
Advisor

Hey Buddy.

Is it no longer necessary to configure 1 of the 2 interfaces that are in bridge mode as “External”?

The objective is that this FW works in L2, that it does not “intervene” at the routing level.
We only want the device to make web filters with the URL Filtering blade.

Cheers. 🙂

0 Kudos
the_rock
Legend
Legend

That's right, as long as the bridge interface is external.

Andy

0 Kudos
AkosBakos
Leader

Hi @Matlu 

Double-check the mentioned documentation, especially the topology settings.

Long story short:

Q1: yes

Q2: yes. BTW, you can't have a GW appliance without the firewall blade enabled, from my point of view (it is grayed out).

image.png

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend

Q1 -> yes

Q2 -> the FW blade is enabled by default when the object is created

Andy

PhoneBoy
Admin
Admin

Firewall blade is always required to be enabled.
Topology on the Bridge Mode interface should be External.

See also:

0 Kudos
Matlu
Advisor

Hello, Mate

Before putting in the CP FW, the network topology is something like this.

E1.png

When we put in the CP FW, the topology changes to this model.

E2.png

So to be sure to apply the changes correctly, both Eth1-1 and Eth1-2 interfaces must be configured as “External”, right?

Because currently they look like “This Network”.

E3.png

A DUMB question, but if the interfaces in the topology are not “configured” in the right way, can this cause traffic problems?

Thank you for your help. 🙂

0 Kudos
the_rock
Legend
Legend

No dumb questions, my friend. Technically, if you do “get interfaces WITHOUT topology”, it should fetch the right info. However, if something is incorrect, yes, it could cause issues, but considering it's in bridge mode, you might be okay.

Andy

0 Kudos
Matlu
Advisor

Buddy,

Thanks for getting back to me.

In my scenario, and based on PhoneBoy's comment, do you think it is “mandatory” to put both my Eth1-1 and Eth1-2 interfaces in “External” mode?

In this FW, I only have 1 more interface connected, which is the MGMT port, and it is in the topology as “External”.

Apart from that interface, I don't have another one (I don't take into account the maas_tunnel interface, since my FW is hooked up to a Smart-1 Cloud).

Cheers.

0 Kudos
the_rock
Legend
Legend

Yes, I believe they would need to be set as external, correct.

Andy

0 Kudos
PhoneBoy
Admin
Admin

If the interfaces "touch" the external network (directly or indirectly), they should be marked external.
That includes most L2 deployments.

Why is your management interface external?
How does it fit into the overall topology of the environment?

0 Kudos
Matlu
Advisor

Hello,

The goal is that the box, works as a “Web Filter” with the URLF+APPC blade.

They configured the “Mgmt” interface as “External”, as I was informed, because the box needs to be able to reach the Internet to update the engines of the mentioned blades, and also because this box is hooked up to a Smart-1 Cloud, so it needs a path out to the Internet.

At the end of the day, this box only has 4 interfaces:

2 Interfaces in bridge mode, Eth1-1 and Eth1-2.
1 “Mgmt” interface
1 LOM interface

So, does it make sense to you, that the MGMT interface is “configured” as “External”?

Cheers.

0 Kudos
PhoneBoy
Admin
Admin

How does the Management interface reach the Internet?
Does the traffic have to traverse the L2 bridge on this gateway?
If so, it can (should) be internal and you'll have to apply: https://support.checkpoint.com/results/sk/sk105899 

0 Kudos
Matlu
Advisor

This box reaches the Internet through a default route.

IP MGMT: 10.123.119.46
IP Gateway: 10.123.119.34

Above our CP box there is an F5 device, which is the one that does the NAT to our IP so that it can go out to the Internet.

The box cannot be without Internet because it is hooked up to a Smart-1 Cloud, and if we remove the path out to the Internet, we understand that we will lose management from our Tenant.

Now, as for the internal network traffic, effectively, this traffic must go through the bridge interfaces, without trying to go through the MGMT.

The objective of the box having Internet is related to not losing management of the equipment from the Tenant, to keeping the signatures of all the blades up to date, and to letting the box know that there are new JHF packages to install.

Regards. 

0 Kudos
the_rock
Legend
Legend

Can you send what topology looks like at the moment?

Andy

0 Kudos
Matlu
Advisor

Hi, Buddy.
About a week ago, I posted a couple of reference images of what my scenario looks like.

A silly question, but is it advisable and, above all, is it possible to create a default route to the Internet through one of my interfaces that is in bridge mode?

I have only one Br1 (Eth1-1 and Eth1-2)

At this moment the CP box goes out to the Internet through the MGMT Interface.

So if I put one of the bridge interfaces with the topology in EXTERNAL mode, would this 'force' me to create a default route through this Interface bridge?

I got a little confused.

😶😵💫

0 Kudos
the_rock
Legend
Legend

No worries man, we always work as a team to help others, just remember that, never feel bad about it.

Anyway, here is my thought... can you modify that route in the web GUI to use the bridge interface as the DG, rather than an IP address?

Just do this in a maintenance window.

Andy

0 Kudos
PhoneBoy
Admin
Admin

So the Management interface is reaching the Internet not through the L2 bridge?
Topology impacts a few things:

  • Anti-spoofing (doesn't make sense in this configuration)
  • The "Internet" object (if used, probably shouldn't in this configuration)
  • Threat Prevention scope (which might require a tweak to the profile, but not relevant since not used currently)

External should be fine here aside from the above issues.

the_rock
Legend
Legend

All makes sense.

0 Kudos
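The rules the thread settles on (the bridge interface marked External, with anti-spoofing not meaningful on it; a routed management interface External only if it has its own path to the Internet, otherwise Internal per sk105899; and the box needing a default route for the Smart-1 Cloud tunnel and blade updates) can be checked mechanically before pushing policy. The script below is an added example, not from this thread or from Check Point: it parses a constructed Gaia "show configuration" excerpt (the Mgmt and gateway addresses are the ones given in the thread; the /27 mask and the lowercase "eth1-1" spelling are assumptions) and returns the topology and anti-spoofing settings to apply in SmartConsole, plus issues such as a missing default route or an IP address sitting on a bridge member instead of on the bridge interface.

```python
"""Added example (not from the thread or from Check Point): check a Gaia
bridge-mode gateway against the topology rules discussed in the thread,
using a constructed 'show configuration' excerpt. The /27 mask and the
interface spelling are assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed excerpt in Gaia clish "show configuration" syntax.
SAMPLE_CONFIG = """\
add bridging group 1 interface eth1-1
add bridging group 1 interface eth1-2
set interface eth1-1 state on
set interface eth1-2 state on
set interface Mgmt state on
set interface Mgmt ipv4-address 10.123.119.46 mask-length 27
set static-route default nexthop gateway address 10.123.119.34 on
"""

BRIDGE_RE = re.compile(r"^add bridging group (\d+) interface (\S+)$")
ADDR_RE = re.compile(r"^set interface (\S+) ipv4-address (\S+) mask-length (\d+)$")
ROUTE_RE = re.compile(r"^set static-route (\S+) nexthop gateway address (\S+) on$")


def parse_gaia(config: str):
    """Return (bridges, addrs, routes) parsed from clish configuration lines."""
    bridges: Dict[str, List[str]] = {}             # "br1" -> ["eth1-1", "eth1-2"]
    addrs: Dict[str, ipaddress.IPv4Interface] = {}  # interface -> address/prefix
    routes: Dict[str, ipaddress.IPv4Address] = {}   # "default" -> next hop
    for raw in config.splitlines():
        line = raw.strip()
        if m := BRIDGE_RE.match(line):
            bridges.setdefault("br" + m.group(1), []).append(m.group(2))
        elif m := ADDR_RE.match(line):
            addrs[m.group(1)] = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}")
        elif m := ROUTE_RE.match(line):
            routes[m.group(1)] = ipaddress.IPv4Address(m.group(2))
    return bridges, addrs, routes


def egress_interface(addrs, nexthop) -> Optional[str]:
    """Interface whose connected subnet contains the next hop (longest prefix wins)."""
    best = None
    for name, iface in addrs.items():
        if nexthop in iface.network:
            if best is None or iface.network.prefixlen > addrs[best].network.prefixlen:
                best = name
    return best


def recommend_topology(config: str) -> dict:
    bridges, addrs, routes = parse_gaia(config)
    members = {m for grp in bridges.values() for m in grp}
    issues: List[str] = []
    default_if = None
    if "default" not in routes:
        issues.append("no default route: the Smart-1 Cloud tunnel and blade updates need one")
    else:
        default_if = egress_interface(addrs, routes["default"])
        if default_if is None:
            issues.append(f"default next hop {routes['default']} is not on any connected subnet")
    for m in sorted(members & set(addrs)):
        issues.append(f"bridge member {m} carries an IP; put it on the bridge interface instead")

    interfaces: Dict[str, dict] = {}
    # Bridge interface: External, anti-spoofing off (the L2 path does not terminate routing).
    for br, ifs in bridges.items():
        interfaces[br] = {"members": ifs, "topology": "external", "anti_spoofing": False}
    # Routed interfaces: External only if they themselves carry the path to the
    # Internet; a management interface that only reaches the Internet through
    # the bridge should be Internal (sk105899 in the thread).
    for name in addrs:
        if name in members or name in bridges:
            continue
        interfaces[name] = {
            "topology": "external" if name == default_if else "internal",
            "anti_spoofing": True,
        }
    return {"default_egress": default_if, "interfaces": interfaces, "issues": issues}


if __name__ == "__main__":
    import json
    print(json.dumps(recommend_topology(SAMPLE_CONFIG), indent=2))
```

Run it against the real output of "show configuration" from clish to get the same report for your own box; in the constructed sample the default route leaves directly through Mgmt, so Mgmt comes back External (the thread's conclusion) and br1 External with anti-spoofing off. If the only route out were through an address on br1, Mgmt would come back Internal instead.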