FW in L2
Hello,
We have a FW that we want to work in transparent mode, to avoid making sudden changes in our network.
We have enabled 2 fiber interfaces (Eth1-1 and Eth1-2) in bridge mode, which we understand is the way to make the FW work in L2.
The intention is that the FW only performs web filtering to the LAN of our headquarters.
Some questions
Is it necessary to pull the topology from the SmartConsole, and should the Interfaces that are in bridge mode also be seen from here?
If we only want the appliance to perform web filter control to the LAN, is it necessary to have the FW blade of our appliance enabled?
FW: R82 - JHF 10
Thank you for your answers.
Review the documentation here:
See also sk106319, sk101371
Hello.
This is the documentation I was looking at, but since I started reading it I have wondered whether the interfaces that one sets to bridge mode in the Gaia Portal should or should not be pulled from SmartConsole in the topology section.
So if I have 1, 2, or many interfaces in a bridge, the topology still has to be pulled from SmartConsole, right?
Regards.
Hello,
We have inherited a FW that is configured to work as an L2 device. The goal is that this device only does "Web Filters", but we have had problems with the loss of some services when testing, something that should not happen, since we are working with 2 interfaces in bridge mode.
A query: in my scenario I currently have 4 interfaces:
Eth1-1
Eth1-2
Mgmt
maas_tunnel
Currently the FW goes out to the Internet through the “Mgmt” interface, and it is important to mention that this FW is hooked to a Smart-1 Cloud.
I have reviewed the documentation, and the following section causes me doubts.
Can I have the topology of the 2 interfaces configured as External?
Does the interface that gives the CP device its Internet access necessarily have to be one of the interfaces that is in bridge mode?
Cheers. 🙂
Hey bro,
If routing is correct, just do "Get Interfaces Without Topology" and it would give the right output.
Andy
Hey Buddy.
Is it no longer necessary to configure 1 of the 2 interfaces that are in bridge mode, as “External”?
The objective is that this FW works in L2, that it does not “intervene” at the routing level.
We only want the device to make web filters with the URL Filtering blade.
Cheers. 🙂
That's right, as long as the bridge interface is external.
Andy
Hi @Matlu
Double-check the mentioned documentation, especially the topology settings.
Long story short:
Q1: yes
Q2: yes. BTW, from my point of view you can't have a GW appliance without the firewall enabled (it is grayed out).
Akos
\m/_(>_<)_\m/
Q1 -> yes
Q2 -> the FW blade is enabled by default when the object is created
Andy
Firewall blade is always required to be enabled.
Topology on the Bridge Mode interface should be External.
See also:
Hello, Mate
Before putting the FW CP, the network topology is something like this.
When we put the FW CP, the topology changes to this model.
So to be sure to apply the changes correctly, both Eth1-1 and Eth1-2 interfaces must be configured as “External”, right?
Because currently they look like “This Network”.
A DUMB question, but if the interfaces in the topology are not "configured" the right way, can this cause traffic problems?
Thank you for your help. 🙂
No dumb questions, my friend. Technically, if you do "Get Interfaces WITHOUT Topology", it should fetch the right info. However, if something is incorrect, yes, it could cause issues, but considering it's in bridge mode, you might be okay.
Andy
Buddy,
Thanks for getting back to me.
In my scenario, and based on PhoneBoy's comment, do you think it is "mandatory" to put both my Eth1-1 and Eth1-2 interfaces in "External" mode?
In this FW, I only have 1 more interface connected, which is the MGMT port, and it is in the topology as “External”.
Apart from that interface, I don't have another one (I don't take into account the maas_tunnel interface, since my FW is hooked to a Smart-1 Cloud).
Cheers.
Yes, I believe they would need to be set as external, correct.
Andy
If the interfaces "touch" the external network (directly or indirectly), they should be marked external.
That includes most L2 deployments.
Why is your management interface external?
How does it fit into the overall topology of the environment?
Hello,
The goal is that the box, works as a “Web Filter” with the URLF+APPC blade.
They configured the "Mgmt" interface as "External", as I was informed, because the box needs to be able to reach the Internet to keep updating the engines of the mentioned blades, and also because this box is hooked to a Smart-1 Cloud, so it needs Internet access.
At the end of the day, this box only has 4 interfaces:
2 Interfaces in bridge mode, Eth1-1 and Eth1-2.
1 “Mgmt” interface
1 LOM interface
So, does it make sense to you, that the MGMT interface is “configured” as “External”?
Cheers.
How does the Management interface reach the Internet?
Does the traffic have to traverse the L2 bridge on this gateway?
If so, it can (should) be internal and you'll have to apply: https://support.checkpoint.com/results/sk/sk105899
This box reaches the Internet through a default route.
IP MGMT: 10.123.119.46
IP Gateway: 10.123.119.34
Above our CP box there is an F5 appliance, which is the one that does the NAT for our IP so that it can go out to the Internet.
The box cannot be without Internet because it is hooked to a Smart-1 Cloud, and if we remove the Internet access, we understand that we will lose management from our Tenant.
Now, as for the internal network traffic: yes, that traffic must go through the bridge interfaces, without trying to go through the MGMT.
The purpose of the box having Internet is not to lose management of the equipment from the Tenant, to keep the signatures of all the blades up to date, and so that the box can know that there are new JHF packages to install.
Regards.
Can you send what topology looks like at the moment?
Andy
Hi, Buddy.
About a week ago, I posted a couple of reference images of what my scenario looks like.
A silly question, but is it advisable and, above all, is it possible to create a default route to the Internet through one of my interfaces that is in bridge mode?
I have only one Br1 (Eth1-1 and Eth1-2)
At this moment the CP box goes out to the Internet through the MGMT Interface.
So if I set one of the bridge interfaces' topology to EXTERNAL, would this "force" me to create a default route through this bridge interface?
I got a little confused.
😶😵💫
No worries man, we always work as a team to help others, just remember that, never feel bad about it.
Anyway, here is my thought: can you modify that route in the Web UI to use the bridge interface as the DG, rather than an IP address?
Just do this in a maintenance window.
Andy
So the Management interface is reaching the Internet not through the L2 bridge?
Topology impacts a few things:
- Anti-spoofing (doesn't make sense in this configuration)
- The "Internet" object (if used, probably shouldn't in this configuration)
- Threat Prevention scope (which might require a tweak to the profile, but not relevant since not used currently)
External should be fine here aside from the above issues.
All makes sense.
Hello,
A question: is it mandatory to configure an IP on a Bridge interface?
The Check Point documentation points out in step 6 that an IP must be configured on the Bridge interface.
Configuring a Single Security Gateway in Bridge Mode
Exactly which IP should be configured?
Cheers.
Definitely you need an IP, brother.
Andy

Step 1: In the left navigation tree, click Network Management > Network Interfaces.
Step 2: Make sure that the subordinate interfaces, which you wish to add to the Bridge interface, do not have IP addresses assigned.
Step 3: Click Add > Bridge. To configure an existing Bridge interface, select the Bridge interface and click Edit.
Step 4: On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
Step 5: Select the interfaces from the Available Interfaces list and then click Add.
Step 6: On the IPv4 tab, enter the IPv4 address and subnet mask. You can optionally select the Obtain IPv4 Address automatically option.
Step 7: Optional: On the IPv6 tab, do one of these:
Buddy
It makes no sense to me that the documentation "invites" me to configure an IP on the bridge interface.
Isn't the bridge interface supposed to "function" at L2?
I have 2 Routers.
[R1] ------------------------------ [R2]
Between both routers there is a “point to point” segment configured.
The idea is to put the CP in the middle of the 2 devices.
[R1] -------------- [CP FW] ----------------- [R2]
So, if we have 2 interfaces of the CP in bridge mode, so that logically it still works "as if it were a cable", why would we have to configure an IP on the bridge interface itself?
I'm confused.
Do you understand my doubt?
Cheers.
The way I always understood it (and your question is totally VALID), the bridge interface does NOT technically need an IP, BUT if it's connected to something that needs to use the network, then it would need an IP address assigned.
I could be totally wrong when I say that, but that was always my understanding.
Andy
Also, technically, IF you are adding 2 interfaces that don't have an IP assigned, then it would add them fine.
Andy
I am interested in this topic, and I found different statements.
For ClusterXL in bridge mode:
These features and deployments are not supported in Bridge Mode:
Assigning an IP address to a Bridge interface in ClusterXL
and
Important: Make sure the Bridge interface and Bridge subordinate interfaces are not in the Topology. You cannot define the Topology of the Bridge interface. It is External by default.
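The Gaia clish equivalent of the Portal steps quoted above, combined with the default route through Mgmt that the thread describes, as an added example that is not from the thread or from Check Point's documentation. It assumes the interface names eth1-1 and eth1-2 and the Mgmt gateway 10.123.119.34 from the posts; the bridge group ID 1 (which yields br1), the placeholder bridge address 192.0.2.10/24, and the use of # lines as annotations (drop them if your clish version rejects them) are assumptions for illustration. The IP step is shown only for the single-gateway case, since the thread quotes that assigning an IP to a bridge interface in ClusterXL is not supported.

```clish
# Added example, not from the thread or Check Point docs.
# Assumed: eth1-1/eth1-2 as member interfaces, bridge group 1 (-> br1),
# placeholder bridge IP 192.0.2.10/24, Mgmt gateway 10.123.119.34 (from the thread).

# Step 2: members must carry no IP address before they join the bridge.
delete interface eth1-1 ipv4-address
delete interface eth1-2 ipv4-address
set interface eth1-1 state on
set interface eth1-2 state on

# Steps 3-5: create bridge group 1 (appears as br1) and add both members.
add bridging group 1
add bridging group 1 interface eth1-1
add bridging group 1 interface eth1-2

# Step 6, single gateway only: the quoted doc assigns an IPv4 address to the bridge.
# Omit this line for ClusterXL in bridge mode (the thread quotes it as unsupported there).
set interface br1 ipv4-address 192.0.2.10 mask-length 24

# The box keeps reaching the Internet (Smart-1 Cloud, blade updates) via Mgmt, not via br1.
set static-route default nexthop gateway address 10.123.119.34 on

save config

# Verification: members listed under group 1, no IP on eth1-1/eth1-2, default route via Mgmt.
show bridging groups
show interface br1
show route
```

After `save config`, the SmartConsole side follows the thread's advice: run Get Interfaces Without Topology on the gateway object, leave the bridge interface's topology as External, and keep the Mgmt default route so the gateway's own traffic never has to cross br1.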
I will test it in R82, but that makes sense.
Andy
