Hi everyone,
I am having a challenge with a L2 Bridge mode setup and hoping someone can chime in with some assistance/direction.
Use Case:
1) Customer requires a Layer2 based Bridge setup inline between its current router and core switch
2) Layer 3 interfaces reside on the router for select interfaces they wish to segment/control traffic; other networks are routed from the core switch; requiring inspection to/from router (i.e., out of the site)
3) Some of this control is between two VLANs sitting off the same router (VLAN 100 and VLAN 200 in this example).
4) Customer is using a Native, non tagged interface (10.10.10.1/24 in this example) between the Core and router; Tagging the interface on the router is not possible due to a dynamic routing limitation (i.e for some reason, running OSPF or BGP on this router can't be done on a sub interface 😞 )
Testing:
Initially, we set this up as a simple bridge interface (Eth1 <=> Eth2) on the checkpoint and it did flow traffic through for any traffic coming from/to the core and router. Once we attempted traffic from one of the segmented networks, it dropped the traffic. We determined this to be due to some 'hairpinning' of the traffic going up and back down the same bridge interface to be the root cause.
Intended setup:
To overcome this, we are thinking of establishing 3 total bridge interfaces: Bri1 (Eth1 <=> Eth2; for the untagged interface), Bri100 (Eth1.100 <=> Eth2.100) for VLAN 100 traffic and Bri200 (Eth1.200 <=> Eth2.200) for VLAN 200. The hope here is that traffic between Vlan 200 and the native or between VL100 & VL200 will be allowed as its now should flow through two different interfaces.
Wanted to check to see if 1) this is the best means to accomplish this and 2) is there any issues with this exact setup in reference to the 'untagged' traffic (Ok to do as described or do i need another physical wire (i.e. Access port for the native only [Eth1/Eth2 bridge] and a trunked port for the tagged only [Eth3/Eth4 with VLAN interfaces for the bridges).
Topology/Security Zone question:
My goal was to fix this separation with the various Bridge interfaces per VLAN and then use security zones associated to each of the interfaces to build my access/threat policy off of. Since this setup will be repeated at various sites, I want to establish a unified rule base using the security zone objects. VL100 and VL200 all have the same use case at these sites but different networks.
What i am not able to find is firm documentation on how to set this up.
Note - The physical interfaces that are part of a Bridge interface always appear with the topology "Undefined". Workaround: Use the API command "get-interfaces". |
| Notes:
|
Important:
Make sure the Bridge interface and Bridge subordinate interfaces are not in the Topology.
You cannot define the Topology of the Bridge interface. It is External by default.
I know that unless I can import the topology, I can't define security zones but does that mean that you can only do this in a single GW here and not a Cluster (Active/Active or Active/Passive)? If External is the default topology for a bridge interface, why does each import (with or without topology) both come back with "internal" in some form. I've looked at all of the SKs around bridge mode and what is supported and what is not.....I can't find anything outside what I have posted here that mentions anything of this subject. its also my understanding that in L2 bridge mode, Anti-spoofing should be off (sk105899 & sk34312). is that still the case today or only for ease of not requiring to define every network manually (per sk34312) or for the double inspection of the management interface depending on how it flows in/out in respect to the bridge (sk105899). For the VLAN networks in question, I believe I can define the spoofing if I set the topology with "This Network (Internal) => IP address behind this interface => Specific <Insert Network object here>. But if the documentation states it can only be "external", then I would think defining this would not be possible(?).
I really want to solve this L2 issue and not have to resort to a L3 deployment with the current setup this customer has. I also know that a ClusterXL question will come up here and would also like to figure out if there is limitation to this topology deployment with the VLAN tags and Security Zones is even plausible overall.
Sorry for the long drawn out post.....been bugging me for awhile trying to solve this and appreciate any assistance before I engage my account team
| User | Count |
|---|---|
| 20 | |
| 11 | |
| 9 | |
| 6 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 |
Wed 04 Sep 2024 @ 05:00 PM (CEST)
Secure the GenAI Revolution with the All-New GenAI Security from Check PointThu 05 Sep 2024 @ 11:00 AM (PDT)
West US: What's New In Check Point Quantum Security Gateway R82!Tue 10 Sep 2024 @ 03:00 PM (AEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (APAC)Wed 04 Sep 2024 @ 05:00 PM (CEST)
Secure the GenAI Revolution with the All-New GenAI Security from Check PointThu 05 Sep 2024 @ 11:00 AM (PDT)
West US: What's New In Check Point Quantum Security Gateway R82!Tue 10 Sep 2024 @ 03:00 PM (AEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (APAC)Tue 10 Sep 2024 @ 10:00 AM (CEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (EMEA)Tue 10 Sep 2024 @ 05:00 PM (CEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (Americas)Wed 11 Sep 2024 @ 10:00 AM (CEST)
CheckMates Live Norway - Network Troubleshooting Best PracticesTue 01 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Salzburg - Maintenance and Upgrade Best PracticesThu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Vienna - Identity Awareness Best Practices and Harmony Sase Updates
