This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TAEKBOM_Kim
Contributor
‎2018-09-26 07:35 PM
Jump to solution

L3 mode and bridge mode in ha configuration?

Hi mates~!

The check point can operate L3 mode and bridge mode in HA configuration? 
I know It can operate L3 mode and bridge mode in standalone mode.
But I think it is impossible in HA.
Please give me your advice.
1 Solution

Accepted Solutions
Norbert_Bohusch
Advisor
‎2019-08-01 01:37 AM
Jump to solution

sk101371 - Bridge Mode on Gaia OS and SecurePlatform OS

This sk lists everything related to bridge mode.

Example:

Bridge mode is fully supported (unless stated otherwise) on Gaia / SecurePlatform OS by the following blades for single Security Gateway deployment, for cluster with one switch in Active/Active and Active/Standby deployment, and for cluster with four switches:

 

Or:

Limitations

Only two interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-ports switch. Each port can be a Physical, a VLAN, or a Bond device.

These features, Software Blades and deployments are not supported in Bridge Mode:

  • IPSec VPN Software Blade
  • Mobile Access Software Blade
  • "Full High Availability" deployment (where both ClusterXL members are also configured in Management HA)
  • NAT rules on Security Gateways (specifically, the traffic will be displayed as accepted by the FireWall kernel in logs, but will not actually depart on the other side, which may give the false impression that it is working).
    Refer to sk106146 - Configuration required on routers to allow NATed traffic to pass through Security Gateway....
  • Access to Portals from bridged networks, if the bridge does not have an assigned IP address
  • Anti-Virus in Traditional Mode
  • Identity Awareness authentication other than AD Query (AD Query is the only supported authentication)
  • Assigning an IP address on Bridge interface in ClusterXL (any version)
  • ClusterXL in R75.40 and lower / R75.45 / R75.46 / R75.47
  • Asymmetric traffic inspection on Layer 2 Active/Active cluster deployment is not supported (asymmetric traffic inspection is any situation, where the Client-to-Server packet is inspected by one cluster member, while the Server-to-Client packet is inspected by the other member. In such scenarios several security features will not work)

View solution in original post

0 Kudos
2 Replies
darrenkohcc
Explorer
‎2019-07-30 11:05 PM
Jump to solution

i got the same question, any answer for this? 

 

0 Kudos
Norbert_Bohusch
Advisor
‎2019-08-01 01:37 AM
Jump to solution

sk101371 - Bridge Mode on Gaia OS and SecurePlatform OS

This sk lists everything related to bridge mode.

Example:

Bridge mode is fully supported (unless stated otherwise) on Gaia / SecurePlatform OS by the following blades for single Security Gateway deployment, for cluster with one switch in Active/Active and Active/Standby deployment, and for cluster with four switches:

 

Or:

Limitations

Only two interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-ports switch. Each port can be a Physical, a VLAN, or a Bond device.

These features, Software Blades and deployments are not supported in Bridge Mode:

  • IPSec VPN Software Blade
  • Mobile Access Software Blade
  • "Full High Availability" deployment (where both ClusterXL members are also configured in Management HA)
  • NAT rules on Security Gateways (specifically, the traffic will be displayed as accepted by the FireWall kernel in logs, but will not actually depart on the other side, which may give the false impression that it is working).
    Refer to sk106146 - Configuration required on routers to allow NATed traffic to pass through Security Gateway....
  • Access to Portals from bridged networks, if the bridge does not have an assigned IP address
  • Anti-Virus in Traditional Mode
  • Identity Awareness authentication other than AD Query (AD Query is the only supported authentication)
  • Assigning an IP address on Bridge interface in ClusterXL (any version)
  • ClusterXL in R75.40 and lower / R75.45 / R75.46 / R75.47
  • Asymmetric traffic inspection on Layer 2 Active/Active cluster deployment is not supported (asymmetric traffic inspection is any situation, where the Client-to-Server packet is inspected by one cluster member, while the Server-to-Client packet is inspected by the other member. In such scenarios several security features will not work)
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top