This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2025-11-18 05:31 AM
Jump to solution

Not defined interface topology

Hi 

Under any interface topology settings we have the option This network (internal), IP addresses behind this interface: Not defined.

According to the admin guide:

"

  • Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface

"

But if i choose that and try to install the policy i get:

 

not-defined.png

 

What do i miss here?

In what case should you use that (no defined) option in production networks?

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Diamond
MVP Diamond
‎2025-11-18 07:14 AM
Jump to solution

Hey mate,

I just worked with TAC on another endpoint issue and mentioned this to the lady I spoke with and she checked with her colleague and indeed confirmed this is expected behavior and they will request documentation be updated, as it does give an impression it should work, but since it expects some some sort of correct topology defined, wording "not defined" would implicate for that not to happen, though it states it would be everything behind that interface.

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

0 Kudos
12 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-11-18 05:46 AM
Jump to solution

Can you send a screenshot of how its defined?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2025-11-18 05:59 AM
In response to the_rock
Jump to solution

kort.JPG

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-18 06:14 AM
In response to Moudar
Jump to solution

Just tried in the lab, no matter what options I test with non defined, it always fails. I assume must be expected behavior, but not 100% sure.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-18 07:14 AM
Jump to solution

Hey mate,

I just worked with TAC on another endpoint issue and mentioned this to the lady I spoke with and she checked with her colleague and indeed confirmed this is expected behavior and they will request documentation be updated, as it does give an impression it should work, but since it expects some some sort of correct topology defined, wording "not defined" would implicate for that not to happen, though it states it would be everything behind that interface.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2025-11-18 07:18 AM
In response to the_rock
Jump to solution

That answer will suffice for now, as I mainly wanted to understand why it behaves that way (failing to install the policy).
The documentation should be updated as well, because it’s the foundation of our knowledge, my friend.

the_rock
MVP Diamond
MVP Diamond
‎2025-11-18 07:20 AM
In response to Moudar
Jump to solution

ExcitedSoGIF.gif

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2025-11-18 07:21 AM
In response to Moudar
Jump to solution

and that leave me wonder what is the usage of "not defined", i mean what use case in production or in lab?

the_rock
MVP Diamond
MVP Diamond
‎2025-11-18 07:22 AM
In response to Moudar
Jump to solution

To me, suppose no real use, honestly.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-11-18 05:24 PM
In response to the_rock
Jump to solution

I think there just needs to be a default setting, and picking one of the other options could compromise security as it wouldn't be a default deny configuration.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-18 05:31 PM
In response to emmap
Jump to solution

Makes total sense to me , Emma. It would be cool if there was a pop up if customers picked the less secure option warning them about it. Maybe too much to ask for, but just an idea.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-11-18 08:35 PM
In response to the_rock
Jump to solution

The other options aren't necessarily less secure, there's not really anything that needs popping up so much as it just needs configuring properly. If anti-spoofing is disabled then it's less secure, and in that case a warning is added to the policy install outcome.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-18 08:39 PM
In response to emmap
Jump to solution

Personally, and I also advise customers to do the same, I find defined by routes the best option, because if topology does change, no need to update anything manually for given interface.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events