Madmaks
Contributor

Problem with bridge mode between Aruba switch and FortiGate

Hi,


My plan is to position the Check Point device in bridge mode between the FortiGate firewall and the Aruba switch, and demonstrate the benefits of Check Point.

The FortiGate firewall and the Aruba switch are connected via LACP (Link Aggregation) and operate in trunk mode. Multiple VLANs are defined under this trunk. However, when I place the Check Point firewall between the two devices in bridge mode, no traffic passes through to me.

I have configured the VLANs under the Br1 interface on the Check Point device to match the VLANs defined on the FortiGate, but the result remains the same—no traffic is being received.

[Screenshot attachment: Ekran Resmi 2024-10-01 16.30.47.png]

0 Kudos
4 Replies
AkosBakos
Advisor

Hi @Madmaks 

What does the Smartlog show?

What does "fw ctl zdebug + drop" show?

Is the picture correct? The Aruba and Forti sides are LACP, and the CP has only one interface? Both sides must be the same. A "one-legged" bond won't work in this situation.

Akos


----------------
\m/_(>_<)_\m/
0 Kudos
Madmaks
Contributor

When I run zdebug I could not see any drop. Smartlog just shows the log of the mgmt interface.


Why do you think it won't work with a single interface? After all, that's what LACP is for. Even with a single interface, LACP will ensure that packets pass through one line.

The key point here is whether Check Point interferes with L2 traffic. For example, if it can only recognize IPv4, IPv6, and ARP traffic but not all traffic types, then that might be a reason for LACP not to work. Otherwise, I don't see why it shouldn't work. We can discuss this further.


Maybe the following solution will help me; what do you think?


Allow / Drop Ethernet Frames with Specific Protocols

By default, Security Gateway in the Bridge mode allows Ethernet frames that carry protocols other than IPv4 (0x0800), IPv6 (0x86DD), or ARP (0x0806) protocols.

Starting in R77.10, administrators can configure a Security Gateway in the Bridge mode to accept or drop Ethernet frames that carry specific protocols.

Note: In a cluster environment, this procedure must be performed on all members of the cluster.

Which Ethernet frames should be allowed/dropped, and the instructions for each:

Allow Ethernet frames only with IPv4, IPv6, and ARP protocols:
  1. Add this line to the $FWDIR/boot/modules/fwkern.conf file (spaces are not allowed):
    fwaccept_unknown_protocol=0
  2. Reboot the Security Gateway.

Allow Ethernet frames with any protocol (other than IPv4, IPv6, or ARP) (default):
  1. Add this line to the $FWDIR/boot/modules/fwkern.conf file (spaces are not allowed):
    fwaccept_unknown_protocol=1
  2. Reboot the Security Gateway.
0 Kudos
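As an added illustration (not code from the thread or from Check Point), the Python snippet below parses the EtherType of sample Ethernet frames, walking over any 802.1Q/802.1ad VLAN tags such as those on the trunk described above, and models which frames a bridge-mode gateway forwards under each fwaccept_unknown_protocol value. The LACP EtherType 0x8809 (IEEE 802.3 slow protocols) is a standard value; the frame bytes and MAC addresses are constructed for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad outer tag
ETHERTYPE_LACP = 0x8809   # IEEE 802.3 slow protocols (LACP, OAM); never VLAN-tagged

# Protocols the bridge accepts regardless of fwaccept_unknown_protocol
ALWAYS_ACCEPTED = {ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP}


def parse_frame(frame: bytes):
    """Return (vlan_ids, payload_ethertype) for an Ethernet II frame.

    Walks over stacked 802.1Q / 802.1ad tags so that the EtherType of the
    encapsulated protocol, not the tag itself, is what gets classified.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # destination MAC (6) + source MAC (6)
    vlans = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        offset += 4
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlans, ethertype


def bridge_accepts(frame: bytes, accept_unknown: int) -> bool:
    """Model fwaccept_unknown_protocol: 1 forwards any EtherType (default),
    0 forwards only IPv4, IPv6 and ARP. Returns True if the frame passes."""
    _, ethertype = parse_frame(frame)
    if ethertype in ALWAYS_ACCEPTED:
        return True
    return accept_unknown == 1


def build_frame(ethertype: int, vlan=None) -> bytes:
    """Constructed sample frame: dummy MACs, optional 802.1Q tag, zero payload."""
    hdr = bytes.fromhex("01234567890a") + bytes.fromhex("0a0b0c0d0e0f")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return hdr + tag + struct.pack("!H", ethertype) + b"\x00" * 46
```

Running bridge_accepts(build_frame(ETHERTYPE_LACP), 0) shows that with the restrictive setting an untagged LACPDU is dropped while tagged IPv4 or ARP frames still pass, which is the behaviour to verify before placing a bridge inside an LACP trunk.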
Chris_Atkinson
Employee

The Check Point probably should have two bonds configured to participate in LACP for this topology irrespective of how many slave interfaces are up/down.

CCSM R77/R80/ELITE
0 Kudos
Madmaks
Contributor

Are you suggesting I do LACP on Checkpoint?

0 Kudos