My question is about the difference in firewall's behaviour.

It all depends on the routing really. Internal IP can also be chosen as external interface.

That's what my question is about exactly 😉  :

> It all depends on the routing really. Internal IP can also be chosen as external interface.

> Internal -> network defined by the routes (the default route is configured on this interface)

Network defined by routes...all that literally means is that if topology changes, no need to do anything or install policy. I always recommend that option.

Again, this is perfectly fine and understandable. But that does not answer my question 😊

Your question was difference in fw behavior. If selected Internet, interface will be considered as external, 2nd option would be internal. Sorry if Im not understanding something else 🙂

The question is: If an internal interface has the default route configured through it, how would it be different from an external interface?

In other words. Two scenarios:

1. 3 ifaces: 1 Internet with the default route, 2 internals
2. 3 ifaces: all internals, but one of them has the default route.

Will there be any difference in how the firewall will treat the traffic going towards the default gateway? If yes, what is it?
Is it documented anywhere?
What is happening IRL?

Additional related questions:
- What does it mean, that the interface is internal or external? (Provided the routes are the same and/or the anti-spoofing is turned off)
- What is different in the traffic processing?
- Is it documented anywhere?

NOW I get it 🙂

AFAIK, regardless how interfaces are configured, routing will work depending on the IP address. So say for lots of firewalls, external interface can be configured as internal IP, but routing can still go through it.

In your examples, say scenario 1, DG can be actual ISP upstream router and scenario 2 can be just lab ip address.

But, maybe someone else can correct me if Im wrong.

Good question btw!

Difference in traffic processing? Maybe give an example. Is it documented anywhere? Not sure this would be specifically.

Andy

I'm asking this question, because I stumbled upon some very unexpected behaviour here: https://community.checkpoint.com/t5/Security-Gateways/How-to-disable-local-anti-spoofing-in-R81-20-c...

Hence, I'd like to know how it's supposed to work first. And if it does not work so IRL, another CP case is in order.

I cant comment without knowing specifics, but from my experience, 9 times out of 10, anti spoofing has to do with assymetric routing.

Andy

Anti-spoofing is turned off.

If so, I would run ip r g on various ip addresses and make sure its right.

ie:

ip r g 8.8.8.8

Again, this is not what the question is about 😄

K, I give up then 😃😃

Thats true, but then CP is not like Fortinet, where you have to define interfaces in the rules, so thats why I was saying it all depends on how routes are configured. 

I stated it already: there is a default route through the interface in question in both cases.

Personally, I would open TAC case to get an official answer. Just my honest opinion 🙂

Yep! That's what I'm going to do!

Cool...keep us posted what they say.

Andy

> the protected scope configuration

By default the protected scope is "Any". 

> the internet object in application rules and the protected scope configuration in anti-virus / threat emulation settings determine inspection based on the defined topology.

In other words, you are stating, that AV/AB/IPS signatures will work differently, if the the interface is assigned to the internal or external topology, right? What is this difference? Provided the IPS and firewall rules are all "Any"s?

> There is no interface topology marked "Internet."

It's called "Internet (External)" in the Topology Settings

> What is "External" topology you ask?
> It is literally those networks that are not defined on other interfaces (either directly or via routes).

In this case, do I understand correctly, that if we have:

A = All networks, everything
N1 = network 1 (e.g. assigned to interface i1)
N2 = network 2 (e.g. assigned to interface i2)

- if we have one iface with Internet (External), it will expect A - (N1 + N2)
- if we have only Internal ifaces, the one with the default route will expect A - (N1 + N2)

What happens if we have:

- anti-spoofing turned off?
- 2 or more external interfaces (for example, bridge sub-interfaces are both external by default)?

What is the difference (or there should be no difference?) if you configure the firewall with:

- 3 internal interfaces, one of the with the default route
- 2 internal interfaces, one external interface with the default route

> What precisely are you observing?

If the interface is configured as "External" with the default route,  Internet sites are not accessible. If the interface is configured as "Internal" with the default route - accessible. Anti-spoofing is turned off in both cases.

I had never seen case like what you described, first for me. Do you mind send screenshot of both topology settings when it works and when it does not? Just blur out any sensitive data.

Andy

It's exactly as I described. Anti-spoofing is turned off. And the routing will not be visible on the screenshot anyway 🙂

When you say "not accessible" what is the precise behavior observed both on the client and related log messages?

In a Layer 3 configuration, your "External" interface(s) generally contain the default route.
The fact it's contained on an Internal interface could be considered an incorrect configuration.
If I remember correctly, Bridge (Layer 2) interfaces should be marked Internal. 

Two things I know of are impacted by the topology configuration:

• The "Internet" object
• Threat Prevention enforcement, as discussed previously (note there are settings in the profile itself that also apply to Protected Scope" above and beyond the rules themselves).

> If I remember correctly, Bridge (Layer 2) interfaces should be marked Internal. 

According to https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

> In a Layer 3 configuration, your "External" interface(s) generally contain the default route.
> The fact it's contained on an Internal interface could be considered an incorrect configuration.

According to my tests, it works when the default route is configure on the "Internal" iface, and it does not work if this interface is configured as "Internet (External).

Today I got a very interesting advice from a colleague of mine - compare $FWDIR/state/local/FW1/local.set files between different topologies.

> If I remember correctly, Bridge (Layer 2) interfaces should be marked Internal. 

According to https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Installation_and_Upgrade_Gui...

Important: Make sure the Bridge interface and Bridge subordinate interfaces are not in the Topology. You cannot define the Topology of the Bridge interface. It is External by default.

> In a Layer 3 configuration, your "External" interface(s) generally contain the default route.
> The fact it's contained on an Internal interface could be considered an incorrect configuration.

It worked when the default route was configured on the "Internal" interface, and did not work, when this interface was set up as "Internet (External)"

> When you say "not accessible" what is the precise behavior observed both on the client and related log messages?

In short, I either could or could not get a response from an Internet DNS server (1.1.1.1).

Today, a colleague of mine advised me to compare $FWDIR/state/local/FW1/local.set files between different topologies. Definitely something to try!