AlekzNet
Participant

What is the difference between interface topologies: Internet and Internal default route based?

Hi All,

What is the difference between the following interface topologies:

- Internet
- Internal -> network defined by the routes (the default route is configured on this interface)

Any references to the documentation/SKs?

How is it working in the real life?

I'm asking because I discovered some strange behaviours...

 

Thank you in advance!

0 Kudos
17 Replies
the_rock
Legend
Legend

Internet is chosen when interface is considered external.

0 Kudos
AlekzNet
Participant

My question is about the difference in firewall's behaviour.

0 Kudos
the_rock
Legend
Legend

It all depends on the routing really. Internal IP can also be chosen as external interface.

0 Kudos
AlekzNet
Participant

That's exactly what my question is about 😉:

> It all depends on the routing really. Internal IP can also be chosen as external interface.

> Internal -> network defined by the routes (the default route is configured on this interface)

the_rock
Legend
Legend

Network defined by routes...all that literally means is that if topology changes, no need to do anything or install policy. I always recommend that option.

0 Kudos
AlekzNet
Participant

Again, this is perfectly fine and understandable. But that does not answer my question 😊

0 Kudos
the_rock
Legend
Legend

Your question was the difference in fw behavior. If Internet is selected, the interface will be considered external; the 2nd option would be internal. Sorry if I'm not understanding something else 🙂

0 Kudos
AlekzNet
Participant

The question is: If an internal interface has the default route configured through it, how would it be different from an external interface?

In other words. Two scenarios:

1. 3 ifaces: 1 Internet with the default route, 2 internals
2. 3 ifaces: all internals, but one of them has the default route.

Will there be any difference in how the firewall will treat the traffic going towards the default gateway? If yes, what is it?
Is it documented anywhere?
What is happening IRL?

 

Additional related questions:
- What does it mean, that the interface is internal or external? (Provided the routes are the same and/or the anti-spoofing is turned off)
- What is different in the traffic processing?
- Is it documented anywhere?

the_rock
Legend
Legend

NOW I get it 🙂

AFAIK, regardless of how interfaces are configured, routing will work depending on the IP address. So say for lots of firewalls, the external interface can be configured with an internal IP, but routing can still go through it.

In your examples, say scenario 1, DG can be actual ISP upstream router and scenario 2 can be just lab ip address.

But maybe someone else can correct me if I'm wrong.

Good question btw!

Difference in traffic processing? Maybe give an example. Is it documented anywhere? Not sure this would be specifically.

Andy

0 Kudos
AlekzNet
Participant

I'm asking this question, because I stumbled upon some very unexpected behaviour here: https://community.checkpoint.com/t5/Security-Gateways/How-to-disable-local-anti-spoofing-in-R81-20-c...

Hence, I'd like to know how it's supposed to work first. And if it does not work so IRL, another CP case is in order.

0 Kudos
the_rock
Legend
Legend

I can't comment without knowing specifics, but from my experience, 9 times out of 10, anti-spoofing has to do with asymmetric routing.

Andy

0 Kudos
AlekzNet
Participant

Anti-spoofing is turned off.

0 Kudos
the_rock
Legend
Legend

If so, I would run ip r g on various IP addresses and make sure it's right.

ie:

ip r g 8.8.8.8

0 Kudos
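To make the two scenarios from the question concrete, and to show what the `ip r g` check above actually resolves, here is an added example (not from the thread or from Check Point) that parses a constructed `ip route` table, derives the per-interface networks a "defined by the routes" topology would contain, and does the same longest-prefix lookup `ip route get` does. It is a model of route-derived topology, not the gateway's own algorithm; the interface names and addresses are constructed.

```python
"""Model a route-derived interface topology from `ip route` output."""
import ipaddress
import re

# Constructed `ip route` output for scenario 2 of the thread: three interfaces,
# all meant to be "Internal, defined by routes", with eth0 carrying the default route.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
10.1.0.0/24 dev eth1 proto kernel scope link src 10.1.0.1
10.2.0.0/24 dev eth2 proto kernel scope link src 10.2.0.1
10.3.0.0/16 via 10.2.0.254 dev eth2
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Return a list of (network or None for the default route, interface)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = None if dst == "default" else ipaddress.ip_network(dst, strict=False)
        routes.append((net, m.group("dev")))
    return routes


def topology_from_routes(routes):
    """Map each interface to the networks routed through it.

    The interface holding the default route gets no explicit 'everything else'
    entry: that is the position an 'Internet' interface occupies, so the two
    scenarios from the thread differ only in the label, not in the routes."""
    topo, default_dev = {}, None
    for net, dev in routes:
        if net is None:
            default_dev = dev
        else:
            topo.setdefault(dev, []).append(net)
    return topo, default_dev


def route_lookup(routes, ip):
    """Longest-prefix match, falling back to the default route (like `ip r g`)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if net is not None and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else next((d for n, d in routes if n is None), None)
```

Running `route_lookup` over a few addresses, as the_rock suggests with `ip r g`, shows which interface each destination actually leaves through regardless of its topology label.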
AlekzNet
Participant

Again, this is not what the question is about 😄

0 Kudos
the_rock
Legend
Legend

K, I give up then 😃😃

0 Kudos
Jarvis_Lin
Collaborator

The firewall's application rules and threat prevention rules distinguish between external and internal traffic based on the defined topology settings.

For instance, the internet object in application rules and the protected scope configuration in anti-virus / threat emulation settings determine inspection based on the defined topology.


the_rock
Legend
Legend

That's true, but then CP is not like Fortinet, where you have to define interfaces in the rules, so that's why I was saying it all depends on how routes are configured.

0 Kudos