How To Setup A Bridge Mode Firewall On An IP Appliance With IPSO

10 April 2012

© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd party copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is ion download?ID 15361
For additional technical information, visit the Check Point Support on

History
Date        Description
4/10/2012   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp techpub feedback@checkpoint.com?subject Feedback on How To Setup a Bridge Mode Firewall on an IP Appliance with IPSO ).

Contents

Important Information
How To Setup a Bridge Mode Firewall on an IP Appliance with IPSO
    Objective
        Supported Versions
        Supported Operating Systems
        Supported Appliances
    Before You Start
        Related Documents and Assumed Knowledge
        Impact on Environment and Warnings
    Setting up a Bridge Mode Firewall on an IP Appliance with IPSO
        Setting up a Bridge Mode Group
        Configuring the bridge Mode Group on an IP appliance with IPSO 6.2
        Configuring a High Availability Bridge Mode Firewall
Index

Objective

This document explains various configurations that you can use to set up a Bridge Mode firewall or an IPSO Transparent Mode firewall in a single and clustered gateway configuration.

Supported Versions
- NGX R65 HFA 70 and later
- R70, R70.10, R70.20, R70.30
- R71

Supported Operating Systems
- IPSO 4.2
- IPSO 6.2

Supported Appliances
Any IP and Power series appliances that support IPSO.

Before You Start

Related Documents and Assumed Knowledge
- Network Voyager for IPSO 6.2 Reference htm?ID 10293) OR Nokia Network Voyager Reference Guide for IPSO 4.2 (N450000359 Rev tm?ID 9844)
- R70 Firewall Administration Guide D 8738) (Chapter 6: Bridge Mode).
- This guide does not cover or provide instructions to install IPSO and Security Application on an IP appliance, or the initial configuration to set up system time, interfaces, and static routes.
- Reader is familiar with advanced IP routing and IP bridge functionality.
- Why are my BPDU packets being dropped by Transparent Mode interfaces? - ions?id 38927).
- What is "Neighbor Control Block" in Transparent Mode? - ions?id 39630).
- Default filter doesn't block traffic traversing transparent mode interfaces - ions?id 39766).

- VSX cluster in transparent mode failover failure - ions?id 40320).
- Unknown ARP opcode (0x0032), (0x0033), (0x0034), (0x0036) to DST: 01:00:5E:00:00:12 in a Transparent Mode VRRP Config - sk41140 (http://supportcontent.checkpoint.com/solutions?id 41140).
- What are some limitations of transparent mode? - sk41241.
- Transparent Mode FAQ - sk41320 (http://supportcontent.checkpoint.com/solutions?id 41320).
- What is the age time-out for Neighbor Control Block in Transparent mode? - ions?id 41330).
- Does NMDS support VLAN translation in Transparent Mode (Bridging)? - ions?id 41436).
- Anti-spoofing in IPSO Transparent mode - rtcenter/portal?eventSubmit doGoviewsolutiondetails &solutionid sk41442&js peid P-114a7ba5fd7-10001&partition General&product Security).
- Will the ADP subsystem accelerate Transparent Mode connections with SecureXL? - ions?id 42716).
- Is transparent mode supported with Fiber network interfaces on IP series platforms? - ions?id 44772).

Impact on Environment and Warnings
- The firewall is a bridge. It typically forwards traffic that is allowed by the rulebase.
- By default, transparent mode interfaces forward only IP or ARP packets. Traffic for all other protocols is discarded automatically.
- Transparent mode is not supported with IPv6.
- Transparent Mode supports only Ethernet interfaces (10/100/1000/10000 Mbps).

Setting up a Bridge Mode Firewall on an IP Appliance with IPSO

Setting up a Bridge Mode Group

In this procedure, we use a sample topology to show a Transparent Mode group (XMG) and its interfaces as an example.
- Group XMG 101 with interfaces eth2c0 and eth3c0. Their IP Address is 172.16.1.29. Its Destination is 172.16.1.0/24.
- Group XMG 104 with interfaces eth4c0 and eth5c0. Their IP Address is 192.168.10.29. Its Destination is 192.168.10.0/24.

- Interface eth1c0 between the firewall and the Check Point Gateway. Its IP Address is 172.26.144.129. Its Destination is 172.26.144.0/24.

To Create a Transparent Mode group (XMG), and Add Interfaces to it:

1. Make sure the IP appliance has IPSO 6.2 installed (not the Check Point VPN-1 Security application).

2. Configure interfaces (in this example, three interfaces, eth1c0, eth2c0, and eth3c0) with IP addresses and enable them. The firewall requires one interface in a Bridge/Transparent Mode group to have an IP address. To the firewall, all interfaces in the group share this address.
3. From the Voyager tree view, select Configuration > Interface Configuration > Transparent Mode. The Transparent Mode Configuration window opens.
4. In the Create New Transparent Mode Group field, enter an integer greater than 0 (for example, 101), and click Apply.

5. Click the link of the new transparent mode group. It reads as XMG with the number entered in step 4. For example, XMG 101. The Transparent Mode Configuration for Group 101 (101 in this example) window opens.
6. In the Add Interface drop down list, select an interface to associate with the transparent mode group. In this case, select the logical interface associated with IP address 172.16.1.29/24, and click Apply.

7. In the Add Interface drop down list, select the second interface connected to the same LAN, and click Apply. This allows the system to bridge between the two interfaces in the group.

8. In the tree view, click Transparent Mode. The Transparent Mode Configuration window opens.
9. In the Transparent Mode Groups table, in the Enable column, select the check box associated with XMG 101, and click Apply > Save.

10. Create a second Transparent Mode group (in this example, 104).
11. Add interfaces (in this example, eth4c0, eth5c0, with IP Address 192.168.10.29/24) to XMG 104.
12. In the tree view, select Transparent Mode. The Transparent Mode Configuration window opens.

13. In the Transparent Mode Groups table, in the Enable column, select the check box associated with XMG 104, and click Apply > Save.

Now the Interface Configuration window shows the Transparent Mode group interfaces:

To Create a Transparent Mode Group from Clish (if you prefer):

Run:

    NokiaIP290:37> add xmode id 104
    NokiaIP290:38> add xmode id 104 interface eth4c0
    NokiaIP290:39> add xmode id 104 interface eth5c0
    NokiaIP290:40> set xmode id 104 state 1
    NokiaIP290:41> save config

To Delete a Transparent Mode Group:

1. From the Voyager tree view, select Configuration > Interface Configuration > Transparent Mode. In the Transparent Mode Groups table, in the Delete column, select the check box associated with the group you want to delete (in this example, XMG 104), and click Apply > Save.
2. Restart the Firewall Service with cpstop and cpstart after any change to the Transparent Mode group configuration.

To Delete a Transparent Group from Clish:

Run:

    NokiaIP290:53> delete xmode id 104
    NokiaIP290:54> save config

To Remove an Interface from the Transparent Mode Group from Clish:

Run:

    NokiaIP290:60> delete xmode id 104 interface eth5c0
    NokiaIP290:61> save config

To Monitor a Transparent Mode Group:

From Voyager: from the tree view, select Monitor > Transparent Mode Monitor.
From Clish: you can monitor the transparent mode group with these commands:

    NokiaIP290:44> show xmode id 101 info
    XMODE ID 101
    State : 1
    vrrp enabled : Not Configured
    Interfaces :
    1 : eth2c0
    2 : eth3c0

    NokiaIP290:45> show xmode id 104 info
    XMODE ID 104
    State : 1
    vrrp enabled : Not Configured
    Interfaces :
    1 : eth4c0
    2 : eth5c0

    NokiaIP290:46> show xmode id 101 stat
    XMODE ID 101
    Number of times transparent mode group creation succeeded : 2
    Number of times transparent mode group creation failed : 0
    Number of times transparent mode group deletion succeeded : 0
    Number of times transparent mode group deletion failed : 0
    Number of times adding an interface to a transparent mode group succeeded : 4
    Number of times adding an interface to a transparent mode group failed : 0
    Number of times removing an interface from a transparent mode group succeeded : 0
    Number of times removing an interface from a transparent mode group failed : 0
    Number of known neighbors : 0
    Number of add IPv4 Family success : 4
    Number of add IPv4 Family failed : 0
    Number of remove IPv4 Family success : 0
    Number of remove IPv4 Family failed : 0
    Stats : ARP
    Number of packets originated locally : 6
    Number of outgoing packets dropped due to interface down : 0
    Number of no buffer errors : 0
    Number of no destination errors : 0
    Number of send errors : 0
    Number of packets received : 27
    Number of incoming packets dropped due to interface down : 0
    Number of packets delivered locally : 23
    Number of packets forwarded : 21
    Stats : IPv4
    Number of IP packets originated locally : 784
    Number of outgoing packets dropped due to interface down : 7
    Number of no buffer errors : 0
    Number of no destination errors : 0
    Number of send errors : 0
    Number of packets delivered to firewall on egress : 1352
    Number of packets returned from firewall on egress : 1352
    Number of packets received : 39479
    Number of incoming packets dropped due to interface down : 0
    Number of packets delivered locally : 67
    Number of packets forwarded : 39399
    Number of packets dropped on VRRP standby : 0
    Number of packet header errors : 0
    Number of packets delivered locally due to NAT : 0
    Stats : IPv6

    NokiaIP290:46> show xmode id 104 stat
    XMODE ID 104
    Number of times transparent mode group creation succeeded : 5
    Number of times transparent mode group creation failed : 0
    Number of times transparent mode group deletion succeeded : 3
    Number of times transparent mode group deletion failed : 0
    Number of times adding an interface to a transparent mode group succeeded : 8
    Number of times adding an interface to a transparent mode group failed : 0
    Number of times removing an interface from a transparent mode group succeeded : 4
    Number of times removing an interface from a transparent mode group failed : 0
    Number of known neighbors : 0
    Number of add IPv4 Family success : 8
    Number of add IPv4 Family failed : 4
    Number of remove IPv4 Family success : 4
    Number of remove IPv4 Family failed : 0
    Stats : ARP
    Number of packets originated locally : 0
    Number of outgoing packets dropped due to interface down : 0
    Number of no buffer errors : 0
    Number of no destination errors : 0
    Number of send errors : 0
    Number of packets received : 0
    Number of incoming packets dropped due to interface down : 0
    Number of packets delivered locally : 0
    Number of packets forwarded : 0
    Stats : IPv4
    Number of IP packets originated locally : 0
    Number of outgoing packets dropped due to interface down : 0
    Number of no buffer errors : 0
    Number of no destination errors : 0
    Number of send errors : 0
    Number of packets delivered to firewall on egress : 0
    Number of packets returned from firewall on egress : 0
    Number of packets received : 0
    Number of incoming packets dropped due to interface down : 0
    Number of packets delivered locally : 0
    Number of packets forwarded : 0
    Number of packets dropped on VRRP standby : 0
    Number of packet header errors : 0
    Number of packets delivered locally due to NAT : 0
    Stats : IPv6

To Verify Connectivity and Test Traffic through Transparent Mode Group Interfaces:

1. Make sure the Transparent Mode group interfaces are Active (a link is available) and UP (the status is green in Voyager).

2. Send traffic through the interfaces (in this example, eth2c0 and eth3c0).
3. Run tcpdump on the eth2c0 and eth3c0 interfaces, and observe that the traffic is seen in both directions (in this example 172.16.1.99 pings 172.16.1.80).

    IP290A[admin]# tcpdump -i eth2c0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2c0, link-type EN10MB (Ethernet), capture size 96 bytes
    07:17:38.363721 IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 32513, length 40
    07:17:38.363849 O IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 32513, length 40
    07:17:39.361713 IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 32769, length 40
    07:17:39.361867 O IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 32769, length 40
    07:17:40.363015 IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 33025, length 40
    07:17:40.363176 O IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 33025, length 40
    07:17:41.364616 IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 33281, length 40
    07:17:41.364778 O IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 33281, length 40
    ^C
    8 packets captured
    10 packets received by filter
    0 packets dropped by kernel

    IP290A[admin]# tcpdump -i eth3c0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth3c0, link-type EN10MB (Ethernet), capture size 96 bytes
    07:17:38.363724 O IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 32513, length 40
    07:17:38.363848 IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 32513, length 40
    07:17:39.361721 O IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 32769, length 40
    07:17:39.361865 IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 32769, length 40
    07:17:40.363022 O IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 33025, length 40
    07:17:40.363174 IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 33025, length 40
    07:17:41.364625 O IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 33281, length 40
    07:17:41.364776 IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 33281, length 40
    ^C
    8 packets captured
    15 packets received by filter
    0 packets dropped by kernel

4. Run tcpdump with the -e switch to observe the MAC/Ethernet addresses involved in this communication. Since the firewall acts as a Layer 2 bridge, you see the MAC/Ethernet addresses of the host that originates the traffic, and the host that receives the traffic. If there are routers on either side of the transparent mode group interfaces, you can see the source and destination MAC/Ethernet addresses of the respective routers only.

    IP290A[admin]# tcpdump -e -i eth2c0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2c0, link-type EN10MB (Ethernet), capture size 96 bytes
    06:38:44.278854 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 30977, length 40
    06:38:44.279042 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 30977, length 40
    06:38:45.276895 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31233, length 40
    06:38:45.277024 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31233, length 40
    06:38:46.278043 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31489, length 40
    06:38:46.278206 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31489, length 40
    06:38:47.279505 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31745, length 40
    06:38:47.279644 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31745, length 40
    ^C
    8 packets captured
    18 packets received by filter
    0 packets dropped by kernel
    IP290A[admin]#

    IP290A[admin]# tcpdump -e -i eth3c0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth3c0, link-type EN10MB (Ethernet), capture size 96 bytes
    06:38:44.278857 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 30977, length 40
    06:38:44.279040 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 30977, length 40
    06:38:45.276898 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31233, length 40
    06:38:45.277022 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31233, length 40
    06:38:46.278048 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31489, length 40
    06:38:46.278205 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31489, length 40
    06:38:47.279506 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31745, length 40
    06:38:47.279643 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31745, length 40
    ^C
    8 packets captured
    20 packets received by filter
    0 packets dropped by kernel
    IP290A[admin]#

Configuring the bridge Mode Group on an IP appliance with IPSO 6.2

To Configure R70 Bridge Mode Firewall on an IP appliance:

For this section, routers are added, on either side of the Bridge Mode interfaces, to the sample topology. This requires a different IP address for XMG 101 interfaces.
- Group XMG 101 with interfaces eth2c0 and eth3c0. Their IP Address is 10.207.188.29. Its Destination is 10.207.188.0/24.

- Default Gateway for eth2c0 is 10.207.188.126.
- Default Gateway for eth3c0 is 10.207.188.226.
- Group XMG 104 with interfaces eth4c0 and eth5c0. Their IP Address is 10.188.69.129. Its Destination is 10.188.69.0/24.
- Interface eth1c0 between the firewall and the Check Point Gateway. Its IP Address is 172.26.144.129. Its Destination is 172.26.144.0/24.
- Router R1 to eth3c0, router R2 to eth2c0.

1. Re-install NGX R70 VPN-1 Power Security Application.

2. Make sure the updated Interface Configuration window looks as in the image below.
3. From the SmartDashboard tree view, select the gateway. The General Properties window opens.
4. Configure the gateway properties as shown below:
   - In the IP Address field, the IP of the Check Point Gateway.
   - In the Comment field, Transparent Mode Firewall-1.
   - In Platform, select Other for Hardware, the appropriate version for Version, and IPSO for OS.
   - In the Network Security tab, select the IPSec VPN and Monitoring check boxes.

5. To establish SIC between the SmartCenter Server and the gateway, click Communication. The Trusted Communication window opens. Enter a one-time password, confirm the password, and click Initialize.

6. Select Topology, and click Get Interfaces with Topology. The Get Topology Results window opens.

7. Click Accept to confirm the interface topology. Notice that the interfaces that belong to the same XMG share the same IP addresses.

8. Select the Transparent Mode group interface that does not have an IP address configured in Voyager, and click Remove.

9. Now the sample gateway topology does not show the interfaces with no IPs.
10. For each interface, double click the interface. The Interface Properties window opens.
11. In the Topology tab, select External, and click OK. A warning message opens.

Note - To configure Anti-spoofing on a bridge mode firewall, refer to rtcenter/portal?eventSubmit doGoviewsolutiondetails &solutionid sk41442&js peid P-114a7ba5fd710001&partition General&product Security).

12. Click Yes.

13. From the SmartDashboard menu bar, select Rules > Add Rule > Above, and configure a simple Any-Any-Accept rulebase that enables logging, to verify that the test traffic is inspected by the Bridge Mode Firewall.
14. From the menu bar, select Policy > Install. The Install Policy window opens.
15. Select the Bridge Mode Firewall.

To Verify Connectivity and Test Traffic through Transparent Mode Group Interfaces:

1. Send test traffic through the Bridge Mode Firewall.

2. Open the SmartView Tracker, and from the tree view, select the firewall to check its logs.

Configuring a High Availability Bridge Mode Firewall

To Configure a High Availability Transparent/Bridge Mode firewall:

This sample topology shows High Availability Transparent Mode group (XMG) firewalls in a VRRP cluster.
- Group XMG 101 with interfaces eth2c0 and eth3c0. Their IP Address is 10.207.188.29. Its Destination is 10.207.188.0/24.
- Default Gateway for Sw3 is 10.207.188.126.
- Default Gateway for Sw2 is 10.207.188.226.
- Group XMG 104 with interfaces eth4c0 and eth5c0. Their IP Address is 10.188.69.129. Its Destination is 10.188.69.0/24.
- Interface eth1c0 between the firewall and the Check Point Gateway. Its IP Address is 172.26.144.129. Its Destination is 172.26.144.0/24.
- Router R1 to Sw2, router R2 to Sw3.

- Sw1 Virtual IP is 172.26.144.130.
- Sw3 Virtual IP is 10.207.188.30.

1. Set up the Transparent Mode group interfaces for this second firewall node as in the first one. Assign IPs as in the sample High Availability topology above (as with routers before).
2. To enable VRRP on a Transparent Mode group interface:
   a) In the Voyager tree view, Interface Configuration, Transparent Mode, click the link of the transparent mode group just created (in this example, XMG 101).
   b) Select the Enable VRRP check box, and click Apply.
   c) In the tree view, select Configuration > High Availability > VRRP. The VRRP Configuration window opens.

   d) In the Create New Monitored-Circuit Virtual Router field, enter an ID number (in this example 120).
   e) Make sure the Monitor Firewall State check box is not selected, and click Apply.
   f) In Monitored-Circuit Virtual Routers, configure appropriate values in the Priority and the Delta Priority fields, and enter 10.207.188.30 (in this example) in the New Backup Address field.
   g) Click Apply > Save.
   h) Click VRRP Monitor. The VRRP Monitor window opens.

   i) Make sure VRRP State is Master or Backup (depends on the Priority and Delta Priority values).
   j) To verify that the Virtual IP address is assigned to the VRRP Master, run:

   Note - It is normal to see all the Transparent Mode group interfaces to be in Promiscuous mode, as this is required for Bridge Mode operations.

    IP290A[admin]# ifconfig eth2c0
    eth2c0: lname eth2c0 flags=10e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK,XMODE>
            inet mtu 1500
            inet 10.207.188.29/24 broadcast 10.207.188.255
            inet 10.207.188.30/24 broadcast 10.207.188.255
            vrrpmac 0:0:5e:0:1:78
            phys eth2 flags=c173<UP,LINK,BROADCAST,MULTICAST,PROMISC,PRESENT>
            ether 00:a0:8e:71:df:92 speed 100M full duplex

   k) To verify that the VRRP advertisements are sent to the VRRP multicast
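
The following Python is an added example, not part of the Check Point guide: it automates the two-interface `tcpdump -e` comparison from "To Verify Connectivity and Test Traffic through Transparent Mode Group Interfaces" by pairing each ICMP echo that enters one member interface with the same packet leaving the other, and reports packets that were not forwarded or whose MAC addresses changed. The capture lines are constructed from the guide's sample output (the seq 31233 request is deliberately missing from the eth3c0 capture), and the function names are hypothetical.

```python
import re

MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
IP = r"\d+(?:\.\d+){3}"
# One ICMP echo line of `tcpdump -e -i <if> icmp` output in the format this guide
# prints. "O" after the timestamp marks a frame leaving the interface. The ">"
# separators are optional so the pattern also matches text that has lost them.
LINE = re.compile(
    rf"^\d\d:\d\d:\d\d\.\d+\s+(?P<out>O\s+)?"
    rf"(?P<smac>{MAC})\s*(?:\([^)]*\))?\s*>?\s*(?P<dmac>{MAC})\s*(?:\([^)]*\))?,"
    rf".*?:\s*(?P<src>{IP})\s*>?\s*(?P<dst>{IP}):\s*"
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Return {packet_key: (direction, src_mac, dst_mac)} for one interface."""
    seen = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines, counters, prompts, non-ICMP traffic
        key = (m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"]))
        seen[key] = ("out" if m["out"] else "in", m["smac"], m["dmac"])
    return seen


def bridge_report(cap_a, cap_b):
    """Compare captures taken on the two member interfaces of one XMG.

    forwarded:     entered one interface and left the other with the same MACs
    not_forwarded: entered one interface and never left the other (dropped by
                   the rulebase, or delivered to the firewall itself)
    mac_rewritten: crossed the group but the Ethernet addresses differ, which a
                   Layer 2 bridge should not cause
    """
    a, b = parse_capture(cap_a), parse_capture(cap_b)
    report = {"forwarded": [], "not_forwarded": [], "mac_rewritten": []}
    for near, far in ((a, b), (b, a)):
        for key, (direction, smac, dmac) in near.items():
            if direction != "in":
                continue
            peer = far.get(key)
            if peer is None or peer[0] != "out":
                report["not_forwarded"].append(key)
            elif peer[1:] != (smac, dmac):
                report["mac_rewritten"].append(key)
            else:
                report["forwarded"].append(key)
    return report


# Constructed captures in the guide's output format (not real capture data).
ETH2C0 = """\
listening on eth2c0, link-type EN10MB (Ethernet), capture size 96 bytes
06:38:44.278854 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 30977, length 40
06:38:44.279042 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 30977, length 40
06:38:45.276895 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31233, length 40
"""
ETH3C0 = """\
listening on eth3c0, link-type EN10MB (Ethernet), capture size 96 bytes
06:38:44.278857 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 30977, length 40
06:38:44.279040 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 30977, length 40
"""

if __name__ == "__main__":
    for verdict, packets in bridge_report(ETH2C0, ETH3C0).items():
        for src, dst, kind, icmp_id, seq in packets:
            print(f"{verdict:14} {src} > {dst} echo {kind} id {icmp_id} seq {seq}")
```

With routers on either side of the group, the MAC comparison still applies: both captures should show the same pair of router addresses for a given packet.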
