Routing and Bridge Interfaces

Security Gateways with a Bridge interface can support Layer 3 routing over non-bridged interfaces. If you configure a Bridge interface with an IP address on a Security Gateway (not on Cluster Members), the Bridge interface functions as a regular Layer 3 interface. It participates in IP routing decisions on the Security Gateway and supports Layer 3 routing.

Cluster deployments do not support this configuration.
You cannot configure the Bridge interface to be the nexthop gateway for a route.
A Security Gateway can support multiple Bridge interfaces, but only one Bridge interface can have an IP address.
A Security Gateway cannot filter or transmit packets that it inspected before on a Bridge interface (to avoid double-inspection).

Procedure for Security Gateways R80.10

Configure the Security Gateway to reroute packets on the Bridge interface. Set the value of the kernel parameter fwx_bridge_reroute_enabled to 1. The Security Gateway makes sure that the MD5 hash of the packet that leaves the Management Interface and enters the Bridge interface is the same. Other packets in this connection are handled by the Bridge interface without using the router.

Notes:

To make the change permanent (to survive reboot), you configure the value of the required kernel parameter in the configuration file. This change applies only after a reboot.
To apply the change on-the-fly (does not survive reboot), you configure the value of the required kernel parameter with the applicable command.

Procedure:

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to the Expert mode.
3	Modify the `$FWDIR/boot/modules/fwkern.conf` file.
3A	Back up the current `$FWDIR/boot/modules/fwkern.conf` file: `# cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}` Important - If this file does not exit, create it. Run: `# touch $FWDIR/boot/modules/fwkern.conf`
3B	Edit the current `$FWDIR/boot/modules/fwkern.conf` file: `# vi $FWDIR/boot/modules/fwkern.conf`
3C	Add this line in the file: `fwx_bridge_reroute_enabled=1` Important - This configuration file does not support spaces or comments.
3D	Save the changes in the file.
3E	exit the Vi editor.
4	Set the value of the required kernel parameter on-the-fly: `# fw ctl set int fwx_bridge_reroute_enabled 1`
5	Make sure the Security Gateway loaded the new configuration: `# fw ctl get int fwx_bridge_reroute_enabled`
6	Reboot the Security Gateway when possible. After reboot, make sure the Security Gateway loaded the new configuration: `# fw ctl get int fwx_bridge_reroute_enabled`

Procedure for Security Gateways R77.10, R77.20 and R77.30

To resolve this issue, configure the Security Gateway to recognize that the first packet is from the Management Interface. The Security Gateway makes sure that the MD5 hash of the packet that leaves the Management Interface and enters the Bridge interface is the same. Other packets in this connection are handled by the Bridge interface without using the router.

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to the Expert mode.
3	Modify the `$FWDIR/boot/modules/fwkern.conf` file.
3A	Back up the current `$FWDIR/boot/modules/fwkern.conf` file: `# cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}` Important - If this file does not exit, create it. Run: `# touch $FWDIR/boot/modules/fwkern.conf`
3B	Edit the current `$FWDIR/boot/modules/fwkern.conf` file: `# vi $FWDIR/boot/modules/fwkern.conf`
3C	Add the applicable line in the file. Important - This configuration file does not support spaces or comments. For IPv4 traffic: `fwx_bridge_reroute_ipv4=<`IPv4 address of the Management interface on the Security Gateway`>` For IPv6 traffic: `fwx_bridge_reroute_ipv6=<`IPv6 address of the Management interface on the Security Gateway`>`
3D	Save the changes in the file.
3E	exit the Vi editor.
4	Reboot the Security Gateway.
5	Make sure the Security Gateway loaded the new configuration: `# fw ctl get int fwx_bridge_reroute_ipv4` `# fw ctl get int fwx_bridge_reroute_ipv6`

Procedure for Security Gateways R77 and Lower

To resolve this issue, you can disable inspection on the Management Interface and disable local Anti-Spoofing.

Important - This procedure removes inspection from the Management Interface and could compromise Security Gateway's security. If you are unsure whether your environment is safe to use this method, contact Check Point Support.

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to the Expert mode.
3	Modify the `$PPKDIR/boot/modules/simkern.conf` file.
3A	Back up the current `$PPKDIR/boot/modules/simkern.conf` file: `# cp -v $PPKDIR/boot/modules/simkern.conf{,_BKP}` Important - If the file does not exist, create it: `# touch $PPKDIR/boot/modules/simkern.conf`
3B	Edit the current `$PPKDIR/boot/modules/simkern.conf` file: `# vi $PPKDIR/boot/modules/simkern.conf`
3C	Add this line: `simlinux_excluded_ifs_list=<`Name of Management Interface> Notes: This configuration file does not support spaces or comments. This change excludes the Management Interface from SecureXL (see sk33541).
3D	Save the changes and exit the Vi editor.
4	Modify the $`FWDIR/boot/modules/fwkern.conf` file.
4A	Back up the current $`FWDIR/boot/modules/fwkern.conf` file: `# cp -v` $`FWDIR/boot/modules/fwkern.conf{,_BKP}` Important - If the file does not exist, create it: `# touch` $`FWDIR/boot/modules/fwkern.conf`
4B	Edit the current $`FWDIR/boot/modules/fwkern.conf` file: `# vi` $`FWDIR/boot/modules/fwkern.conf`
4C	Add these three lines: `fwx_bridge_use_routing=0` `fw_local_interface_anti_spoofing=0` `fwlinux_excluded_ifs_list=<`Name of Management Interface> Notes: This configuration file does not support spaces or comments. This change disables routing on Bridge interfaces. This change disables local Anti-Spoofing. This change excludes the Management Interface from Firewall (see sk33541).
4D	Save the changes and exit the Vi editor.
5	Reboot the Security Gateway.