Adding a New Interface

Important:

  • Virtual Routers are not supported (Known Limitations 01413513).

  • Virtual Switches are supported only from R80.20SP Jumbo Hotfix Accumulator Take 178 (Known Limitation MBS-5214).

The procedure and options for defining an interface vary according to the object and the network topology.

Some properties and pages are not available for certain interface definitions.

To add a new interface:

  1. Open the Gateway Properties window for the Virtual Device (a logical object that emulates the functionality of a type of physical network object; it can be a Virtual Router, Virtual System, or Virtual Switch).

  2. From the navigation tree, click Topology.

    The Topology page opens.

  3. From the Interfaces section, click New and select one of these options:

    • Regular

    • Leads to Virtual Router

    • Leads to Virtual Switch

    The Interface Properties window for the selected option opens.

Configuring Connection Properties - General

The General tab defines the network connections associated with an interface.

One or more of these properties show, depending on the context.

  • Interface: Select a physical interface from the list (physical interfaces only).

  • VLAN Tag: VLAN tag associated with the defined interface.

  • IP Address and Net Mask: IP address and net mask of the device associated with the interface.

  • Propagate route to adjacent Virtual Devices: Enable to "advertise" the associated device to neighboring devices, thereby enabling connectivity between them. See Route Propagation for additional details.

  • MTU: Maximum transmission unit size in bytes (default = 1,500).

Configuring Connections Leading to Virtual Routers and Virtual Switches

The General tab for interface connections leading to Virtual Routers or Virtual Switches contains connection properties specific to those Virtual Devices.

Configuring Interface Topology

For some interface types, you can change some or all of these topology properties:

  • External: The interface leads to external networks or to the Internet.

  • Internal: The interface leads to internal networks or a DMZ, and includes these properties:

    • Not Defined: IP routing is not defined for this device.

    • Network: Routing is defined by the IP and net mask defined in General Properties.

    • Specific: Routing is defined by a specific network or network group.

    • Interface leads to DMZ: Defines an interface as leading to a DMZ, which isolates a vulnerable, externally accessible resource from the rest of a protected, internal network.

Configuring Anti-Spoofing

Attackers can gain access to protected networks by falsifying or "spoofing" a trusted source IP address with high access privileges. It is important to configure Anti-Spoofing protection for VSX (Virtual System Extension) Gateways and Virtual Systems, including internal interfaces. You can configure Anti-Spoofing for an interface, provided that the topology for the interface is properly defined.

If you are using dynamic routing, disable the Calculate topology automatically based on routing information option, and manually configure the topology of the Virtual System.

To enable Anti-Spoofing for an interface:

  1. From the Topology tab in the Interface Properties window, select Perform Anti-Spoofing based on interface topology.

  2. Configure the tracking options.
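The following reference model of topology-based anti-spoofing is an added example, not Check Point code: a packet is legitimate on an Internal interface only if its source lies in the networks defined for that interface, and on an External interface only if its source does not belong to any internal network. The interface names and networks are constructed sample data.

```python
"""Reference model of interface-topology anti-spoofing (added example)."""
import ipaddress
from typing import Iterable, Optional


def _nets(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


class Interface:
    def __init__(self, name: str, topology: str, networks: Iterable[str] = ()):
        # topology: "external" or "internal".
        # networks: the CIDRs behind an internal interface (the Network or
        # Specific setting); an internal interface with no networks is the
        # "Not Defined" case, for which anti-spoofing cannot be evaluated.
        self.name = name
        self.topology = topology
        self.networks = _nets(networks)


# Constructed sample topology (hypothetical names and addresses).
IFACES = [
    Interface("eth0", "external"),
    Interface("eth1", "internal", ["10.1.0.0/16"]),
    Interface("eth2", "internal", ["192.168.5.0/24"]),
    Interface("eth3", "internal"),            # topology Not Defined
]


def is_spoofed(ifaces, ingress: str, src: str) -> Optional[bool]:
    """True if src arriving on ingress violates the interface topology,
    False if it is consistent, None if the topology is Not Defined."""
    addr = ipaddress.ip_address(src)
    iface = next(i for i in ifaces if i.name == ingress)
    if iface.topology == "internal":
        if not iface.networks:
            return None
        # Internal interface: the source must come from behind it.
        return not any(addr in n for n in iface.networks)
    # External interface: a source claimed by any internal network is spoofed.
    internal = [n for i in ifaces if i.topology == "internal" for n in i.networks]
    return any(addr in n for n in internal)


def verdict(ifaces, ingress: str, src: str, track: str = "log"):
    """Apply the check and produce the tracking record (log line or None)."""
    spoofed = is_spoofed(ifaces, ingress, src)
    if spoofed is None:
        return "not-enforced", f"{ingress}: topology Not Defined, anti-spoofing skipped"
    if not spoofed:
        return "accept", None
    log = f"anti-spoofing: drop src={src} on {ingress}" if track == "log" else None
    return "drop", log
```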

Configuring Multicast Restrictions

IP multicasting applications send one copy of each datagram (IP packet) and address it to a group of computers that wish to receive it. Multicast restrictions allow you to define rules that block outbound datagrams from specific multicast groups (IP address ranges). You can define multicast access restrictions for physical and Warp interfaces in a VSX environment.

Multicast address ranges:

  Protocol                  From         To
  IPv4 (defined in RFC 1112) 224.0.0.0    239.255.255.255
  IPv6                       ff00::       ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

To enable multicast restrictions:

  1. From the Multicast Restrictions tab in the Interface Properties window, select Drop multicast packets by the following conditions.

  2. Select a restriction type:

    • Drop multicast packets whose destination is in the list

    • Drop all multicast packets except those whose destination is in the list

  3. Click Add.

    The Add Object window opens.

  4. Click New > Multicast Address Range.

    The Multicast Address Range Properties window opens.

  5. Configure these settings:

    • Name

    • Type

    • If you selected IP Address Range, enter the First and Last IP addresses.

  6. Click OK.

  7. From the Interface Properties window, select a tracking option.

  8. Click OK and close the General Properties window.

  9. Add a rule to the Rule Base that allows traffic for the specified multicast groups and install the policy.
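The two restriction types above, modelled over the multicast ranges from the table, as an added example (not Check Point code): only destinations inside the IPv4 or IPv6 multicast space are subject to the restriction, unicast is never affected, and the tracking option decides whether a drop is logged. The address range objects and packet destinations are constructed sample data.

```python
"""Reference model of the Multicast Restrictions modes (added example)."""
import ipaddress

# Multicast address space as given in the table (RFC 1112 for IPv4).
MULTICAST_V4 = (ipaddress.ip_address("224.0.0.0"),
                ipaddress.ip_address("239.255.255.255"))
MULTICAST_V6 = (ipaddress.ip_address("ff00::"),
                ipaddress.ip_address("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))

# Constructed sample Multicast Address Range objects: (First, Last) pairs.
RANGES = [
    ("239.1.1.0", "239.1.1.255"),
    ("ff15::", "ff15:ffff:ffff:ffff:ffff:ffff:ffff:ffff"),
]


def is_multicast(dst) -> bool:
    addr = ipaddress.ip_address(dst)
    lo, hi = MULTICAST_V4 if addr.version == 4 else MULTICAST_V6
    return lo <= addr <= hi


def in_ranges(addr, ranges) -> bool:
    """True if addr falls inside any (First, Last) range of the same IP version."""
    return any(
        ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)
        for first, last in ranges
        if ipaddress.ip_address(first).version == addr.version
    )


def multicast_verdict(dst, mode: str, ranges, track: str = "log"):
    """mode 'drop_listed': drop multicast packets whose destination is in the list.
    mode 'drop_unlisted': drop all multicast packets except those in the list.
    Returns (action, log_line); log_line is None when nothing is tracked."""
    if mode not in ("drop_listed", "drop_unlisted"):
        raise ValueError(f"unknown restriction type: {mode}")
    addr = ipaddress.ip_address(dst)
    if not is_multicast(addr):
        return "accept", None          # restrictions never apply to unicast
    listed = in_ranges(addr, ranges)
    drop = listed if mode == "drop_listed" else not listed
    if not drop:
        return "accept", None
    log = f"multicast restriction: drop dst={addr} mode={mode}" if track == "log" else None
    return "drop", log
```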

Changing an Interface Definition

This section presents procedures for modifying existing interface definitions and related features.

Changing an Interface

Interface definitions are always associated with a Virtual Gateway or a Virtual System definition.

To work with an existing interface definition:

  1. Double-click the interface in the Interfaces section.

  2. In the Interface Properties window, change the settings as described in Adding a New Interface.

Deleting an Interface

To delete an interface:

  1. From the Topology page, select the interface and click Delete.

  2. Click OK.