Configuring a Single Security Gateway in Bridge Mode

Note - This procedure applies to both Check Point Appliances and Open Servers.

Item	Description
1	Network, which an administrator needs to divide into two Layer 2 segments. The Security Gateway in Bridge Mode connects between these segments.
2	First network segment.
3	Switch that connects the first network segment to one bridged slave interface (4) on the Security Gateway in Bridge Mode.
4	One bridged slave interface (for example, `eth1`) on the Security Gateway in Bridge Mode.
5	Security Gateway in Bridge Mode.
6	Another bridged slave interface (for example, `eth2`) on the Security Gateway in Bridge Mode.
7	Dedicated Gaia Management Interface (for example, `eth0`) on the Security Gateway.
8	Switch that connects the second network segment to the other bridged slave interface (6) on the Security Gateway in Bridge Mode.
9	Second network segment.

Workflow:

Install the Security Gateway.
Configure the Bridge interface - in Gaia Portal, or Gaia Clish.
Configure the Security Gateway in SmartConsole - in Wizard Mode, or Classic Mode.
Configure the applicable policy for the Security Gateway in SmartConsole.

Step 1 of 4: Install the Security Gateway

Step	Description
1	Install the Gaia Operating System: Installing the Gaia Operating System on a Check Point Appliance Installing the Gaia Operating System on an Open Server
2	Run the Gaia First Time Configuration Wizard.
3	During the First Time Configuration Wizard, you must configure these settings: In the Management Connection window, select the interface, through which you connect to Gaia operating system. In the Internet Connection window, do not configure IP addresses. In the Installation Type window, select Security Gateway and/or Security Management. In the Products window: In the Products section, select Security Gateway only. In the Clustering section, clear Unit is a part of a cluster, type. In the Dynamically Assigned IP window, select No. In the Secure Internal Communication window, enter the desired Activation Key (between 4 and 127 characters long).

Step

Description

Install the Gaia Operating System:

Run the Gaia First Time Configuration Wizard.

During the First Time Configuration Wizard, you must configure these settings:

In the Management Connection window, select the interface, through which you connect to Gaia operating system.
In the Internet Connection window, do not configure IP addresses.
In the Installation Type window, select Security Gateway and/or Security Management.
In the Products window:
1. In the Products section, select Security Gateway only.
2. In the Clustering section, clear Unit is a part of a cluster, type.
In the Dynamically Assigned IP window, select No.
In the Secure Internal Communication window, enter the desired Activation Key (between 4 and 127 characters long).

Step 2 of 4: Configure the Bridge interface in Gaia Portal:

Step	Description
1	In your web browser, connect to the Gaia Portal on the Security Gateway.
2	In the left navigation tree, click Network Management > Network Interfaces.
3	Make sure that the interfaces, which you wish to add as slaves of the Bridge interface, do not have IP addresses assigned to them.
4	Click Add > Bridge. To configure an existing Bridge interface, select the Bridge interface and click Edit.
5	On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
6	Select the interfaces from the Available Interfaces list and then click Add. Notes: A Bridge interface in Gaia can contain only two slave interfaces. Do not select the interface that you configured as Gaia Management Interface.
7	On the IPv4 tab, enter the IPv4 address and subnet mask.
8	On the IPv6 tab (optional), enter the IPv6 address and mask length. Important - First, you must enable the IPv6 Support in Gaia and reboot.
9	Click OK.

Step 2 of 4: Configure the Bridge interface in Gaia Clish:

Step	Description
1	Connect to the command line on the Security Gateway.
2	Log in to Gaia Clish.
3	Make sure that the interfaces, which you wish to add as slaves of the Bridge interface, do not have IP addresses assigned to them. Run: `show interface <`Name of Interface`> ipv4-address` `show interface <`Name of Interface`> ipv6-address`
4	Add a new bridging group. Run: `add bridging group <`Bridge Group ID 0 - 1024`>`
5	Add the slave interfaces to the new bridging group: `add bridging group <`Bridge Group ID`> interface <`Name of First Slave Interface`>` `add bridging group <`Bridge Group ID`> interface <`Name of Second Slave Interface`>`
6	Assign an IP address to the bridging group. To assign an IPv4 address, run: `set interface <`Name of Bridge Interface`> ipv4-address <`IPv4 Address`> {subnet-mask <`Mask`> \| mask-length <`Mask Length`>}` To assign an IPv6 address, run: `set interface <`Name of Bridge Interface`> ipv6-address <`IPv6 Address`> mask-length <`Mask Length`>`
7	Save the configuration. Run: `save config`

Step 3 of 4: Configure the Security Gateway object in SmartConsole - Wizard Mode

Step	Description
1	Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Gateway.
2	From the left navigation panel, click Gateways & Servers.
3	Create a new Security Gateway object in one of these ways: From the top toolbar, click the New () > Gateway. In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway. In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4	In the Check Point Security Gateway Creation window, click Wizard Mode.
5	On the General Properties page: In the Gateway name field, enter the desired name for this Security Gateway object. In the Gateway platform field, select the correct hardware type. In the Gateway IP address section, select Static IP address and configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses. Click Next.
6	On the Trusted Communication page: Select the applicable option: If you selected Initiate trusted communication now, enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard. If you selected Skip and initiate trusted communication later, make sure to follow Step 7. Click Next.
7	On the End page: Examine the Configuration Summary. Select Edit Gateway properties for further configuration. Click Finish. Check Point Gateway properties window opens on the General Properties page.
8	If during the Wizard Mode, you selected Skip and initiate trusted communication later: The Secure Internal Communication field shows `Uninitialized`. Click Communication. In the Platform field: Select Open server / Appliance for all Check Point appliances models except 1100, 1200R, and 1400. Select Open server / Appliance for an Open Server. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard. Click Initialize. Make sure the Certificate state field shows `Established`. Click OK.
9	On the Network Security tab, enable the additional desired Software Blades. Important: See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode. Do not select anything on the Management tab.
10	On the Network Management page, configure the Topology of the Bridge interface. Notes: If a Bridge interface connects to the Internet, set the Topology to External. If you use this Bridge Security Gateway object in Access Control Policy rules with Internet objects, set the Topology to External.
11	Click OK.
12	Publish the SmartConsole session.

Step 3 of 4: Configure the Security Gateway object in SmartConsole - Classic Mode

Step	Description
1	Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this Security Gateway.
2	From the left navigation panel, click Gateways & Servers.
3	Create a new Security Gateway object in one of these ways: From the top toolbar, click the New () > Gateway. In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > New Gateway. In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Gateway.
4	In the Check Point Security Gateway Creation window, click Classic Mode. Check Point Gateway properties window opens on the General Properties page.
5	In the Name field, enter the desired name for this Security Gateway object.
6	In the IPv4 address and IPv6 address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Security Gateway's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.
7	Establish the Secure Internal Communication (SIC) between the Management Server and this Security Gateway: Near the Secure Internal Communication field, click Communication. In the Platform field: Select Open server / Appliance for all Check Point appliances models except 1100, 1200R, and 1400. Select Open server / Appliance for an Open Server. Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard. Click Initialize. Click OK.
	If the Certificate state field does not show `Established`, perform these steps: Connect to the command line on the Security Gateway. Make sure there is a physical connectivity between the Security Gateway and the Management Server (for example, pings can pass). Run: `cpconfig` Enter the number of this option: `Secure Internal Communication`. Follow the instructions on the screen to change the Activation Key. In the SmartConsole, click Reset. Enter the same Activation Key you entered in the `cpconfig` menu. Click Initialize.
8	In the Platform section, select the correct options: In the Hardware field: If you install the Security Gateway on a Check Point Appliance, select the correct appliances series. If you install the Security Gateway on an Open Server, select Open server. In the Version field, select R80.30. In the OS field, select Gaia.
9	On the Network Security tab, enable the additional desired Software Blades. Important: See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode. Do not select anything on the Management tab.
10	On the Network Management page, configure the Topology of the Bridge interface. Notes: If a Bridge interface connects to the Internet, set the Topology to External. If you configure this Bridge Security Gateway object is in Access Control Policy rules with Internet objects, set the Topology to External.
11	Click OK.
12	Publish the SmartConsole session.

Step 4 of 4: Configure the applicable policy for the Security Gateway in SmartConsole

Step	Description
1	Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Gateway.
2	From the left navigation panel, click Security Policies.
3	Create a new policy and configure the applicable layers: At the top, click the + tab (or press CTRL T). On the Manage Policies tab, click Manage policies and layers. In the Manage policies and layers window, create a new policy and configure the applicable layers. Click Close. On the Manage Policies tab, click the new policy you created.
4	Create the applicable Access Control rules. Important - See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode.
5	Install the Access Control Policy on the Security Gateway object.

For more information, see the:

R80.30 Gaia Administration Guide.
R80.30 Security Management Administration Guide.
Applicable Administration Guides on the R80.30 Home Page.