Configuring Bridge Interfaces in Gaia Clish

In Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)., bond interfaces are called bridging groups.

Notes:

You configure an IP address on a Bridging Group in the same way as you do on a physical interface (see Physical Interfaces).
The name of a Bridge interface in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. is "br<Bridge Group ID>".

For example, the name of a bridge interface with a Bridge Group ID of 5 is "br5".
To configure MTU on a Bridge subordinate interface, you must configure MTU on the Bridge interface.

This MTU applies to all subordinate interfaces assigned to this Bridge interface.
For additional information:
- For Security Gateways or ClusterXL - see the R81.20 Installation and Upgrade Guide > Chapter Special Scenarios for Security Gateways > Section Deploying a Security Gateway or a ClusterXL in Bridge Mode.
- For Security Groups on Quantum Maestro - see the R81.20 Maestro Administration Guide > Chapter Deploying a Security Group in Bridge Mode.
- For Security Groups on Scalable Chassis - see the R81.20 Scalable Chassis Administration Guide > Chapter Deploying a Security Group in Bridge Mode.

Important:

On Scalable Platforms, you must run the applicable commands in Gaia gClish of the applicable Security Group.
Warning - This procedure requires a system reboot. Perform this procedure during a maintenance window to minimize impact on production environments.

On Scalable Platforms, if SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. works in the KPPAK mode, and it is necessary to configure 32 or more Bridge interfaces, then before you configure Bridge interfaces #32 and greater, you must configure the value of the kernel parameter "fwha_pending_queue_extend_len_factor" to "64".
- Syntax in Gaia gClish:
  
  update_conf_file fwkern.conf fwha_pending_queue_extend_len_factor=64
- Syntax in the Expert mode:
  
  g_update_conf_file fwkern.conf fwha_pending_queue_extend_len_factor=64

Procedure

Step

Instructions

Connect to the command line on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., Cluster Member Security Gateway that is part of a cluster., or Security Group.

Make sure that the subordinate interfaces, which you wish to add to the Bridge interface, do not have IP addresses assigned:

show interface <Name of Subordinate Interface> ipv4-address

show interface <Name of Subordinate Interface> ipv6-address

Add a new bridging group:

add bridging group <Bridge Group ID 0 - 1024>

Note - Do not change the state of bond interface manually using the "set interface <Bridge Group ID> state" command. This is done automatically by the bridging driver.

Add subordinate interfaces to the new bridging group:

add bridging group <Bridge Group ID> interface <Name of First Subordinate Interface>

add bridging group <Bridge Group ID> interface <Name of Second Subordinate Interface>

Notes:

Do not select the interface that you configured as Gaia Management Interface (1) Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member. (2) Interface on Gaia computer, through which users connect to Gaia Portal or CLI..
Only Ethernet, VLAN, and Bond interfaces can be added to a bridge group.
A Bridge interface in Gaia can contain only two subordinate interfaces.

Assign an IP address to the bridging group.

Note - You configure an IP address on a Bridging Group in the same way as you do on a physical interface (see Physical Interfaces).

To assign an IPv4 address, run:

set interface <Name of Bridging Group> ipv4-address <IPv4 Address> {subnet-mask <Mask> | mask-length <Mask Length>}

You can optionally configure the bridging group to obtain an IPv4 Address automatically.

To assign an IPv6 address, run:

set interface <Name of Bridging Group> ipv6-address <IPv6 Address> mask-length <Mask Length>

You can optionally configure the bridging group to obtain an IPv6 Address automatically.

Important - First, you must enable the IPv6 Support and reboot (see System Configuration).

Save the configuration:

save config

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Syntax

Deleting the bridging group

Syntax

delete bridging group <Bridge Group ID>

Notes:

You must delete all subordinate interfaces from the bridging group before you delete the bridging group.
Do not change the state of bond interface manually using the "set interface <Bridge Group ID> state" command. This is done automatically by the bridging driver.

Example

gaia> delete bridging group 56

Parameters

CLI Parameters

Parameter

Description

<Bridge Group ID>

Configures the Bridge Group ID.

Range: 0 - 1024
Default: No default value

<Name of Bridge Interface>

Configures the name of the Bridge interface.

<Name of Subordinate Interface>

Specifies a physical subordinate interface.

comments "Text"

Configures an optional free text comment.

Write the text in double quotes.
Text must be up to 100 characters.
This comment appears in the Gaia Portal Web interface for the Check Point Gaia operating system. and in the output of the show configuration command.

ipv4-address <IPv4 Address>

Configures the IPv4 address.

ipv6-address <IPv6 Address>

Configures the IPv6 address.

Important - First, you must enable the IPv6 Support and reboot (see System Configuration).

subnet-mask <Mask>

Configures the IPv4 subnet mask using dotted decimal notation (X.X.X.X).

mask-length <Mask Length>

Configures the IPv4 or IPv6 subnet mask length using the CIDR notation (integer between 2 and 32).

ipv6-autoconfig {on | off}

Configures if this interface gets an IPv6 address from a DHCPv6 Server:

on - Gets an IPv6 address from a DHCPv6 Server
off - Does not get an IPv6 address from a DHCPv6 Server (you must assign it manually)

Important - First, you must enable the IPv6 Support and reboot (see System Configuration).

mac-addr <MAC Address>

Configures the hardware MAC address.

mtu <68-16000 | 1280-16000>

Configures the Maximum Transmission Unit size for an interface.

For IPv4:

Range: 68 - 16000 bytes
Default: 1500 bytes

For IPv6:

Range: 1280 - 16000 bytes
Default: 1500 bytes

rx-ringsize <0-4096>

Configures the receive buffer size.

Range: 0 - 4096 bytes
Default: Depends on the interface driver

tx-ringsize <0-4096>

Configures the transmit buffer size.

Range: 0 - 4096 bytes
Default: Depends on the interface driver

Example

gaia> add bridging group 56 interface eth1
gaia> set interface br1 ipv6-address 3000:40::1 mask-length 64
gaia> show bridging groups
gaia> delete bridging group 56 interface eth1
gaia> delete bridging group 56