Managing a Security Gateway through the Bridge Interface

Packet flow

  1. The Security Management Server sends a management packet to the Management Interface on the Security Gateway.

    This Management Interface is configured as a Bridge interface.

  2. The Security Gateway inspects the first management packet it receives on the first subordinate interface of the Bridge interface.

  3. The Security Gateway forwards the inspected management packet to the router through the second subordinate interface of the Bridge interface.

  4. The router sends the packet to the first subordinate interface of the Bridge interface.

  5. The Security Gateway concludes that this packet is a retransmission and drops it.

Procedure

Configure the Security Gateway to reroute packets on the Bridge interface.

Set the value of the kernel parameter "fwx_bridge_reroute_enabled" to 1.

The Security Gateway verifies that the MD5 hash of the packet that leaves the Management Interface is the same as the MD5 hash of the packet that re-enters the Bridge interface, so the returning packet is recognized as the rerouted packet and not as a retransmission.

Other packets in this connection are handled by the Bridge interface without using the router.

Notes:

  • To make the change permanent (to survive reboot), you configure the value of the required kernel parameter in the configuration file.

    This change applies only after a reboot.

  • To apply the change on-the-fly (does not survive reboot), you configure the value of the required kernel parameter with the applicable command.

Steps:

  1. Connect to the command line on the Security Gateway.

  2. Log in to the Expert mode.

  3. Modify the $FWDIR/boot/modules/fwkern.conf file:

      1. Back up the current $FWDIR/boot/modules/fwkern.conf file:

        cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

        If this file does not exist, create it:

        touch $FWDIR/boot/modules/fwkern.conf

      2. Edit the current $FWDIR/boot/modules/fwkern.conf file:

        vi $FWDIR/boot/modules/fwkern.conf

      3. Add this line in the file:

        fwx_bridge_reroute_enabled=1

        Important - This configuration file does not support spaces or comments.

      4. Save the changes in the file.

      5. Exit the Vi editor.

  4. Set the value of the required kernel parameter on-the-fly:

    fw ctl set int fwx_bridge_reroute_enabled 1

  5. Make sure the Security Gateway loaded the new configuration:

    fw ctl get int fwx_bridge_reroute_enabled

    The output must return:

    fwx_bridge_reroute_enabled = 1

  6. Reboot the Security Gateway when possible.

  7. After the reboot, make sure the Security Gateway loaded the new configuration:

    fw ctl get int fwx_bridge_reroute_enabled

    The output must return:

    fwx_bridge_reroute_enabled = 1
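The file edit and the verification step above, as an added shell example (not Check Point's own tooling): it backs up fwkern.conf, adds or replaces the parameter line while enforcing the "no spaces, no comments" rule, and checks the text that "fw ctl get int" prints. The file path and the captured command output are passed in as arguments, so the example runs on any host.

```shell
#!/bin/bash
# Added example, not part of the Check Point documentation.
set -eu

# set_fwkern_param FILE NAME VALUE
# Writes NAME=VALUE into FILE (creating it if needed), after saving a
# FILE_BKP copy as the procedure does. An existing NAME= line is replaced
# so the setting is not duplicated on repeated runs.
set_fwkern_param() {
    local file="$1" name="$2" value="$3" tmp
    # fwkern.conf does not support spaces or comments: refuse them.
    case "${name}${value}" in
        *[[:space:]#]*)
            echo "refusing: '${name}=${value}' contains a space or '#'" >&2
            return 1 ;;
    esac
    [ -f "$file" ] || touch "$file"
    cp "$file" "${file}_BKP"
    tmp="$(mktemp)"
    # Keep every line except a previous setting of this parameter.
    grep -v "^${name}=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# check_param_output NAME VALUE OUTPUT
# OUTPUT is the text printed by "fw ctl get int NAME" (captured by the
# caller). Returns 0 only when it reports exactly "NAME = VALUE".
check_param_output() {
    local name="$1" value="$2" output="$3"
    [ "$output" = "${name} = ${value}" ]
}

# Usage on a gateway (constructed illustration, commands not run here):
#   set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" fwx_bridge_reroute_enabled 1
#   fw ctl set int fwx_bridge_reroute_enabled 1
#   check_param_output fwx_bridge_reroute_enabled 1 "$(fw ctl get int fwx_bridge_reroute_enabled)"
```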