Accept, or Drop Ethernet Frames with Specific Protocols

By default, a Security Gateway in Bridge Mode (a gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology) passes Ethernet frames that carry protocols other than IPv4 (EtherType 0x0800), IPv6 (0x86DD), or ARP (0x0806).

You can configure a Security Group (a logical group of Security Appliances that appears to the production networks as a single Security Gateway) in Bridge Mode to either accept or drop Ethernet frames that carry specific protocols.

When Access Mode VLAN (VLAN translation) is configured, BPDU frames forwarded through the Bridge interface can reach the switch ports with the wrong VLAN tag. A switch that receives a BPDU with a mismatched VLAN can put the affected port into blocking mode.

In Active/Standby Bridge Mode only, you can disable BPDU forwarding on the Security Group to avoid this blocking:

Step 1. Connect to the command line on the applicable Security Group.

Step 2. Log in to the Expert mode.

Step 3. Back up the current /etc/rc.d/init.d/network file:

    cp -v /etc/rc.d/init.d/network{,_BKP}

Step 4. Edit the current /etc/rc.d/init.d/network file:

    vi /etc/rc.d/init.d/network

Step 5. After the line that sources the init functions:

    . /etc/init.d/functions

add this line:

    /sbin/sysctl -w net.bridge.bpdu_forwarding=0

Step 6. Save the changes in the file and exit the editor.

Step 7. Reboot the Security Group (this reboots all Security Group Members):

    reboot -b all

Step 8. Connect to the command line on the applicable Security Group.

Step 9. Log in to the Expert mode.

Step 10. Make sure the new configuration is loaded:

    sysctl net.bridge.bpdu_forwarding

The expected output:

    net.bridge.bpdu_forwarding = 0

Because the change lives in a vendor init script, repeat Step 10 after any software upgrade or hotfix that may replace /etc/rc.d/init.d/network.
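The edit in Steps 3 to 5 is easy to get wrong by hand (a typo in the sysctl line, or the line added twice on a second pass). The following POSIX shell script is an added example, not part of the Check Point page: it performs the backup and the insertion idempotently, refuses to touch a file that has no `. /etc/init.d/functions` anchor line, and offers a check that reads the running value the way Step 10 does. The function names, the `FILE` argument (defaulting to /etc/rc.d/init.d/network) and the `_BKP` suffix are assumptions for illustration; the `net.bridge.bpdu_forwarding` key only exists on the Check Point kernel, so the runtime check is expected to fail on a generic Linux host.

```shell
#!/bin/sh
# Added example (not Check Point's own tooling): idempotently insert the
# BPDU-forwarding sysctl into the network init script, as in Steps 3 to 5.
# Applies to Active/Standby Bridge Mode only, as the page states.

SYSCTL_LINE='/sbin/sysctl -w net.bridge.bpdu_forwarding=0'
ANCHOR='. /etc/init.d/functions'   # line after which the sysctl must go

# disable_bpdu_forwarding [FILE]
# Backs up FILE to FILE_BKP (same naming as the page's cp command), then
# inserts SYSCTL_LINE directly after the first line that sources
# /etc/init.d/functions. A second run is a no-op, so the line is never
# duplicated. Returns 1 and leaves the file untouched if the anchor is
# missing, so a script that has been restructured is not blindly edited.
disable_bpdu_forwarding() {
    f=${1:-/etc/rc.d/init.d/network}       # assumed default path (from the page)
    if grep -qF "$SYSCTL_LINE" "$f"; then
        return 0                           # already configured
    fi
    if ! grep -qF "$ANCHOR" "$f"; then
        return 1                           # anchor line not found
    fi
    cp "$f" "${f}_BKP"
    awk -v anchor="$ANCHOR" -v line="$SYSCTL_LINE" '
        { print }
        !done {
            t = $0; sub(/^[ \t]+/, "", t)  # tolerate indented anchor
            if (index(t, anchor) == 1) { print line; done = 1 }
        }
    ' "$f" > "${f}.tmp" && mv "${f}.tmp" "$f"
}

# bpdu_line_count [FILE]
# Prints how many times SYSCTL_LINE appears in FILE; 1 is the healthy value.
bpdu_line_count() {
    grep -cF "$SYSCTL_LINE" "${1:-/etc/rc.d/init.d/network}"
}

# bpdu_forwarding_is_off
# Mirrors Step 10: succeeds only if the running kernel reports the value 0.
# On a non-Check Point kernel the key does not exist and this returns 1.
bpdu_forwarding_is_off() {
    [ "$(sysctl -n net.bridge.bpdu_forwarding 2>/dev/null)" = "0" ]
}
```

Run `disable_bpdu_forwarding` in Expert mode before `reboot -b all`, and `bpdu_forwarding_is_off` after the reboot; the script deliberately does not call `sysctl -w` itself, because the page's procedure relies on the init script applying the setting at every boot, not on a one-off change that is lost at reboot.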