Working with Interface Definitions

All VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateways and Virtual Routers and Virtual Switches contain at least one interface definition.

Typically, you define the interfaces during the process of configuring the topology for a given object.

Warp interfaces, however, are created automatically based on Virtual DeviceClosed Logical object that emulates the functionality of a type of physical network object. Virtual Device can be on of these: Virtual Router, Virtual System, or Virtual Switch. definitions and their topology.

You cannot modify or delete a Warp interface.

Adding a New Interface

The procedure and options for defining an interface vary according to the object and the network topology.

Some properties and pages are not available for certain interface definitions.

To add a new interface:

  1. Open the Virtual Device object.

  2. From the navigation tree, click Topology.

  3. From the Interfaces section, click New and select one of these options:

    • Regular

    • Leads to Virtual Router

    • Leads to Virtual Switch

    The Interface Properties window for the selected option opens.

  4. Configure the applicable settings (see below).

  5. Click OK.

  6. Install the applicable Access Control Policy.

The General tab defines the network connections associated with an interface.

One or more of these properties show, depending on the context.

  • Interface: Select a physical interface from the list (physical interfaces only).

  • VLAN Tag: VLAN tag associated with the defined interface.

  • IP Address and Net Mask: IP address and net mask of the device associated with the interface.

  • Propagate route to adjacent Virtual Devices: Enable to "advertise" the associated device to neighboring devices, thereby enabling connectivity between them. See VSX Routing Concepts.

  • MTU: Maximum transmission unit size in bytes (default = 1,500).

The General tab for interface connections leading to Virtual Routers or Virtual Switches contains connection properties specific to those Virtual Devices.

For some interface types, you can change some or all of these topology properties:

  • External: The interface leads to external networks or to the Internet.

  • Internal: The interface leads to internal networks or a DMZ:

    • Not Defined: All IP addresses behind this interface are considered a part of the internal network that connects to this interface.

    • Network defined by the interface IP and Net Mask: Only the network that directly connects to this internal interface.

    • Network defined by routes: The Virtual System dynamically calculates the topology for this interface.

      Note - To see this option, you must clear the option Calculate topology automatically based on routing information in the Virtual System object.

    • Specific: A specific object (a Host, a Network, a Network Group, an Address Range).

    • Interface leads to DMZ: Defines an interface as leading to a DMZ, which isolates a vulnerable, externally accessible resource from the rest of a protected, internal network.

Attackers can gain access to protected networks by falsifying or "spoofing" a trusted source IP address with high access privileges. It is important to configure Anti-Spoofing protection for VSX Gateways and Virtual Systems, including internal interfaces. You can configure Anti-Spoofing for an interface, provided that the topology for the interface is properly defined.

If you are using dynamic routing, disable the Calculate topology automatically based on routing information option, and manually configure the topology of the Virtual System.

To enable Anti-Spoofing for an interface:

  1. From the Topology tab in the Interface Properties window, select Perform Anti-Spoofing based on interface topology.

  2. Configure the tracking options.

IP multicast applications send one copy of each datagram (IP packet) and address it to a group of computers that wish to receive it. Multicast restrictions allow you to define rules that block outbound datagrams from specific multicast groups (IP address ranges). You can define multicast access restrictions for physical and Warp interfaces in a VSX environment.

 

From

To

IPv4 (defined in RFC 1112)

224.0.0.0

239.255.255.255

IPv6

ff00::

ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

To enable multicast restrictions:

  1. From the Multicast Restrictions tab in the Interface Properties window, select Drop multicast packets by the following conditions.

  1. Select a restriction type:

    • Drop multicast packets whose destination is in the list

    • Drop all multicast packets except those whose destination is in the list

  2. Click Add.

    The Add Object window opens.

  3. Click New > Multicast Address Range.

    The Multicast Address Range Properties window opens.

  4. Configure these settings:

    • Name

    • Type

    • If you selected IP Address Range, enter the First and Last IP addresses.

  5. Click OK.

  6. From the Interface Properties window, select a tracking option.

  7. Click OK and close the General Properties window.

  8. Add a ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. to the Access Control Policy that allows traffic for the specified multicast groups.

Changing an Interface Definition

This section presents procedures for modifying existing interface definitions and related features.

Interfaces definitions are always associated with a VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. or a Virtual System definition.

To change an existing interface definition:

  1. Double-click the interface in the Interfaces section.

  2. In the Interface Properties window, define the interface properties.

  3. Click OK.

  4. Install the applicable Access Control Policy.

Deleting an Interface

To delete an interface:

  1. From the Topology page, select the interface and click Delete.

  2. Click OK.

  3. Install the applicable Access Control Policy.