https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216524#M4808 <P>thanks so much !!!</P> Wed, 05 Jun 2024 13:27:15 GMT Gongya_Yu 2024-06-05T13:27:15Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216146#M4801 <P>In the following cluster interface configuration, does eth1 pass the data traffic ?<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CP-cluster-int-conf.PNG" style="width: 823px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26030i2195C5E4926505DE/image-size/large?v=v2&amp;px=999" role="button" title="CP-cluster-int-conf.PNG" alt="CP-cluster-int-conf.PNG" /></span></P><P>if I have two route tables, one for eth0 and the other one for eth1. one route table for eth0 with a default route pointing to eni-eth0 and subnet association with 172.16.11.0/24, the other route table for eth1 with a default route pointing to eni-eth1 and subnet association with 172.16.10.0/24. Any issue with this ?<BR /><BR />thanks so much !!</P> Mon, 03 Jun 2024 04:18:55 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216146#M4801 Gongya_Yu 2024-06-03T04:18:55Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216198#M4802 <P>Hi,</P> <P>I could answer better if you may share more details. "Leads To" writes to Azure but ENI is AWS term while in Azure we usually route to load balancer.&nbsp;Some of the configuration also depends on version.</P> <P>&nbsp;</P> <P>In general, the default route to ENI directs all traffic to be inspected. All traffic directed at your VPC/VNET through the front end subnet will be directed to the solution. For backend, putting ENI as default for internal subnets will ensure EW inspection as well as NS.</P> Mon, 03 Jun 2024 10:50:46 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216198#M4802 Amir_Senn 2024-06-03T10:50:46Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216251#M4803 <P>I have the following which is very close to our prod.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eth-int-topology.PNG" style="width: 795px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26050i14F90086D9702B00/image-size/large?v=v2&amp;px=999" role="button" title="eth-int-topology.PNG" alt="eth-int-topology.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eth-RT.PNG" style="width: 456px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26051i7FFDC4E4F6122654/image-size/large?v=v2&amp;px=999" role="button" title="eth-RT.PNG" alt="eth-RT.PNG" /></span></P><P>Right now the firewall works as one-armed.</P><P>Question 1: if the interface is defined to be sync only, does that interface still pass data traffic ?<BR />Question 2: when is eth1-RT used ?&nbsp; I am wondering eth1-RT is not used here at all.<BR /><BR />thanks a lot !!</P> Mon, 03 Jun 2024 16:12:54 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216251#M4803 Gongya_Yu 2024-06-03T16:12:54Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216322#M4804 <P>Hi,</P> <P>yes , sync interfaces also pass data traffic. if they are configured as sync the the connections sync is also passing on those interfaces.</P> <P>you routing configuration is not correct. you should only have one default route (towards eth0 GW). You need to delete the other default route because it will cause routing issues (traffic is spread to both interfaces).</P> Tue, 04 Jun 2024 09:09:34 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216322#M4804 Nir_Shamir 2024-06-04T09:09:34Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216350#M4805 <P>thanks a million.</P><P>This is what I like to confirm.&nbsp;<BR />Even though we did not get any issue, I still like to confirm the correct way to do.&nbsp;&nbsp;</P><P>thanks again !!</P> Tue, 04 Jun 2024 12:05:40 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216350#M4805 Gongya_Yu 2024-06-04T12:05:40Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216426#M4806 <P>One more question to bother, for the cluster, still only one default route is needed ? If default route points to Member A interface for next-hop, what happens if member A fails ?</P><P>thanks a lot !!</P> Tue, 04 Jun 2024 18:21:33 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216426#M4806 Gongya_Yu 2024-06-04T18:21:33Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216451#M4807 <P>in AWS Cluster the default is pointing to the ACTIVE member of the cluster. when there's a failover happens we push out an API to AWS and change the default route to the new ACTIVE member.</P> Wed, 05 Jun 2024 05:11:28 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216451#M4807 Nir_Shamir 2024-06-05T05:11:28Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216524#M4808 <P>thanks so much !!!</P> Wed, 05 Jun 2024 13:27:15 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-cluster-interface-configuration/m-p/216524#M4808 Gongya_Yu 2024-06-05T13:27:15Z