topic How to connect to MDS R80.10 through alternate interface ? in Firewall and Security Management

How to connect to MDS R80.10 through alternate interface ?

Francois_Beve — Wed, 26 Jul 2017 12:16:59 GMT

hello,

in R80.10, how to connect to MDS using another IP configured on any other interface than the MDS ip ?

Its working when connecting throught the Mgmt interface.

But not when tring through any other interface.

Customer indicated they had the same issue when configuring their MDS in R77.30 and a specific procedure has been applied to make it possible. Any idea how to do in R80.10?

see error message enclosed.

regardss

François.

Re: How to connect to MDS R80.10 through alternate interface ?

Peter_Sandkuijl — Wed, 26 Jul 2017 12:32:14 GMT

Check the R80.10 MDM manual and search for: Using More than one Interface on a Multi-Domain Server

Changing the Leading Interface
You define the leading interface during the installation procedure, but you can change it later. If you add a new interface to a Multi-Domain Server after installation, define the Leading Interface manually.
To add a New Leading Interface:
1. From the Multi-Domain Server command line, run: mdsconfig
2. Select Leading VIP Interfaces, and then select Add external IPv4 interface.
3. Enter the interface name and press Enter.
Changing the Leading Interface:
1. From the Multi-Domain Server command line, run: mdsconfig
2. Do steps 2-3, in the above procedure, to add new interface.
3. Select Leading VIP Interfaces.
4. Select Remove External IPv4 interface.
5. Enter the interface name to remove and press Enter.

Re: How to connect to MDS R80.10 through alternate interface ?

Eric_eric — Thu, 27 Jul 2017 08:09:21 GMT

Hello,

I have the same issue. I tested to add a leading interface but it's doesn't work.

Regards,

Eric

Re: How to connect to MDS R80.10 through alternate interface ?

Francois_Beve — Thu, 27 Jul 2017 09:47:45 GMT

Hello Eric, My customer also report adding a leading interface does not works.

At this step, I will recommend to engage support as the procedure is the official one described in Admin guide.

http://dl3.checkpoint.com/paid/27/2792d875783ad607cb7d593a6c335ec7/CP_R80.10_Multi-DomainSecurityManagement_AdminGuide.p…

Re: How to connect to MDS R80.10 through alternate interface ?

Demith_Samaraw2 — Mon, 23 Apr 2018 04:01:57 GMT

Did anyone find the solution for this, I also got the exact same issue, I can connect via MGMT, but i need a bond interface I have created to a leading interface, when i try to connect to Bond I also get the exact same error

Domain 'Failed to find domainIp x.x.x.x' not found!

Re: How to connect to MDS R80.10 through alternate interface ?

PhoneBoy — Wed, 25 Apr 2018 01:03:31 GMT

As suggested, it's best to open a TAC case on this.

Re: How to connect to MDS R80.10 through alternate interface ?

Vladimir — Wed, 25 Apr 2018 13:57:18 GMT

I am not sure if this is applicable or will work in your current situation, but if you are setting up a new MDS, you can try using this procedure:

Create a /32 loopback interface with routable IP.

Advertise it to your network using dynamic protocol(s).

Declare it to be a target for licensing.

This way you should be able to connect to the IP address different from that of the default management interface.

Declare this interface to be a Leading Interface and use the bundled physical interfaces for connectivity to the rest of your infrastructure.

I've made this work previously on SMS, but never tried it on MDS.

Please let me know if I am making incorrect assumptions or if this works.

Regards,

Vladimir

Re: How to connect to MDS R80.10 through alternate interface ?

Demith_Samaraw2 — Wed, 25 Apr 2018 23:19:22 GMT

Hi Dameon

I have raised a TAC case and seems it is a know issue on R80+ but they dont have a ETA for fix yet.

Re: How to connect to MDS R80.10 through alternate interface ?

Leandro_Nicolet — Wed, 16 May 2018 08:36:18 GMT

I did this recently in VMWare workstation where I only had eth0, but mds backup came from a system with a leading interface with Mgmt. I performed the changes in MDSCONFIG, but it still didn't work.

I then did the following and it worked for me.....

1. Change the interface name to Mgmt by editing the following.
/etc/udev/rules.d/00-OS-XX.rule

2. In clish re-ip the interface and change state to on. (i noticed after changing the interface name that the state had changed to off and the ip had been removed)

3. Reboot and perform an mds_restore

4. After restore completes, reboot again. Note ! it takes a good 20 mins to things to initially start, but thats probably just my VMWare resources.

Re: How to connect to MDS R80.10 through alternate interface ?

Dan_Zaidman — Thu, 17 May 2018 14:18:55 GMT

There can be only one leading interface , but you can change it , see the procedure in sk74020 - How to change the IP address of Domain Management Server

Let me know if it works for you.

Thanks

Dan

Re: How to connect to MDS R80.10 through alternate interface ?

Aaron_Pritchar1 — Fri, 08 Mar 2019 09:05:35 GMT

having same issue here.

I am testing the upgrade of R80.10 MDS to R80.20, with several CMAs included. This means that my target (R80.20) has the same IP addressing as the Source - which is still in production. This gives us IP conflicts, so i provisioned the 'real' leading VIP to be on an isolated subnet, with a secondary interface being routable on a different subnet.

this worked just find for the build process. and the database successfully import, and the MDS processes are up.
however when trying to Smartconsole onto the secondary interface (which i also have tried to setup as a leading VIP) i get the 'faile do tfind domainip'.

the only solution i can think of, would be to destination NAT from a firewall: i.e, connect to 10.1.1.1 (IP owned/arped for on a firewall) and destination NAT it to this MDS's real IP 10.2.1.1. Obviously, this will need t obe an isolated DMZ otherwise i'll get the address conflict.

in my world however, i dont have a firewall between my PC and the MDS 'lab' i am building to.

hopefully someone will have a fix for this soon.

Re: How to connect to MDS R80.10 through alternate interface ?

HenrikJ — Fri, 10 Jan 2020 09:26:59 GMT

Hello!

I got this working.

Do not try to access the MDS via the new interface.

What you should do, is route the real MDS-network to your new interface IP.

E.g.

Real leading interface has 10.0.0.1 / 24

New external interface 192.168.0.1 / 24

Create a route to 10.0.0.0/24 via 192.168.0.1

And then try to access 10.0.0.1 instead of 192.168.0.1.

The MDS will route this internally when it arrives, and I can successfully log into the MDS.

My version though is R80.30