topic Re: best practices to add VLAN interface in a cluster in Firewall and Security Management

best practices to add VLAN interface in a cluster

Maller — Mon, 25 Oct 2021 08:08:40 GMT

Hi all

Usually we have configured new DMZ adding it manually "add interface etc..." , to avoid issues using "get interfaces with topology " or "get interfaces without topology". In this way we have been working without issues in R80.10.

Now using this procedure ,we are facing an issue adding new vlan interfaces in a R80.40 cluster . After install policy , new dmz VIP are not configured . It does not appear in "cphaprob -a if "

To solve this issue , we have to use "get interface without topology" . I don't understand why manually process is not working now.

any suggestion?

thanks

Manel

Re: best practices to add VLAN interface in a cluster

Yair_Shahar — Mon, 25 Oct 2021 08:40:44 GMT

Hi Manel,

Is the DMZ VIP configured in the Cluster Topology? this should be manually configured after getting interfaces.

Thanks,

Yair

Re: best practices to add VLAN interface in a cluster

Maller — Mon, 25 Oct 2021 10:16:20 GMT

Hi Yair

yes , DMZ VIP is configured. What I don't understand is that adding interfaces manually "actions -> new interface" in FW object , configuring VIP and installing policy everything worked fine . This cluster has more than 70 DMZ and all of them were configured in this way.

Now , since upgrade to R80.40 it seems that manual way is not valid and we have to do it using "GET interfaces without topology " .

thanks

Re: best practices to add VLAN interface in a cluster

Yair_Shahar — Tue, 26 Oct 2021 09:35:11 GMT

Is it consistent? and happen on more than single interface?

are all IPs and masks configured in Topology match the IPs and masks configured on Gaia?

I tried this on R81.10 and it does not seem to occur.

I can try this with R80.40 later on - Which Jumbo Take are you using?

Yair

Re: best practices to add VLAN interface in a cluster

Maller — Tue, 26 Oct 2021 20:05:26 GMT

Hi Yair

Yes , it's consistent. All ip matches between topology and gaia.

All new dmz are added to bond0.X interface.

This cluster is running r80.40 take 125.

I opened a SR with support , and yes they said that the right way to create new dmz is with get interface option . But I think that option 'add interface' manually should work also and I don't understand why it doesn't work.

With R80.10 always worked. Problems related to new interfaces creation started with R80.40 .

Thanks.

Re: best practices to add VLAN interface in a cluster

Yair_Shahar — Thu, 28 Oct 2021 09:15:56 GMT

Hi,

I have tried this on my lab with R80.40, I'm yet to see this issue occur.

As mentioned - vlan, bond and ip configured on gaia, on cluster topology new interface created and configured manually (didn't use get-interfaces)

after install policy new VIP added to cphaprob -a if - see below bond2..180

Do I miss anything? is there any specific configuration you are using? on management or gateway side?

[Expert@cluster-member-83.27-R80.40-294:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 5
Required secured interfaces: 1

Interface Name: Status:

eth0 UP
eth2 (S) UP
bond1 (HA) UP
bond2.9 (LS) UP
bond2.180 (LS) UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 55

eth0 192.168.83.25 VMAC address: 00:1C:7F:00:4E:8E
bond1 10.83.25.1 VMAC address: 00:1C:7F:00:4E:8E
bond2.9 5.5.5.10 VMAC address: 00:1C:7F:00:4E:8E
bond2.10 30.0.10.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.11 30.0.11.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.12 30.0.12.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.13 30.0.13.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.14 30.0.14.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.15 30.0.15.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.16 30.0.16.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.17 30.0.17.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.18 30.0.18.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.19 30.0.19.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.20 30.0.20.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.21 30.0.21.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.22 30.0.22.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.23 30.0.23.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.24 30.0.24.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.25 30.0.25.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.26 30.0.26.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.27 30.0.27.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.28 30.0.28.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.29 30.0.29.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.30 30.0.30.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.31 30.0.31.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.32 30.0.32.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.33 30.0.33.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.34 30.0.34.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.35 30.0.35.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.36 30.0.36.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.37 30.0.37.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.38 30.0.38.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.39 30.0.39.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.40 30.0.40.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.41 30.0.41.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.42 30.0.42.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.43 30.0.43.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.44 30.0.44.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.45 30.0.45.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.46 30.0.46.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.47 30.0.47.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.48 30.0.48.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.49 30.0.49.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.50 30.0.50.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.51 30.0.51.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.52 30.0.52.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.53 30.0.53.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.54 30.0.54.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.55 30.0.55.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.56 30.0.56.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.57 30.0.57.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.58 30.0.58.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.59 30.0.59.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.60 30.0.60.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.180 60.60.60.60 VMAC address: 00:1C:7F:00:4E:8E

Re: best practices to add VLAN interface in a cluster

Maller — Thu, 28 Oct 2021 16:32:25 GMT

Nothing special neither in gw nor in console. This behavior started after upgrade to R80.40 and the upgrade was right . I'll continue to investigate this matter.

thanks

thank you