topic Re: ClusterXL Interface Deletion Question in Firewall and Security Management

ClusterXL Interface Deletion Question

Martin_S_1 — Fri, 04 Feb 2022 16:30:24 GMT

We have a ClusterXL pair of two 7000's. I'm about to start deleting ClusterXL interfaces from the pair. So I'll be removing them from the local gateways and updating SmartCentre. I've never done it before. Can an Interface be deleted from inside SmartCentre if there are still objects with IP addresses that fall inside the subnet of the interface being deleted? Can I delete the interface without having to delete all the objects and rules first in SmartCentre?

Re: ClusterXL Interface Deletion Question

Bob_Zimmerman — Fri, 04 Feb 2022 18:17:28 GMT

Sure. Rules are totally separate from the interface config. After all, firewalls can have routers behind them.

In general, you should remove the interface from the topology table in the firewall object on the management server, push policy, then remove the interface config on the firewalls themselves. That way, the firewall software stops looking for the interface before the interface actually goes away. If you remove the interface on the CLI first, you could get failovers and other weird behavior because the firewall software may still be trying to use it.

Re: ClusterXL Interface Deletion Question

Martin_S_1 — Mon, 07 Feb 2022 14:23:24 GMT

Hi Bob, thanks for taking the time to reply. I didn't know this. My basic plan was to proceed like this....

Brief action plan for removing an interface from cluster topology (R80.10 and above)

Remove the Virtual IP address and Change the Interface to 'Private' in SmartConsole and push policy.
check chaprob -a if for the change on both firewall gateway members.
Disable clustering on standby gateway.
delete the interface from standby gateway.
delete the interface from active gateway.

Delete the interface from SmartConsole and push policy.
Restart clustering on standby gateway.

This is taken from sk57100. Do you think this will be okay if I proceed like this, or do you think I should remove the VIP and delete the interface entirely and pushing policy before heading over to the actual gateways to remove the interfaces from there?

Re: ClusterXL Interface Deletion Question

Bob_Zimmerman — Mon, 07 Feb 2022 16:25:14 GMT

I would delete it entirely from the GUI first, push policy, then delete it on the CLI.

Setting the interface to Private should be enough, but seems like an extra step and an extra policy push for no good reason.

Re: ClusterXL Interface Deletion Question

Martin_S_1 — Tue, 08 Feb 2022 07:14:30 GMT

Hi Bob, thanks for taking the time to reply once more. Interesting. Makes me wonder why they didn't simplify it to doing it the way you are suggesting. I'm sure there must be a good reason for for the extra step.