https://community.checkpoint.com/t5/Firewall-and-Security-Management/Outgoing-packets-from-cluster-member-NAT-issue/m-p/145105#M22661 <P>Thanks for your help but unfortunately this doesn't helped me to resolve my issue.</P> Thu, 31 Mar 2022 04:24:41 GMT Nandhakumar 2022-03-31T04:24:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Outgoing-packets-from-cluster-member-NAT-issue/m-p/145039#M22646 <P>Having weird issue in Checkpoint Cluster member.&nbsp;</P><P>We have configured cluster member but when i try to do telnet one of our internal server from Active node its getting succeed but same not getting succeed from Standby node.</P><P>When i analyzed logs, it seems active node physical interface ip is hidden behind respective interface cluster VIP IP as source.</P><P>In standby node, NAT not happening and it uses physical interface IP.&nbsp;</P><P>&nbsp;</P><P>Now my question, how can we make config so that standby node also nat its physical ip with cluster vip for outgoing interface. i created manual NAT rule but there is no luck.</P><P>Same works when i make standby node to active by failover traffic. At the same active will become standby, so in this case it will fail in this node.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Mar 2022 10:47:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Outgoing-packets-from-cluster-member-NAT-issue/m-p/145039#M22646 Nandhakumar 2022-03-30T10:47:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Outgoing-packets-from-cluster-member-NAT-issue/m-p/145064#M22651 <P>I suggest to set your standby member as a <STRONG>"Silent Standby"</STRONG></P><P>Set these Kernel parameters:</P><P>fwha_silent_standby_mode=1<BR />fwha_cluster_hide_active_only=0</P><P>&nbsp;</P><P>Set the same parameters in both members.</P><P>You can set them on the fly:</P><P><EM>fw ctl set int fwha_silent_standby_mode 1</EM></P><P><EM>fw ctl set int&nbsp; fwha_cluster_hide_active_only 0</EM></P><P>More info:</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk169154&amp;partition=Advanced&amp;product=ClusterXL#Standby%20member%20connections" target="_self">SK169154</A>&nbsp;</P><P>&nbsp;</P><P>To make it permanent see <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk26202&amp;partition=Advanced&amp;product=Quantum" target="_self">sk26202</A>&nbsp;</P><P>&nbsp;</P><P>If your management is below R80.40 you will need rules for the standby to initiate connections, as these will be evaluated in policy on the active.</P> Wed, 30 Mar 2022 13:36:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Outgoing-packets-from-cluster-member-NAT-issue/m-p/145064#M22651 Juan_ 2022-03-30T13:36:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Outgoing-packets-from-cluster-member-NAT-issue/m-p/145105#M22661 <P>Thanks for your help but unfortunately this doesn't helped me to resolve my issue.</P> Thu, 31 Mar 2022 04:24:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Outgoing-packets-from-cluster-member-NAT-issue/m-p/145105#M22661 Nandhakumar 2022-03-31T04:24:41Z