https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182023#M33341 <P>If someone in the TAC suggested that order to me, I would request the call be transferred to somebody else.</P> <P>When adding an interface, you must add at the OS level first, then the application level.</P> <P>When removing an interface, you should tell the application to stop using the interface before you tell the OS to stop providing the interface to be used. While in most circumstances you&nbsp;<STRONG>can</STRONG> do it in the other order (remove from OS first, remove from application second), that leaves the application trying to use something which doesn't exist. The best case situation for that is cluster failovers when a monitored interface goes down. It could easily result in flapping or a hard outage if combined with other interface problems or cluster monitoring problems.</P> <P>It's like using a cable for cluster sync: technically supported, but a bad idea which <STRONG>will</STRONG> cause problems sooner or later.</P> Wed, 24 May 2023 20:40:41 GMT Bob_Zimmerman 2023-05-24T20:40:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181971#M33316 <P>What precautions need to take before removing bond interface?</P><P>Remove bond interface from gateway and remove it from management server?</P><P>need to install the policy.</P><P>Any other steps need to take care?</P><P>Please suggest</P> Wed, 24 May 2023 16:39:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181971#M33316 Pradeep_Salunke 2023-05-24T16:39:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181973#M33317 <P>Regardless of which interface, steps to take are:</P> <P>1) Remove from OS level (web UI or clish)</P> <P>2) Update topology in smart console gateway object</P> <P>3) Install policy</P> <P>4) Verify all still works</P> <P>Andy</P> Wed, 24 May 2023 16:44:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181973#M33317 the_rock 2023-05-24T16:44:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181975#M33318 <P>If we performed the get interface without topology thus affect anything?</P> Wed, 24 May 2023 16:50:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181975#M33318 Pradeep_Salunke 2023-05-24T16:50:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181977#M33319 <P>Make sure to do get interfaces WITHOUT topology. If you do WITH, it will reset your current settings.</P> <P>Cheers,</P> <P>Andy</P> Wed, 24 May 2023 16:54:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181977#M33319 the_rock 2023-05-24T16:54:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181980#M33321 <P>Of note: removing the bond from the OS level requires removing the member interfaces from the bond. I would also do that step last. You <EM>really</EM> should not delete an interface which the firewall software still knows about. It can cause all kinds of weird traffic problems.</P> <OL> <LI>Remove interface from topology table in SmartConsole</LI> <LI>Push policy</LI> <LI>Disable interfaces at the OS level (e.g, shutdown the attached switch ports)</LI> <LI>Test</LI> <LI>If everything tests good, remove the bond's member interfaces, then delete the bond</LI> </OL> Wed, 24 May 2023 17:17:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181980#M33321 Bob_Zimmerman 2023-05-24T17:17:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181981#M33322 <P>Thats true, good point, it does require removing member interfaces, thank you for pointing that out. But, even TAC would suggest to remove it from OS level first, then topology...at least thats how they always did it in the past.</P> <P>Andy</P> Wed, 24 May 2023 17:26:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/181981#M33322 the_rock 2023-05-24T17:26:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182023#M33341 <P>If someone in the TAC suggested that order to me, I would request the call be transferred to somebody else.</P> <P>When adding an interface, you must add at the OS level first, then the application level.</P> <P>When removing an interface, you should tell the application to stop using the interface before you tell the OS to stop providing the interface to be used. While in most circumstances you&nbsp;<STRONG>can</STRONG> do it in the other order (remove from OS first, remove from application second), that leaves the application trying to use something which doesn't exist. The best case situation for that is cluster failovers when a monitored interface goes down. It could easily result in flapping or a hard outage if combined with other interface problems or cluster monitoring problems.</P> <P>It's like using a cable for cluster sync: technically supported, but a bad idea which <STRONG>will</STRONG> cause problems sooner or later.</P> Wed, 24 May 2023 20:40:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182023#M33341 Bob_Zimmerman 2023-05-24T20:40:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182028#M33343 <P>Respectfully, I would disagree. I had done it the way TAC suggested many times before and never had a problem. If you think about it, all smart console would do is really get information based on whats configured on OS level, so to me, makes total sense to do it same way when adding OR removing the interface.</P> <P>Andy</P> Wed, 24 May 2023 21:24:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182028#M33343 the_rock 2023-05-24T21:24:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182134#M33372 <P>Think about it with VSX. If you remove the bond from the OS level first, then you try to remove it from your VSX object, provisioning will fail.</P> Thu, 25 May 2023 14:46:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182134#M33372 Bob_Zimmerman 2023-05-25T14:46:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182135#M33373 <P>Im sure you know VSX way better than I do, so Im positive thats correct. As far as regular gateways, I always done it how TAC suggests and never had a problem.</P> <P>Just my experience...</P> <P>Andy</P> Thu, 25 May 2023 14:49:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182135#M33373 the_rock 2023-05-25T14:49:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182152#M33382 <P>I have removed the bond interface and performed the fetch without topology. after activity i can seen that topology is undefined.</P><P>So we need to manually edit the same. I have took screenshot before activity.?</P> Thu, 25 May 2023 16:37:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182152#M33382 Pradeep_Salunke 2023-05-25T16:37:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182154#M33383 <P>Yes, please send a screenshot indicating the settings.</P> <P>Andy</P> Thu, 25 May 2023 16:38:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182154#M33383 the_rock 2023-05-25T16:38:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182156#M33385 <P>i don't have individual setting i.e. what is anti-spoofing settings.</P><P>Sorry to say that is not bond interface, that is VLAN interface under that bond 2.</P><P>I have removed the vlan interface.</P><P>&nbsp;</P> Thu, 25 May 2023 16:47:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182156#M33385 Pradeep_Salunke 2023-05-25T16:47:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182160#M33386 <P>As long as interface is not part of OS, then topology should reflect that, for sure.</P> <P>Andy</P> Thu, 25 May 2023 16:49:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Remove-bond-interface/m-p/182160#M33386 the_rock 2023-05-25T16:49:04Z