topic Re: Adding new cluster interface and anti-spoofing in Firewall and Security Management

Adding new cluster interface and anti-spoofing

velo — Wed, 04 Sep 2024 09:38:27 GMT

I'm adding a new sub-interface to an existing cluster. I'm going to be following this guide:

https://support.checkpoint.com/results/sk/sk57100

My new sub-interface will be used to route traffic to a remote site (172.16.100.0/24) I will add a static route on each member pointing to this subnet via this new interface.

After creating the interface on each member in Gaia portal, I'm going to use the "get interfaces without topology" in Smart Dashboard. How should I setup the "Leads to" section? Which one of the following two options should I use?

Network defined by static routes
Specific (create an object for the remote network and select it here)

I don't want to "get interfaces with topology" because I don't want to mess with any existing setup. I recall I read somewhere that if you're using the "defined by static routes" option you might need to use "get interfaces with topology"

I want to use the lowest impact, least chance of risk option because it's an important environment.

Thanks

Re: Adding new cluster interface and anti-spoofing

AkosBakos — Wed, 04 Sep 2024 09:57:43 GMT

Hi @velo

I suggest you that the "get interfaces with topology" is not safe to use on an working setup. If you use it, all of the Interface information will be overwritten. If somewhere is set an anti-spoofing group, that will be overwritten too, so don't use it.

This is the suggested method in the mentioned SK too.

About your question, how to set up the new interface:

It depends on your need. If the confgured IP and MASK represents the network behind, you can use "Network defined by static routes" safely

Akos

Re: Adding new cluster interface and anti-spoofing

velo — Wed, 04 Sep 2024 11:03:09 GMT

Thanks Akos

I'm not going to use the "get interfaces with topology" option as that will make changes like you say.

But I thought I read somewhere that if you use the "Network defined by static routes" option, you needed to get the "get interfaces with topology" option for it to pick up the routes, but maybe that is not the case.

You are correct, IP and Mask will represent the network behind the new interface. I will use:

"get interfaces without topology"
"Network defined by static routes"

Hopefully that shout be OK.

Thanks

Re: Adding new cluster interface and anti-spoofing

AkosBakos — Wed, 04 Sep 2024 13:16:55 GMT

Hi @velo

This statement is misleading. 😉

You can change this setting anytime.

akos

Re: Adding new cluster interface and anti-spoofing

velo — Wed, 04 Sep 2024 11:09:19 GMT

Yes you're quite right, that would be silly. Thanks!

Re: Adding new cluster interface and anti-spoofing

Duane_Toler — Wed, 04 Sep 2024 13:08:27 GMT

If you are using the option "Network defined by routes" (it's not static routes; just routing in general), then the gateway will poll the Gaia routing daemon (RouteD) every few seconds to learn the contents of the routing table (the FIB). With this information, the gateway will auto-adjust the anti-spoofing topology without needing to make new objects manually.

You will use this option in dynamic routing environments, but you can just as easily do it with static routes ("static routes" are a routing protocol; just not a dynamic routing protocol)

Re: Adding new cluster interface and anti-spoofing

velo — Wed, 04 Sep 2024 18:49:26 GMT

Great to know, thank you. Makes sense.

Re: Adding new cluster interface and anti-spoofing

velo — Thu, 05 Sep 2024 09:18:13 GMT

Just another question. Do I need to add any firewall policy to allow CPP to communicate on these new interfaces?

Look at the SK article, I think it's actually incomplete. There is no mention of pushing a policy after the change.

Stop the clustering on Standby member
Perform all operations on Standby member
Perform all operations on Active member
Perform all operations in SmartDashboard
Start the clustering on Standby member

Re: Adding new cluster interface and anti-spoofing

AkosBakos — Thu, 05 Sep 2024 09:23:44 GMT

Do I need to add any firewall policy to allow CPP to communicate on these new interfaces? No.

You won't be notified to push a policy, just simle push it 🙂

Akos

Re: Adding new cluster interface and anti-spoofing

velo — Thu, 05 Sep 2024 09:25:38 GMT

Thanks for the info. I only mention the push because I think it enabled clustering on that interface only after the push.

Thanks for the info.

Re: Adding new cluster interface and anti-spoofing

AkosBakos — Thu, 05 Sep 2024 09:35:59 GMT

The policy install is that movement wich enable the clustering on the interface. All the settings are remain on the Management until you push policy,

Therefore the first investigation step is the pushing policy 🙂

Re: Adding new cluster interface and anti-spoofing

velo — Thu, 05 Sep 2024 09:37:07 GMT

100%, thanks for the info. That's why I think it might be a good idea to mention that in the SK article.

Thanks 🙂