https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232904#M45041 <P>As you are probably aware, ClusterXL does not support interface aliases.<BR />However, <A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Gaia_AdminGuide/Content/Topics-GAG/Aliases.htm" target="_self">ElasticXL (in R82) does support aliases</A>.</P> <P>A network diagram will go a long way towards helping you solve this issue, as will a detailed explanation of why interfaces aliases are "needed."</P> Fri, 15 Nov 2024 15:42:20 GMT PhoneBoy 2024-11-15T15:42:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232902#M45039 <P><SPAN class="">Good</SPAN> <SPAN class="">afternoon</SPAN><SPAN class="">.</SPAN></P><P><SPAN class="">The</SPAN> <SPAN class="">client</SPAN><SPAN> has </SPAN><SPAN class="">an</SPAN> <SPAN class="">NGFW</SPAN><SPAN> of </SPAN><SPAN class="">an</SPAN> <SPAN class="">unknown</SPAN> <SPAN class="">vendor</SPAN> <SPAN class="">that</SPAN> <SPAN class="">supports</SPAN> <SPAN class="">alias</SPAN> <SPAN class="">interfaces</SPAN><SPAN> based </SPAN><SPAN class="">on</SPAN> <SPAN class="">cluster</SPAN> <SPAN class="">technology</SPAN></P><P><SPAN>The </SPAN><SPAN class="">external</SPAN> <SPAN class="">addresses</SPAN> <SPAN class="">look</SPAN> <SPAN class="">like</SPAN><SPAN> this:</SPAN></P><P><SPAN class="">eth0</SPAN></P><P><SPAN class="">eth0:1 1.1.1.1/26 (VIP) </SPAN></P><P><SPAN class="">eth0:1 1.1.1.2/26 (Node1)</SPAN></P><P><SPAN class="">eth0:1 1.1.1.3/26 (Node2)</SPAN></P><P><SPAN class="">eth0:2 1.1.1.4/26 (VIP) </SPAN></P><P><SPAN class="">eth0:2 1.1.1.5/26 (Node1) </SPAN></P><P><SPAN class="">eth0:2 1.1.1.6/26 (Node2)</SPAN></P><P><SPAN class="">and etc</SPAN></P><P>&nbsp;</P><P><SPAN class="">Users</SPAN> <SPAN class="">access</SPAN> <SPAN class="">resources</SPAN> <SPAN class="">at</SPAN> <SPAN class="">addresses</SPAN> <SPAN class="">1.1.1.1</SPAN><SPAN class="">,</SPAN> <SPAN class="">1.1.1.3</SPAN><SPAN class="">,</SPAN> <SPAN class="">1.1.1.7</SPAN> <SPAN class="">and</SPAN> <SPAN class="">so</SPAN> <SPAN class="">on</SPAN><SPAN class="">.</SPAN></P><P>&nbsp;</P><P>&nbsp;<SPAN class="">Aliases</SPAN> <SPAN class="">cannot</SPAN><SPAN> be </SPAN><SPAN class="">transferred</SPAN> <SPAN class="">due</SPAN><SPAN> to </SPAN><SPAN class="">restrictions</SPAN><SPAN class="">.</SPAN><SPAN> The </SPAN><SPAN class="">separation</SPAN><SPAN> of the vlans will </SPAN><SPAN class="">not</SPAN> <SPAN class="">work</SPAN> <SPAN class="">due</SPAN><SPAN> to </SPAN><SPAN class="">the</SPAN> <SPAN class="">inability</SPAN><SPAN> to </SPAN><SPAN class="">use</SPAN><SPAN> the </SPAN><SPAN class="">same</SPAN> <SPAN class="">address</SPAN> <SPAN class="">space</SPAN> <SPAN class="">on</SPAN> <SPAN class="">several</SPAN> <SPAN class="">vilan</SPAN> <SPAN class="">interfaces</SPAN></P><P>&nbsp;</P><P><SPAN class="">I</SPAN><SPAN>'ve been </SPAN><SPAN class="">racking</SPAN> <SPAN class="">my</SPAN> <SPAN class="">brain</SPAN><SPAN> on </SPAN><SPAN class="">how</SPAN><SPAN> to </SPAN><SPAN class="">transfer</SPAN><SPAN> this </SPAN><SPAN class="">to</SPAN> <SPAN class="">CheckPoint</SPAN><SPAN class="">.</SPAN></P><P>&nbsp;</P><P><SPAN>Do you </SPAN><SPAN class="">have</SPAN> <SPAN class="">any</SPAN> <SPAN class="">ideas</SPAN><SPAN class="">?</SPAN></P><P>&nbsp;</P><P><SPAN class="">Thanks</SPAN></P> Fri, 15 Nov 2024 15:32:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232902#M45039 okatsladz454 2024-11-15T15:32:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232903#M45040 <P><SPAN>Routing and NAT but there may not be enough information here to say this would work conclusively for you.</SPAN></P> <P>Basically separate the subnets used for connectivity versus the addresses offering / publishing services.</P> Fri, 15 Nov 2024 15:40:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232903#M45040 Chris_Atkinson 2024-11-15T15:40:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232904#M45041 <P>As you are probably aware, ClusterXL does not support interface aliases.<BR />However, <A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Gaia_AdminGuide/Content/Topics-GAG/Aliases.htm" target="_self">ElasticXL (in R82) does support aliases</A>.</P> <P>A network diagram will go a long way towards helping you solve this issue, as will a detailed explanation of why interfaces aliases are "needed."</P> Fri, 15 Nov 2024 15:42:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232904#M45041 PhoneBoy 2024-11-15T15:42:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232923#M45046 <P>You can create Proxy ARP for this instead of interfaces probably.</P> <P>You create eth0 as Cluster interface with 1.1.1.1 as ClusterXL IP and whatever for physical IP of each cluster member, if you still have free IP in the /26 otherwise use private IP with local-scope, there is an SK for that.</P> <P>You can then add on each cluster member Proxy ARP matching eth0 for the physical address which will make it that ETH0 will answer for 1.1.1.1, 1.1.1.2 and so on, on the active member.</P> Fri, 15 Nov 2024 21:16:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Migration-to-ClusterXL-with-alias-interface/m-p/232923#M45046 Alex- 2024-11-15T21:16:26Z