https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249192#M48676 <P>Last week we got a non-critical interface (eth1-06) in a VS that was flapping constantly and, hence, so was the cluster. We wanted to exclude for HA monitoring that interface in order to avoid that scenario in the future.</P> Fri, 16 May 2025 09:16:15 GMT Franktum 2025-05-16T09:16:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/248943#M48650 <P>Hi all,</P><P>In a regular cluster, when you want to failover when an interface goes down, you configure it as <STRONG>Cluster</STRONG> in Network Type field. Otherwise, you choose <STRONG>Private</STRONG>.</P><P>Don't know whether in VSX env, we could configure an interface not to be monitored by HA, hence a failover won't occur if that interface goes down.</P><P>Regards</P> Wed, 14 May 2025 10:30:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/248943#M48650 Franktum 2025-05-14T10:30:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249038#M48657 <P>I believe you can add the interface to $FWDIR/conf/<SPAN>discntd.if and do a cprestart (both in the context of the relevant VS).<BR /></SPAN></P> Wed, 14 May 2025 19:24:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249038#M48657 PhoneBoy 2025-05-14T19:24:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249060#M48663 <P>Previously that would remove the IP from the interface on boot up, so I would avoid testing that in prod.&nbsp;</P> <P>Private interfaces on SG clusters do not have VIPs, which is not an option on VSX. Essentially the IP you configure on the interface in SmartConsole is a VIP, so 'private' is not an option as you can't not have a VIP there on VSX.&nbsp;</P> <P>What is the problem you are looking to solve by not monitoring the interface?</P> Thu, 15 May 2025 02:59:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249060#M48663 emmap 2025-05-15T02:59:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249064#M48664 <P>What type of interface, a specific VLAN or something else?</P> Thu, 15 May 2025 05:41:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249064#M48664 Chris_Atkinson 2025-05-15T05:41:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249192#M48676 <P>Last week we got a non-critical interface (eth1-06) in a VS that was flapping constantly and, hence, so was the cluster. We wanted to exclude for HA monitoring that interface in order to avoid that scenario in the future.</P> Fri, 16 May 2025 09:16:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249192#M48676 Franktum 2025-05-16T09:16:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249274#M48686 <P>We don't really have an option to not monitor an access port on VSX. Ideally it would be best to understand why it was flapping and resolve that - if it's a barely used subnet, make sure there's always something in there with an IP address that will respond to ARPs and pings.</P> Mon, 19 May 2025 02:59:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-How-to-disable-an-interface-in-HA-monitoring/m-p/249274#M48686 emmap 2025-05-19T02:59:09Z