topic Re: How to configure External interface in Clusterxl in Firewall and Security Management

How to configure External interface in Clusterxl

Javad_Nicou — Tue, 25 Jul 2017 03:36:40 GMT

Please help to understand how to configure internet facing interface in #Clusterxl and also Clusterxl with ISP redundancy

Scenario 1: Clusterxl high availability 14 Public IP from ISP

Scenario 2 : Clusterxl high availability 14 Public IP from 2 separate ISP ( #ISP_Redundancy )

Thank you .

isp redundancy‌ ‌ ‌

Re: How to configure External interface in Clusterxl

PhoneBoy — Tue, 25 Jul 2017 06:15:22 GMT

Assuming your ISP allocated you a /28 (14 addresses after you exclude the network and broadcast), you're going to need 3 IP addresses: one for each cluster member, and one for the VIP for ClusterXL.

I presume the ISP's default router will also take one of those IP addresses (as the default route).

Both cluster members will be configured to use that default route.

In any case, this along with the ISP Redundancy requirement should be a fairly standard configuration covered by the Product Documentation: ClusterXL R80.10 (Part of Check Point Infinity)

If you have specific questions after reading the docs and can provide more details about your proposed configuration, feel free to ask.

Re: How to configure External interface in Clusterxl

Javad_Nicou — Thu, 27 Jul 2017 05:56:52 GMT

Thank you very much Dameon .

Re: How to configure External interface in Clusterxl

Javad_Nicou — Thu, 21 Sep 2017 05:30:58 GMT

Hi Dameon ,

I have followed your instruction but not sure about default gateway and static NAT . Also, I am confused about the ISP redundancy faileover , The faileover will happen in the same Firewall or faileover to standby firewall ?

Default Gateway :

For each member what default gateway should configure? (ClusterXL mode)

NAT :

For static NAT to a web server ( static NAT to one of the IP of /28 NOT firewall IP ) do I need to create alias for each IP address and assign to Firewall external address ?

How should I configure static NAT for clusterxl in ISP redundancy ?

Thanks in advance for your help .

Re: How to configure External interface in Clusterxl

PhoneBoy — Thu, 21 Sep 2017 07:45:48 GMT

ISP Redundancy is local to the specific gateway.

In a cluster it should be configured on both members.

The default route should be your primary ISPs next hop IP (again, configured on both members).

For NAT, you do not need to create that static IP as an alias, you merely need to make a rule in the NAT rulebase.

You can have multiple public IPs (for the different ISP links) for your webserver.

This specific example is covered in the documentation: How To Configure ISP Redundancy

Re: How to configure External interface in Clusterxl

Javad_Nicou — Fri, 22 Sep 2017 00:15:42 GMT

Thanks for your reply .

if Default gateway configured as primary and primary Internet failed how firewall will handle the secondary ISP route ?

(in cluster object I have enabled the USO redundancy as primary/backup mode with next hop IP address but not sure I have to add default gateway or not in gui static route or not )

Also,The static NAT to my web server is not working without creating an aliases !!!!

Re: How to configure External interface in Clusterxl

dorj_erdeneochi — Wed, 27 Sep 2017 02:54:52 GMT

hello

I configured cluster in R80.10 distributed configuration. our ISP switch port is trunk mode. how will i configure trunk in external interface. i read if i add vlan 10 in eth1 . trunk is automatic added in eth1. my problem isn't working in external trunk port interface. how will i configure trunk in cluster external interfaces ?

Re: How to configure External interface in Clusterxl

PhoneBoy — Wed, 27 Sep 2017 03:28:06 GMT

Basically you treat each VLAN as if it were a physical interface.

This means:

In Gaia, after adding the relevant VLANs to eth1, configure the networking for each VLAN as appropriate.
- Note it's generally not best practice for the physical (non VLAN) interface to have an IP once you start using VLANs on a given physical interface.
In SmartConsole, gateway and cluster objects, you will see each VLAN show up as an independent interface when you do a Get Topology. Configure each VLAN as appropriate. Ensure each VLAN has a cluster IP.

Note also about the following limitation when using VLANs with ClusterXL: Monitoring of VLAN interfaces in ClusterXL

Re: How to configure External interface in Clusterxl

dorj_erdeneochi — Wed, 27 Sep 2017 05:01:18 GMT

Thanks for answer. This is my topology. i need configure trunk in checkpoint. below is what i did.

1. Assign VLAN on both checkpoint eth1.

2. Put default gateway to ISP 1.1.1.4

3. did Get topology and configured network to external in eth1.

4. WG is watchguard firewall.

problem is: could not ping from Checkpoint to WG and ISP.

is my topology correct for this cluster?

Re: How to configure External interface in Clusterxl

PhoneBoy — Wed, 27 Sep 2017 05:44:53 GMT

A VLAN trunk only works if both ends are configured the same way.

If you plug the WatchGuard interface with a Trunk into a switch port, then that switch port must:

Support VLANs
Be configured as a trunk with the same VLANs as the WatchGuard

Same with both Check Point devices, both on the WatchGuard side of things and on the Cisco side of things.

Also, on the gateway topology, the interface that should be marked as external is eth1.10 (the VLAN interface) not eth1 (the physical one).

On a separate note, load sharing configurations (while supported) are generally not advised.

If the cluster members exceed 50% utilization and one node fails, the other member will become overloaded (which may cause a complete outage).

Re: How to configure External interface in Clusterxl

dorj_erdeneochi — Wed, 27 Sep 2017 06:35:34 GMT

thanks for answer. I understood from your answer that trunk port is work. maybe i missed some configuration . can you say me some check list configuration for this topology ? can you give phone number ? i have a some question cluster in checkpoint R80.10 ? is it possible ?