https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76295#M9441 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/17364">@Maarten_Sjouw</a>&nbsp;,&nbsp;</P><P>I understand that part but still I am still confused since the switch that is connecting to the gateways is a stacked switch both of the switch is&nbsp; in active/active and each switch is connected to a security gateway (1 switch to 1 gateway physical connection).</P><P>In this scenario, there will be a possibility that the switch will send the traffic to the gateway which is the standby.</P><P>Let us say the active firewall for my VS1 is FW01 and FW02 is the standby, my stacked switch which has a physical connection of 1 switch to 1 gateway and both of my switch forwarding traffic, there is now a possibility that my FW02 can receive traffic but FW02 is the standby state.</P><P>Thank you for the help.</P> Tue, 25 Feb 2020 07:49:48 GMT CyberBreaker 2020-02-25T07:49:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76281#M9439 <P>Hi Guys,</P><P>I have 2 new security gateways in VSX bridge mode in clusterXL, these security gateways are connected to a stacked switch (1 gateway to 1 switch physical connection). My concern is that since the gateways are not running in L3 mode, the stacked switch is not pointing to a VIP to route the traffic and it is prone that the switch will pass the traffic to the standby firewall hence it will drop the traffic.</P><P>Is this how the CP behaves or are there any ways to prevent it?</P><P>Thank you very much.</P> Tue, 25 Feb 2020 04:41:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76281#M9439 CyberBreaker 2020-02-25T04:41:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76287#M9440 With VSX only 1 gateway is handling the specific VS, so there will not be any information on the other switch about MAC addresses on the other side of the bridge. Tue, 25 Feb 2020 06:06:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76287#M9440 Maarten_Sjouw 2020-02-25T06:06:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76295#M9441 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/17364">@Maarten_Sjouw</a>&nbsp;,&nbsp;</P><P>I understand that part but still I am still confused since the switch that is connecting to the gateways is a stacked switch both of the switch is&nbsp; in active/active and each switch is connected to a security gateway (1 switch to 1 gateway physical connection).</P><P>In this scenario, there will be a possibility that the switch will send the traffic to the gateway which is the standby.</P><P>Let us say the active firewall for my VS1 is FW01 and FW02 is the standby, my stacked switch which has a physical connection of 1 switch to 1 gateway and both of my switch forwarding traffic, there is now a possibility that my FW02 can receive traffic but FW02 is the standby state.</P><P>Thank you for the help.</P> Tue, 25 Feb 2020 07:49:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76295#M9441 CyberBreaker 2020-02-25T07:49:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76300#M9442 Each switch builds its MAC table per port. When the VS is not active on member 2 it will not tell Switch2 any MAC addresses. So again Switch2 does not know about these addresses and will not forward anything for those addresses to your FW02. Tue, 25 Feb 2020 08:15:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76300#M9442 Maarten_Sjouw 2020-02-25T08:15:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76303#M9443 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/17364">@Maarten_Sjouw</a>&nbsp;</P><P>Thanks for the clarification about that, so this is also applicable for modes of deployment either L3 or bridge mode?</P><P>Thanks</P> Tue, 25 Feb 2020 08:37:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76303#M9443 CyberBreaker 2020-02-25T08:37:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76311#M9444 Also in L3 the VS is only active on 1 of the 2 FW's not on the other. Tue, 25 Feb 2020 09:22:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76311#M9444 Maarten_Sjouw 2020-02-25T09:22:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76312#M9445 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/17364">@Maarten_Sjouw</a>&nbsp;,</P><P>But it should be the same if in bridge mode right?&nbsp;</P><P>A VS can be active in only 1 FW in ClusterXL?</P><P>Thanks</P> Tue, 25 Feb 2020 09:24:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76312#M9445 CyberBreaker 2020-02-25T09:24:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76313#M9446 As I already said a VS can only be active on 1 FW it will not do anything on the other FW except for keeping the connection table up to date.<BR />It is not active in either mode on the Backup FW. Tue, 25 Feb 2020 09:28:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ClusterXL-SG-Bridge-Mode-Connection/m-p/76313#M9446 Maarten_Sjouw 2020-02-25T09:28:32Z