topic Using cluster object in access policy in General Topics

Using cluster object in access policy

phlrnnr — Thu, 17 Dec 2020 19:27:52 GMT

When using a cluster object in the access policy, what exactly does it represent? Does it represent all IPs on all interfaces of both cluster members plus virtual IPs for the cluster itself? Or does it only represent a subset of these?

For example, if I had a firewall cluster with member A and member B configured with the following IPs:

Member A: eth1: 1.1.1.1, eth2: 2.2.2.1
Member B: eth1: 1.1.1.2, eth2: 2.2.2.2
Virtual IP: eth1: 1.1.1.3, eth2: 2.2.2.3

If I configured a rule allowing 10.1.1.1 --> Cluster_Object, ICMP

What would 10.1.1.1 be allowed to ping?

(Note: I am assuming that implied rules are not interfering with any of this)

Re: Using cluster object in access policy

PhoneBoy — Sat, 19 Dec 2020 05:34:18 GMT

I believe it’s just the main IP of the object (on general tab).

Re: Using cluster object in access policy

JozkoMrkvicka — Sun, 20 Dec 2020 07:35:33 GMT

In R77.30 all VIPs were matched.

In R80.30 only Main IP in Cluster Object is matched. If you need some interface VIP to be used, create host object.