no_hide_services_ports & Management HA

Scottc98 — Fri, 22 Mar 2024 00:38:32 GMT

Issue:

I have a issue with radius working properly on a cluster and need to ensure that the source-ip used matches the NAS-ip. My understanding in the past is to follow sk31832 and modify the table.def file globally and add in "<1812, 17>" , save and then install policy on the devices to take affect.

i.e.

before

no_hide_services_ports = { <4500,17>, <500, 17>, <259, 17>, <1701, 17>, <5500, 17>};

after

no_hide_services_ports = { <4500,17>, <500, 17>, <259, 17>, <1701, 17>, <5500, 17>, <1812, 17>};

Questions:

is this still the only way to achieve this in R81.10 or R81.20?
1. Feels like we should be able to do this on some no hide nat rule in each access policy verses setting this globally for all gateways.
In a SMS management HA setup, does both Management servers need to be updated manually or is this synchronized over the secondary if edited on the primary member?
1. Only had to do this in the past on a single SMS server and can't see to find any docs that touches to this point.
2. If it synchronizes, is that done automatically or is it something having to be driven by some 'install database' on both servers?
Being that this type of change affects all GWs, is there any ill affect to any VSX clusters?
1. I have not setup radius on those R81.10 VSX clusters (VSLS) yet but wanted to be sure.
  1. it seems per documentation that this modification "IS" a requirement before I do set it up here (Accurate?)
    1. REF: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_VSX_AdminGuide/Topics-VSXG/Working-with-Authentication.htm

Thanks in advance

Re: no_hide_services_ports & Management HA

PhoneBoy — Fri, 22 Mar 2024 15:07:15 GMT

Management HA does not sync changes to .def files, so you'll have to do this on both.
Don't believe this has a negative impact on VSX.

Re: no_hide_services_ports & Management HA

CheckPointerXL — Tue, 02 Apr 2024 13:47:43 GMT

are you sure? i converted different standalone mds to ha and i'm pretty sure it sync'd different .def files...

Re: no_hide_services_ports & Management HA

Scottc98 — Fri, 19 Apr 2024 00:54:25 GMT

@CheckPointerXL

I can confirm that the table.def 100% sync'd over to the standby management when we made our changes. Only had to touch the primary active node.

topic Re: no_hide_services_ports & Management HA in General Topics

no_hide_services_ports & Management HA

Re: no_hide_services_ports & Management HA

Re: no_hide_services_ports & Management HA

Re: no_hide_services_ports & Management HA