topic Re: Firewall Management Traffic via Cluster VIP in General Topics

Firewall Management Traffic via Cluster VIP

SriNarasimha005 — Tue, 08 Apr 2025 10:32:57 GMT

Hi There,

We've checkpoint firewalls running in a 'staging' phase configured to support on R81.20 Take 98. When the firewall is trying to initiate a connection from the Management interface (Syslog/Authentication server), observed that it's getting changed to the Cluster VIP IP address.

This is applicable for both the firewalls running in Active/standby and this causes issues with the authentication server as the VIP IP isn't part of the device admin in Radius server.

I don't have any Hide NAT configured to support this configuration.

Can someone please assist on this matter? Thank you.

Re: Firewall Management Traffic via Cluster VIP

G_W_Albrecht — Tue, 08 Apr 2025 11:27:32 GMT

Open a SR# with CP TAC to get this resolved asap! Your post does not help at all to suggest anything...

Re: Firewall Management Traffic via Cluster VIP

Martijn — Tue, 08 Apr 2025 12:43:29 GMT

Hi,

Please check sk31832 - How to prevent a ClusterXL or VRRP Cluster hiding its own traffic behind its Virtual IP address

On the management server make changes to $FWDIR/lib/table.def and push policy.

Regards,
Martijn

Re: Firewall Management Traffic via Cluster VIP

SriNarasimha005 — Fri, 25 Apr 2025 06:24:37 GMT

Hi @Martijn

Apologies for the late reply.

From the given SK article, I believe it's a default behaviour for the standby firewall to hide behind the VIP when connections are initiated from the member itself.

Also, as given in the provided SK article, it's been suggested not to add 443 as it might negatively impact the VPN tunnel initiation.

With that said, I assume that standby Firewall be able to reach the Internet/CP portal for AV updates via active firewall which is holding the VIP.

Is my understanding correct..?

Note: I've placed a NO-NAT rule from the firewall to the destination which didn't resolve this issue.

Re: Firewall Management Traffic via Cluster VIP

Martijn — Fri, 25 Apr 2025 07:00:56 GMT

Hi,

Hide behind cluster IP is default behaviour and the NO-NAT rule will not help. You have to edit table.def if you want the appliances behave differently.

I mostly use it for traffic like DNS, RADIUS or SecureID. Most of the time this was OK for the standby member to get updates.

You can check with a curl_cli from the standby member

#curl_cli -v -k https://updates.checkpoint.com

Regards,
Martijn

Re: Firewall Management Traffic via Cluster VIP

SriNarasimha005 — Fri, 25 Apr 2025 07:19:09 GMT

Thanks for the reply.

As checked in the given SK article, I believe this is configured using specific ports (DNS, Radius) which is applicable for all the firewalls hosted in that CMA.

no_hide_services_ports = { <PORT_1,PROTOCOL_1>, <PORT_2,PROTOCOL_2>, ..., <PORT_N,PROTOCOL_N> };

Is there anyway we can restrict/modify the file only for specific firewalls?