https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201483#M10039 <P>Hello,</P><P>&nbsp;</P><P>I create SMB Cluster R80.20.50 via Smart Console in High Availability mode.</P><P>This cluster have s2s with Gaia 7000.</P><P>My Goal: to create managmenet inteface on each gateway of the SMB which is not monitored by the cluster&nbsp;<BR />in order to get access to each device seperatly.</P><P>In topology table I configred this interface as "Non-Monitored Private" and it is internal.</P><P>The problem is that I still got access to Avtive member interface and not to the standby.</P><P>&nbsp;</P><P>I think this is because of the site to site.</P><P>Any suggestions?</P> Mon, 25 Dec 2023 11:02:38 GMT leonid1890 2023-12-25T11:02:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201483#M10039 <P>Hello,</P><P>&nbsp;</P><P>I create SMB Cluster R80.20.50 via Smart Console in High Availability mode.</P><P>This cluster have s2s with Gaia 7000.</P><P>My Goal: to create managmenet inteface on each gateway of the SMB which is not monitored by the cluster&nbsp;<BR />in order to get access to each device seperatly.</P><P>In topology table I configred this interface as "Non-Monitored Private" and it is internal.</P><P>The problem is that I still got access to Avtive member interface and not to the standby.</P><P>&nbsp;</P><P>I think this is because of the site to site.</P><P>Any suggestions?</P> Mon, 25 Dec 2023 11:02:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201483#M10039 leonid1890 2023-12-25T11:02:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201544#M10044 <P>What version/JHF is your management?<BR />Setting a "Non-Monitored Private" interface isn't necessary here, but you may need to disable cluster fold NAT.<BR />It is settable via the CLI from R81.10.00:&nbsp;<A href="https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/170583.htm" target="_blank">https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/170583.htm</A></P> Tue, 26 Dec 2023 20:59:29 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201544#M10044 PhoneBoy 2023-12-26T20:59:29Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201551#M10045 <P>Hello,</P><P>&nbsp;</P><P>My Smart Console version is R81.10</P><P>I don't use NAT on my SMB Cluster.</P> Wed, 27 Dec 2023 07:07:16 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201551#M10045 leonid1890 2023-12-27T07:07:16Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201608#M10046 <P>Clustering does this "NAT" by default.<BR />It should also be settable in your software release via the CLI as well.<BR />How precisely are you attempting to access the secondary member?</P> Wed, 27 Dec 2023 14:18:26 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201608#M10046 PhoneBoy 2023-12-27T14:18:26Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201609#M10047 <P>1. I checked inside my SMB Cluster NAT settings:</P><P>perform-cluster-hide-fold: false</P><P>&nbsp;</P><P>2. I tried to access secondary cluster member via WAN or via one the LAN interfaces.</P><P>but it didn't work.</P><P>I am trying to find way to have access both of cluster members when the site to site is working.</P> Wed, 27 Dec 2023 14:25:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201609#M10047 leonid1890 2023-12-27T14:25:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201612#M10048 <P>How are you attempting to perform this access?<BR />Have you used tcpdump to see if the traffic is reaching the secondary member or not?</P> Wed, 27 Dec 2023 14:35:52 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201612#M10048 PhoneBoy 2023-12-27T14:35:52Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201617#M10049 <P>Trying access via SSH / HTTPs</P><P>I can't used&nbsp;<SPAN>tcpdump&nbsp;on the&nbsp;secondary member because I don't have access when site to site is working.</SPAN></P><P><SPAN>When I remove site to site I have access to both of the Cluster members via WAN interface.</SPAN></P> Wed, 27 Dec 2023 14:51:22 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201617#M10049 leonid1890 2023-12-27T14:51:22Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201623#M10050 <P>Might be worth TAC case or do remote session, sounds like something simple might be missing here.</P> <P>Best,</P> <P>Andy</P> Wed, 27 Dec 2023 18:32:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201623#M10050 the_rock 2023-12-27T18:32:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201630#M10051 <P>With the VPN in place, it would be expected for the traffic to traverse the primary node.<BR />However, you should still be able to:</P> <UL> <LI>Reach the primary node</LI> <LI>SSH from the primary node to the secondary node</LI> </UL> <P>Are you able to do that?<BR />I also think working with TAC on this would be advisable.</P> Wed, 27 Dec 2023 19:06:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201630#M10051 PhoneBoy 2023-12-27T19:06:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201867#M10058 <P>Ok thanks, I will check with TAC</P> Mon, 01 Jan 2024 07:24:33 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-Cluster-Management-Interface/m-p/201867#M10058 leonid1890 2024-01-01T07:24:33Z