https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8195#M162 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P>Thanks for the answer, the checkpoint cluster itself has no dynamic ip</P><P></P><P></P><P>The topology is this:</P><P></P><P>The Router has receives the IP from the provider.</P><P>Behind it is the Cluster, with static IP on the Transport network. all connected over a switch( not relevant for this discussion).</P><P></P><P>The management is reachable over the internet so any incoming connection would have to be to the Public IP of the router.</P><P></P><P></P><P>My idea was to have the Cluster set as Dynamic and have both gateways fetch the policy, this way only outbound communication is&nbsp; required like on a normal DAIP single gateway solution.</P><P>I wanted to test this but the Dyn option is not available on the cluster object.</P><P></P><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/74988_topology.png" /></P></BODY></HTML> Fri, 23 Nov 2018 18:03:51 GMT Ricardo_Gros 2018-11-23T18:03:51Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8193#M160 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>I was trying to figure a way to build a DAIP SMB cluster&nbsp; that is centrally managed.</P><P></P><P>This is actually as it seems not supported because the Cluster object on management side is missing the Dynamic IP box.</P><P></P><P>However i was wondering if there is really a technical reason why this does not work on a topology where the Dynamic IP sits on a 3rd party Router and the Checkpoint Cluster is behind it.</P><P></P><P>As far as i understand the DAIP gateways will only fetch the policy and the Logging is also outbound so it would actually not be much different from a single gateway setup with DAIP on 3rd party device.</P><P></P><P></P><P>Has some one tried this? does this make sense?</P></BODY></HTML> Fri, 23 Nov 2018 12:19:50 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8193#M160 Ricardo_Gros 2018-11-23T12:19:50Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8194#M161 <HTML><HEAD></HEAD><BODY><P>Clustering assumes the IPs of all cluster members are fixed and on the same subnets.</P><P>You cannot make that assumption when the gateways get their IP via DHCP.</P><P>When you check DAIP, the gateway is assumed to be obtaining an IP from DHCP and will not have a fixed address.</P><P></P><P>Now, if in reality, the cluster members are going to get a static IP from the DHCP server, then you define it in SmartDashboard with a fixed IP and do NOT set the DAIP flag in the object.</P></BODY></HTML> Fri, 23 Nov 2018 17:13:50 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8194#M161 PhoneBoy 2018-11-23T17:13:50Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8195#M162 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P>Thanks for the answer, the checkpoint cluster itself has no dynamic ip</P><P></P><P></P><P>The topology is this:</P><P></P><P>The Router has receives the IP from the provider.</P><P>Behind it is the Cluster, with static IP on the Transport network. all connected over a switch( not relevant for this discussion).</P><P></P><P>The management is reachable over the internet so any incoming connection would have to be to the Public IP of the router.</P><P></P><P></P><P>My idea was to have the Cluster set as Dynamic and have both gateways fetch the policy, this way only outbound communication is&nbsp; required like on a normal DAIP single gateway solution.</P><P>I wanted to test this but the Dyn option is not available on the cluster object.</P><P></P><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/74988_topology.png" /></P></BODY></HTML> Fri, 23 Nov 2018 18:03:51 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8195#M162 Ricardo_Gros 2018-11-23T18:03:51Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8196#M163 <HTML><HEAD></HEAD><BODY><P>The assumption is that if the gateway has static IPs, it's reachable bidirectionally.</P><P>In the case of a truly dynamic gateway, the assumption is that it has outbound only access (and could even be behind a NAT).</P></BODY></HTML> Sun, 25 Nov 2018 05:21:51 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8196#M163 PhoneBoy 2018-11-25T05:21:51Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8197#M164 <HTML><HEAD></HEAD><BODY><P>But, in this case both are behind a NAT and have only outbound access. However on Management the Cluster object does not allow for DAIP so this cannot be configured at all.&nbsp;</P><P>My doubt was if this would&nbsp; make sense to be possible in this topology.</P></BODY></HTML> Sun, 25 Nov 2018 10:57:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8197#M164 Ricardo_Gros 2018-11-25T10:57:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8198#M165 <HTML><HEAD></HEAD><BODY><P>I think the only way you can have this sort of configuration is if you manage the gateway with a SmartLSM profile.</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111626" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111626">ATRG: SmartProvisioning</A>&nbsp;</P></BODY></HTML> Sun, 25 Nov 2018 15:54:11 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8198#M165 PhoneBoy 2018-11-25T15:54:11Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8199#M166 <HTML><HEAD></HEAD><BODY><P>i will look into this, thank you.</P></BODY></HTML> Sun, 25 Nov 2018 18:13:11 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/DAIP-cluster/m-p/8199#M166 Ricardo_Gros 2018-11-25T18:13:11Z