topic Re: Cluster in Bridge mode in Spark Firewall (SMB)

Cluster in Bridge mode

LGRES — Tue, 21 Nov 2023 13:28:30 GMT

How to deploy active/standby cluster in bridge mode on SMB 1800 appliances R81.10.08 centrally managed?

According to documentation: A cluster in a Bridge Active/Standby mode is supported, but appliances are working only in Cluster Mode: High Availability (Active Up) with IGMP Membership.

Re: Cluster in Bridge mode

PhoneBoy — Tue, 21 Nov 2023 15:10:52 GMT

Per the product documentation, you cannot create a cluster when you have a switch or bridge defined in the network settings on the appliance.
See: https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Configuring-High-Availability.htm?Highlight=Cluster%20bridge

Re: Cluster in Bridge mode

LGRES — Mon, 27 Nov 2023 13:46:51 GMT

How then to deploy cluster in bridge mode, if there is no cpconfig command in Gaia Embedded?

Re: Cluster in Bridge mode

Tom_Hinoue — Mon, 27 Nov 2023 14:12:51 GMT

Check this SK for configuring a bridge cluster for centrally managed SMBs.

How to create a centrally managed cluster for Embedded Gaia SMB gateways

Since this is for R77.20.XX, also refer to the admin guide, though I believe there is not much difference between the versions.

Quantum Spark 1500, 1600, and 1800 Appliances R81.10.X Centrally Managed Administration Guide

Also the alternative for cpconfig is enabling a specific kernel parameter in fwkern.conf in both members and reboot the gateway.

fwha_active_standby_bridge_mode=1

You can find this information in this SK as well.

Cluster in Active-Standby bridge mode in 1200R / 1400 centrally managed appliances

Re: Cluster in Bridge mode

PhoneBoy — Tue, 28 Nov 2023 15:00:53 GMT

The way I interpret this statement is that a cluster in bridge mode is not supported on SMB appliances.
I would confirm with TAC, though: https://help.checkpoint.com

Re: Cluster in Bridge mode

Chris_Atkinson — Tue, 28 Nov 2023 15:21:53 GMT

Definitely one for TAC, the section beneath this (prerequisites) contains a contradictory statement.

Re: Cluster in Bridge mode

G_W_Albrecht — Thu, 30 Nov 2023 12:03:59 GMT

Also see in sk178604Check Point R81.10.X for 1500, 1600, and 1800 appliance Known Limitations and Resolved Issues:

-	If a bridge is configured on network interfaces, a cluster can only be created when the Quantum Spark appliance is Centrally Managed.	R81.10.00	-
Networking - Bridge
SMBGWY-2478	Bridge interfaces cannot be disabled.	R81.10.00	-
SMB-10543	Embedded Gaia appliances conform to the Maintrain bridge (L2) limitations listed in sk101371	R81.10.00	-
SMB-12375	Attempting to assign the pivot port of a switch to a bridge using the CLI fails, but does not display an error.	R81.10.00	-
-	Site-to-Site VPN is not supported with layer 2 (bridge) connection types.	R81.10.00	-
SMBGWY-2443	When more than one VAP is added to a local network switch or bridge, it cannot be unassigned. Workaround: delete it and then recreate it.

Re: Cluster in Bridge mode

Tom_Hinoue — Fri, 01 Dec 2023 00:32:51 GMT

Yes, my understanding is that a bridge mode cluster is possible in R81.10.XX if centrally managed, as well I have tested this in lab before.

Maybe some SK's or the admin guide need to be updated, so it includes specific directions on how to configure a centrally managed bridge cluster 🙂

Re: Cluster in Bridge mode

G_W_Albrecht — Fri, 01 Dec 2023 08:46:24 GMT

There is:

sk122659: Cluster in Active-Standby bridge mode in 1200R / 1400 centrally managed appliances

Re: Cluster in Bridge mode

G_W_Albrecht — Fri, 01 Dec 2023 09:17:58 GMT

...but the newest is mentioned in the table, sk101371: Bridge Mode on Gaia OS and SecurePlatform OS

Should be named Gaia OS and Gaia Embedded, as shown as OS in the SK !

Re: Cluster in Bridge mode

Tom_Hinoue — Fri, 01 Dec 2023 09:44:49 GMT

Oh I meant by that currently it only mentions 1200R/1400 and not the current 1500/1600/1800s 🙂