This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gongya_Yu
Collaborator
‎2024-06-02 09:18 PM
Jump to solution

Cloudguard cluster interface configuration

In the following cluster interface configuration, does eth1 pass the data traffic ?
CP-cluster-int-conf.PNG

if I have two route tables, one for eth0 and the other one for eth1. one route table for eth0 with a default route pointing to eni-eth0 and subnet association with 172.16.11.0/24, the other route table for eth1 with a default route pointing to eni-eth1 and subnet association with 172.16.10.0/24. Any issue with this ?

thanks so much !!

0 Kudos
2 Solutions

Accepted Solutions
Nir_Shamir
Employee Employee
Employee
‎2024-06-04 02:09 AM
In response to Gongya_Yu
Jump to solution

Hi,

yes , sync interfaces also pass data traffic. if they are configured as sync the the connections sync is also passing on those interfaces.

you routing configuration is not correct. you should only have one default route (towards eth0 GW). You need to delete the other default route because it will cause routing issues (traffic is spread to both interfaces).

View solution in original post

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2024-06-04 10:11 PM
In response to Gongya_Yu
Jump to solution

in AWS Cluster the default is pointing to the ACTIVE member of the cluster. when there's a failover happens we push out an API to AWS and change the default route to the new ACTIVE member.

View solution in original post

0 Kudos
7 Replies
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-06-03 03:50 AM
Jump to solution

Hi,

I could answer better if you may share more details. "Leads To" writes to Azure but ENI is AWS term while in Azure we usually route to load balancer. Some of the configuration also depends on version.

 

In general, the default route to ENI directs all traffic to be inspected. All traffic directed at your VPC/VNET through the front end subnet will be directed to the solution. For backend, putting ENI as default for internal subnets will ensure EW inspection as well as NS.

Kind regards, Amir Senn
0 Kudos
Gongya_Yu
Collaborator
‎2024-06-03 09:12 AM
In response to Amir_Senn
Jump to solution

I have the following which is very close to our prod.
eth-int-topology.PNG

eth-RT.PNG

Right now the firewall works as one-armed.

Question 1: if the interface is defined to be sync only, does that interface still pass data traffic ?
Question 2: when is eth1-RT used ?  I am wondering eth1-RT is not used here at all.

thanks a lot !!

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2024-06-04 02:09 AM
In response to Gongya_Yu
Jump to solution

Hi,

yes , sync interfaces also pass data traffic. if they are configured as sync the the connections sync is also passing on those interfaces.

you routing configuration is not correct. you should only have one default route (towards eth0 GW). You need to delete the other default route because it will cause routing issues (traffic is spread to both interfaces).

0 Kudos
Gongya_Yu
Collaborator
‎2024-06-04 05:05 AM
In response to Nir_Shamir
Jump to solution

thanks a million.

This is what I like to confirm. 
Even though we did not get any issue, I still like to confirm the correct way to do.  

thanks again !!

0 Kudos
Gongya_Yu
Collaborator
‎2024-06-04 11:21 AM
In response to Nir_Shamir
Jump to solution

One more question to bother, for the cluster, still only one default route is needed ? If default route points to Member A interface for next-hop, what happens if member A fails ?

thanks a lot !!

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2024-06-04 10:11 PM
In response to Gongya_Yu
Jump to solution

in AWS Cluster the default is pointing to the ACTIVE member of the cluster. when there's a failover happens we push out an API to AWS and change the default route to the new ACTIVE member.

0 Kudos
Gongya_Yu
Collaborator
‎2024-06-05 06:27 AM
In response to Nir_Shamir
Jump to solution

thanks so much !!!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events