EVSolovyev
Collaborator

Update IPS signatures without default


Hello, everyone.

I have moved an HA cluster from static to OSPF. The HA cluster is installed in the center of the network and receives the default from the upstream router. It turns out that the active node has a default via OSPF, but the passive node does not receive the default. When we switch nodes, the situation is the same. I.e., in SMS, the passive node always gets an error that it cannot connect to Check Point to update the databases.

Alternatively, it is possible to write all subnets of the update portals as static routes. But this is not a good option, I think, because the subnets can change.

Maybe you can suggest something more correct?

If I decide to write static routes to the Check Point update portal, do you know which subnets are needed? If there is a list, please tell me where to see it.

PhoneBoy
Admin

I'm pretty sure the passive member should also have the default route as well.
Both members should have the same router-id (cluster address).
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

EVSolovyev
Collaborator

Hello.

I checked the OSPF configuration on both nodes and see no problem in it. The default was added statically, but on the standby node I do not see it in the routing table.

EVSolovyev
Collaborator

"HA cluster is installed in the center of the network and receives the default from the upstream route" - it was incorrect information. The default on the gateway was set statically. The other routes came via OSPF. The IP address of the default route gateway should have been pinged by configuration. For the backup node, this setting means removing the default route from the routing table even if the gateway is pinged.
