How to add VLAN interface in cluster

Hi Experts,

We're running Check Point cluster firewalls (R77.30) which are managed by SmartConsole (R80.30), and now we're planning to add a new VLAN interface.

I've read some resources stating that there may be some problems when the interfaces are fetched. Could you please suggest the best practice to adhere to in order to avoid any outage?

Thanks in advance

Cheers,

Sri


Accepted Solutions
Advisor

@PhoneBoy is correct. What I have seen are issues when "Get Interfaces with Topology" is selected, overwriting any existing Anti-Spoofing settings.

To avoid any issues with already defined interfaces, you should add the interface to each GW in the cluster, then "Get Interfaces without Topology" and define any Anti-Spoofing you desire manually.

 

The example below uses existing interface eth0 and VLAN ID 200 with subnet 192.168.200.0/24, and assumes the topology is defined by IP/Subnet.

GW1
add interface eth0 vlan 200
set interface eth0.200 ipv4-address 192.168.200.2 mask-length 24
save config

GW2
add interface eth0 vlan 200
set interface eth0.200 ipv4-address 192.168.200.3 mask-length 24
save config

 

SmartConsole

Open the cluster object and select "Network Management".

Drop down "Get Interfaces" and select "Get Interfaces without Topology".

Define your new interface: Network Type (Cluster) and cluster IP address (192.168.200.1).

Select Modify under "Topology" and define the network accordingly (either "Network defined by interface IP and Net Mask", or an Anti-Spoofing Group as needed).

Publish and Install Policy.

On the GW, run cphaprob -a if (it should now show the new interface and cluster address).

5 Replies

Admin
The main issue is doing "Get Interfaces with Topology", if I recall correctly.
At least that's what I've seen reports on.
If you add the interfaces to the relevant objects and configure them manually, there shouldn't be any issue.

Contributor

Hi Mike,

Thanks for the reply.

Also, can you please suggest what rollback option should be followed to minimize the outage (if something goes wrong)? Reverting the installation history, or reverting the snapshot?

Thanks.


Small note:

You should only be careful with the cluster if you change the highest or lowest VLAN. The ClusterXL CCP packets are sent via this. If the VLAN is not configured correctly, ClusterXL problems may occur.
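As an added planning aid (not from the thread, and not a Check Point tool), the Python check below validates the member and cluster addresses against the planned subnet, flags when the new VLAN ID would become the lowest or highest tagged VLAN on the parent interface (the CCP caveat above), and prints the clish commands from the accepted answer for each member. The plan values and the list of existing VLAN IDs are constructed sample data.

```python
import ipaddress

# Constructed plan mirroring the thread's example: parent eth0, VLAN 200,
# subnet 192.168.200.0/24, members .2/.3, cluster VIP .1 (all sample values).
PLAN = {
    "parent": "eth0",
    "vlan_id": 200,
    "subnet": "192.168.200.0/24",
    "members": {"GW1": "192.168.200.2", "GW2": "192.168.200.3"},
    "cluster_vip": "192.168.200.1",
}
# Constructed: VLAN IDs already tagged on eth0 on both members.
EXISTING_VLANS = [100, 300]


def validate_plan(plan, existing_vlans):
    """Return a list of problems/warnings; an empty list means the plan is consistent."""
    issues = []
    net = ipaddress.ip_network(plan["subnet"])
    vid = plan["vlan_id"]
    if vid in existing_vlans:
        issues.append(f"VLAN {vid} already exists on {plan['parent']}")
    addrs = dict(plan["members"], cluster=plan["cluster_vip"])
    for name, a in addrs.items():
        ip = ipaddress.ip_address(a)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            issues.append(f"{name} address {a} is not a usable host in {net}")
    if len(set(addrs.values())) != len(addrs):
        issues.append("member and cluster addresses must be distinct")
    # CCP is carried on the lowest/highest VLAN, so a new VLAN outside the
    # current range changes which VLAN carries ClusterXL CCP.
    if existing_vlans and (vid < min(existing_vlans) or vid > max(existing_vlans)):
        issues.append(f"WARNING: VLAN {vid} becomes the lowest/highest VLAN on "
                      f"{plan['parent']}; CCP moves to it, verify with cphaprob -a if")
    return issues


def clish_commands(plan, member):
    """Gaia clish commands for one member, as shown in the accepted answer."""
    net = ipaddress.ip_network(plan["subnet"])
    sub = f"{plan['parent']}.{plan['vlan_id']}"
    return [
        f"add interface {plan['parent']} vlan {plan['vlan_id']}",
        f"set interface {sub} ipv4-address {plan['members'][member]} mask-length {net.prefixlen}",
        "save config",
    ]


if __name__ == "__main__":
    print("\n".join(validate_plan(PLAN, EXISTING_VLANS) or ["plan OK"]))
    print("\n".join(clish_commands(PLAN, "GW1")))
```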

Advisor

First I would delete the tagged interface from each GW. Inside the cluster object, just highlight the newly created interface and delete it. When removing an interface, I personally never get the topology (with or without); I just delete the interface I want removed, then install policy.