This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2022-11-28 09:51 AM
Jump to solution

Can I achieve below topology?

Hi All,

I have R81 cluster firewall and now the requirement came up to configure and terminate another MPLS link. However due to the interface connector constraint where the link is delivered is a 5Gb/s link and I do not have 10Gb/s NIC. Hence we decide the terminate the link on one firewall and keep that interface at private.

So my topology is

FW1

cluster :

VIP10.10.10.10

VIP 10.10.20.10

 

FW1 

eth0 10.10.10.20

eth1 10.10.20.20

Sync 10.10.30.20

eth2 10.10.40.20

 

Fw2

eth0 10.10.10.30

eth1 10.10.20.30

Sync 10.10.30.10

 

So on firewall 1 10.10.40.20 is a Private interface configured and my next router is 10.10.40.50 on which I need to configure the BGP peering. I noticed that my peering is not coming up. Can someone please confirm if this topology will work? I mean if the firewalls are in cluster and if I need to use one interface which is not a part of cluster; will it be able to route the traffic?

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-11-29 01:50 AM
In response to Blason_R
Jump to solution

Please refer sk116815, unfortunately such configuration is unsupported.

CCSM R77/R80/ELITE

View solution in original post

10 Replies
PhoneBoy
Admin
Admin
‎2022-11-28 05:15 PM
Jump to solution

Did you mark eth2 as unmonitored/private in the cluster object?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2022-11-28 05:59 PM
Jump to solution

I read your post and phoneboy brought up very good point. Eth2, based on what you wrote, would be marked as private (NON clustered) interface in this scenario, so to answer your question, yes, it would be possible.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Oliver_Fink
Advisor
Advisor
‎2022-11-29 12:37 AM
Jump to solution

As far as I understand the situation, interface eth2 will be able to route traffic as long as FW1 ist the active one. With FW2 active, the traffic from eth0 and eth1 will not reach eth2 on FW1.

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-11-29 12:42 AM
In response to Oliver_Fink
Jump to solution

Hi Team,

 

I tested this scenario in my lab and unfortunately the BGP peering was not coming up at all on that non-monitored interface. I tried all the things but this not coming up. I then again for testing purpose created a cluster on that interface and it immediately came up. I guess once the cluster is defined checkpoint was not accepting a traffic on non-monitored interface. 

 

I removed the cluster from that interface and peering is lost for sure.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Oliver_Fink
Advisor
Advisor
‎2022-11-29 01:00 AM
In response to Blason_R
Jump to solution

You want to use this private interface for setting BGP routing for the cluster? I do not think it would work on a private interface. One question is: How should the other node get this routing information?

Or am I misunderstanding something completely?

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-11-29 01:35 AM
In response to Oliver_Fink
Jump to solution

Yes - BGP peering is configured on private interface and peering was not coming up unless and until that interface is added as part of cluster. Other node is fine in case of failure - I can adjust on it and understood in case of failure traffic will not be failed over.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-11-29 01:50 AM
In response to Blason_R
Jump to solution

Please refer sk116815, unfortunately such configuration is unsupported.

CCSM R77/R80/ELITE
Oliver_Fink
Advisor
Advisor
‎2022-11-29 02:27 AM
In response to Chris_Atkinson
Jump to solution

That was what I expected. Thanks for the SK – which reads:

RouteD daemon does not allow the Dynamic Routing protocols to initialize on non-Cluster interfaces.

That makes some sense to me.

0 Kudos
Alex-
MVP Silver
MVP Silver
‎2022-11-29 02:56 AM
In response to Blason_R
Jump to solution

You could use R81.10 which supports a loopback in ClusterXL for dynamic protocols.

 

What's New in R81.10

Clustering

  • Use a loopback interface with Dynamic Routing in ClusterXL environments.
0 Kudos
Sorin_Gogean
Advisor
‎2022-11-29 05:51 AM
Jump to solution

Hello,

 

My 2 cents on the topic, since you don't have enough 10Gb ports on the cluster members, why aren't you using some Access switches (a cluster for redundancy) to extend the ports and create Vlans over bundled 10Gb members interfaces? 

Then you can terminate as many connections to the Access switch and you can overcome the limitations of the lack of ports. 

In our environment we have bundled two 10Gb towards the LAN side and two 10Gb towards the WAN side.

On the WAN bundle interface, we have subinterfaces/vlans used accordingly... 

 

Thank you,

PS: for redundancy/high availability, don't terminate things into single ports - my take here.....

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events