Hi,
Could a firewall that is connected to different segments have a different monitoring preference per interface?
So for example, if there is a failure in a segment that is not very important, I would like the cluster to failover if it is necessary.
But if there is a second failure on a segment that is more important, I would like the cluster to failover again if it was necessary because that segment is more important.
Monitored interfaces don't suit this scenario because I need the cluster virtual IP.
$FWDIR/conf/discntd.if could work, so I can exclude the less important segment from monitoring. However, I have read that $FWDIR/conf/discntd.if is not relevant in versions above R77.20.
Thanks.
Luis
All ClusterXL HA interfaces defined as "Cluster" where a Cluster/Virtual IP is being presented have essentially equal priority. The ClusterXL HA cluster member with the most working interfaces will "win" via CCP and go active. You can define an interface as Private and therefore non-monitored, but I don't think there is any way to present a Cluster/Virtual IP on an interface defined that way. You might be able to play some games with proxy ARP on the Private interface though.
Your request can be done with VRRP however using different priority deltas. For a non-critical interface define a low priority delta that upon failure will not degrade the effective priority of the Master below the base priority of the Backup. However if another interface now fails on the Master, that interface's priority delta will be enough to drop the effective priority of the Master below the base priority of the Backup, and a full failover will occur (assuming you have set up monitored circuits correctly).
Generally I try to avoid VRRP in favor of ClusterXL though; with VRRP it is way too easy to cause split-brains and routing black holes if everything is not set up 100% correctly.
--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
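The priority-delta arithmetic described in the reply above, as an added example that is not part of the thread or any Check Point tooling. It is a simplified model: the Backup is assumed healthy at its base priority, failover means the Master's effective priority falls below that base, and the interface names, priorities, deltas and the "any critical interface down must fail over" policy are constructed assumptions.

```python
from itertools import combinations

def effective_priority(base, deltas, failed):
    """Base priority minus the priority delta of every failed monitored interface."""
    return base - sum(deltas[name] for name in failed)

def failure_sets(deltas):
    """Yield every non-empty combination of failed interfaces."""
    names = sorted(deltas)
    for n in range(1, len(names) + 1):
        for combo in combinations(names, n):
            yield frozenset(combo)

def check_design(master_base, backup_base, deltas, critical):
    """Return the failure combinations where the deltas break the intended policy:
    non-critical failures alone must not fail over, any critical failure must."""
    problems = []
    for failed in failure_sets(deltas):
        fails_over = effective_priority(master_base, deltas, failed) < backup_base
        has_critical = bool(failed & critical)
        label = "+".join(sorted(failed))
        if fails_over and not has_critical:
            problems.append(f"{label}: failover with only non-critical interfaces down")
        elif has_critical and not fails_over:
            problems.append(f"{label}: critical interface down but no failover")
    return problems

# Constructed sample values (not taken from any real configuration).
MASTER_BASE, BACKUP_BASE = 100, 95
GOOD = {"eth1": 10, "eth2": 10, "eth3": 3}   # eth3 is the only non-critical interface
GOOD_CRITICAL = frozenset({"eth1", "eth2"})
BAD = {"eth1": 10, "eth2": 3, "eth3": 3}     # two small deltas add up past the margin
BAD_CRITICAL = frozenset({"eth1"})

if __name__ == "__main__":
    for name, deltas, crit in (("good", GOOD, GOOD_CRITICAL), ("bad", BAD, BAD_CRITICAL)):
        print(name, check_design(MASTER_BASE, BACKUP_BASE, deltas, crit) or "ok")
```

The second configuration shows the cumulative case: each non-critical delta is safe on its own, but two of them failing together still push the Master below the Backup.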
And what about $FWDIR/conf/discntd.if? Does it work in R80.20?
And would it make sense to run a cluster interface (added to $FWDIR/conf/discntd.if) with the purpose of avoiding HA states changes due to changes in that cluster interface? Just wondering if there is any drawback in adding interfaces to $FWDIR/conf/discntd.if that I can't foresee.
I don't think discntd.if is supported any more in R77.30 and later, since an interface can just be defined as "Private" in the SmartConsole which is basically the same thing. Also if the interface does not appear in the Cluster topology at all (but is defined in the Gaia OS) ClusterXL will just ignore it in R77.30+. I don't think creating the discntd.if file will have any effect but you are welcome to try.
--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
I suppose the difference is that discntd.if would allow me to have a non-monitored cluster interface vs the private interface that wouldn't allow me to have a virtual IP.
In Next Generation Security Gateway Guide R80.20 p.22, the discntd.if file is used to implement Mirror and Decrypt in Gateway mode - so it is still used...
Ok, thanks. It sounds good.
Next Generation Security Gateway Guide R80.20 also does explain changing the discntd.if file in VSX environment...