Martijn (Advisor)

Domain Server tries to contact VS on a VSX cluster

Hi all,

We have a customer with Multi Domain and VSX. The first Domain Server is managing the VSX clusters (VS0) while the other Domain Servers are managing the virtual systems within those security domains. These virtual systems are created on several VSX clusters. This all works great and no problem there.

But taking a closer look at the logs, we can see the Domain Servers are trying to reach the virtual firewalls for the Check Point management services like CPD_AMON. There is no route between these virtual firewalls and the subnet in which the Domain Servers are located. There is no need for one, because all (policy install, logging, monitoring) is done via VS0. And this is the power of Multi Domain and VSX.

I can understand the Domain Server is 'unaware' of MDM and does not 'know' the firewall it manages is a virtual system on a VSX cluster. It is just doing what it is supposed to do: monitoring the gateway.

Is there a way to change this behaviour? As I said, all is working, but the logs are filled with these log entries.

Thanks.

Martijn

6 Replies

Kaspars_Zibarts (Employee)

Just to confirm, as the description is a bit fuzzy :) you are seeing traffic from the CMA that manages VSX (VS0) to the actual VS(x)?

Vladimir (Champion)

I am just curious as to why would you want to change this behavior?

Since DMSs are managing their respective VSs, I would expect to see the traffic you are describing addressing them directly. Even in the absence of the routing to a particular VS, there has got to be internal logic that correctly attributes traffic to the proper target VS, perhaps simply omitting internal management network IPs.

In the absence of this data, what would you expect to see in the logs: management traffic addressed to VS0 with no identifiable target? 

Martijn (Advisor)

Hi,

The Multi Domain Servers and the VSX clusters (VS0) are located in a firewall management network.

This firewall management network is protected by a non-VSX cluster. This cluster is the default gateway of the Multi Domain servers.

There is no route from the Domain Servers to the virtual systems. Not even physically.

So every time a Domain Server tries to contact a virtual system on the VSX clusters, it is sent via the default gateway and is dropped by this non-VSX cluster securing the firewall management network.

So the traffic is not dropped by a virtual system (VS0 or any other virtual system) but by a completely different non-VSX cluster. So internal logic is not relevant here.

All is working and Monitor is showing all VSs OK within the Domain Servers. Policy installs, logging, it all works. So there is no need for the Domain Server to contact the VSs this way.

I have added a simple network drawing.

The MDM servers and VSX clusters (VS0) are located in network 1.2.3.0/24. The Multi Domain server is 1.2.3.1 and the Domain Server managing VS1 is 1.2.3.2.

The default gateway for the VSX clusters and Multi Domain servers is 1.2.3.254, the non-VSX cluster.

VS1 is created in a VSX cluster with IP-addresses 2.3.4.5 and 6.7.8.9. Let's say 2.3.4.5 is the main address.

In the non-VSX cluster 1.2.3.254 we can see packets being dropped from 1.2.3.2 to 2.3.4.5 for Check Point services.

[Network drawing: Simple Setup]

Regards,

Martijn

Kaspars_Zibarts (Employee)

I got intrigued :) I checked my MDS/VSX and found that only two out of seven VSes had the same symptoms (VS CMA connecting to VS on 18192). Logs were at certain set intervals, looked like 2 hrs. Then I compared it to another CMA: again only one VS out of two had the same. I can say with 100% certainty that only R80.10 VSX had the symptoms. R76SP50 VSX didn't :) And it didn't matter what blades were enabled on the gateways; that fact did not seem to correlate at all.

So R80.x is trying to do some extra work there. I could always check the CPD logs and see if I can match timestamps, as we allow this traffic.

Vladimir (Champion)
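The two posts above describe the same pattern from two angles: drops on the non-VSX cluster from the Domain Server (1.2.3.2) towards VS1's addresses (2.3.4.5 / 6.7.8.9) on Check Point management ports, recurring at fixed intervals of roughly two hours. The following script is an added example (not from this thread, not Check Point code) showing how a defender can triage such drop logs: it separates the expected Domain Server to VS polling noise from any other drop that hits the same VS addresses and deserves a look. The log line format and field names are constructed for the example; the addresses follow the thread; the port-to-service table uses documented Check Point management ports (257 FW1_log, 18190 CPMI, 18191 CPD, 18192 CPD_AMON).

```python
"""Triage of drop logs on the non-VSX cluster protecting a firewall
management network: separate the expected Domain Server -> VS polling
noise (Check Point management ports) from anything else."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Documented Check Point management ports and their service names.
CP_MGMT_PORTS = {257: "FW1_log", 18190: "CPMI", 18191: "CPD", 18192: "CPD_AMON"}

# Constructed sample export: one drop record per line, key=value fields.
# Field names are an assumption for this example, not a real log schema.
# 1.2.3.2 = Domain Server, 2.3.4.5 and 6.7.8.9 = VS1 (as in the thread).
SAMPLE_LOG = """\
2019-03-04 08:02:11 action=drop src=1.2.3.2 dst=2.3.4.5 dport=18192 proto=tcp
2019-03-04 08:02:11 action=drop src=1.2.3.2 dst=6.7.8.9 dport=18192 proto=tcp
2019-03-04 10:02:13 action=drop src=1.2.3.2 dst=2.3.4.5 dport=18192 proto=tcp
2019-03-04 12:02:10 action=drop src=1.2.3.2 dst=2.3.4.5 dport=18192 proto=tcp
2019-03-04 14:02:12 action=drop src=1.2.3.2 dst=2.3.4.5 dport=18192 proto=tcp
2019-03-04 11:47:03 action=drop src=10.9.8.7 dst=2.3.4.5 dport=22 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.*)$")


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fields["dport"] = int(fields["dport"])
        records.append(fields)
    return records


def triage_drops(records, domain_servers, vs_addresses):
    """Split drop records into expected management polling and the rest.

    Returns (expected, unexpected): expected maps (src, dst, service) to
    {"count", "interval_min"} where interval_min is the median gap between
    consecutive drops (None if there is only one); unexpected is the list
    of drop records that are not Domain Server -> VS on a management port.
    """
    groups = defaultdict(list)
    unexpected = []
    for r in records:
        if r["action"].lower() != "drop":
            continue
        service = CP_MGMT_PORTS.get(r["dport"])
        if r["src"] in domain_servers and r["dst"] in vs_addresses and service:
            groups[(r["src"], r["dst"], service)].append(r["ts"])
        else:
            unexpected.append(r)

    expected = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        expected[key] = {
            "count": len(stamps),
            "interval_min": round(median(gaps)) if gaps else None,
        }
    return expected, unexpected


if __name__ == "__main__":
    exp, unexp = triage_drops(parse_log(SAMPLE_LOG), {"1.2.3.2"}, {"2.3.4.5", "6.7.8.9"})
    for (src, dst, svc), info in sorted(exp.items()):
        print(f"expected  {src} -> {dst} {svc}: {info['count']} drops, "
              f"median interval {info['interval_min']} min")
    for r in unexp:
        print(f"REVIEW    {r['src']} -> {r['dst']} dport {r['dport']} at {r['ts']}")
```

Run against a real export, the "expected" table confirms the behaviour the thread describes (fixed-interval CPD_AMON polling from the Domain Server to each VS address), which is what you would use to justify a dedicated drop rule with logging turned off for exactly those source/destination/service tuples, while anything in the "REVIEW" list still gets normal attention.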

OK. I am closer to comprehending the problem.

Can you take a look at the ARP table on your default gateway and check if there are references to VS1 IPs?

Do the same on your MDS please.

Martijn (Advisor)

Hi all,

Thanks for responding to my posts.

I do not have access to the site (we are the reseller) at the moment, so I cannot check ARP entries.

But I will ask my customer to check.

Good to see others seeing the same on their R80.x VSX clusters. I never noticed it in R77.x.

Regards,

Martijn
