SriNarasimha005
Collaborator

Firewall Management Traffic via Cluster VIP

Hi There,

We have Check Point firewalls running in a 'staging' phase on R81.20 Take 98. When the firewall initiates a connection from the Management interface (Syslog/Authentication server), we observed that it gets changed to the Cluster VIP IP address.

This applies to both firewalls running in Active/Standby, and it causes issues with the authentication server because the VIP IP isn't part of the device admin in the RADIUS server.

I don't have any Hide NAT configured to support this configuration.

Can someone please assist on this matter? Thank you.

5 Replies
G_W_Albrecht
MVP Silver

Open a SR# with CP TAC to get this resolved asap! Your post does not help at all to suggest anything...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Martijn
Advisor

Hi,

Please check sk31832 - How to prevent a ClusterXL or VRRP Cluster hiding its own traffic behind its Virtual IP ad...

On the management server make changes to $FWDIR/lib/table.def and push policy.

Regards,
Martijn

SriNarasimha005
Collaborator

Hi @Martijn 

Apologies for the late reply.

From the given SK article, I believe it's a default behaviour for the standby firewall to hide behind the VIP when connections are initiated from the member itself.

Also, as given in the provided SK article, it's been suggested not to add 443 as it might negatively impact the VPN tunnel initiation.

With that said, I assume that the standby firewall is able to reach the Internet/CP portal for AV updates via the active firewall, which is holding the VIP.

Is my understanding correct?

Note: I've placed a NO-NAT rule from the firewall to the destination which didn't resolve this issue.

Martijn
Advisor

Hi,

Hide behind cluster IP is default behaviour and the NO-NAT rule will not help. You have to edit table.def if you want the appliances to behave differently.

I mostly use it for traffic like DNS, RADIUS or SecurID. Most of the time this was OK for the standby member to get updates.

You can check with curl_cli from the standby member:

# curl_cli -v -k https://updates.checkpoint.com

Regards,
Martijn

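As an added illustration of the table.def edit described in the reply above (constructed here, not taken from the thread or from sk31832), this is what a no_hide_services_ports line covering the services discussed in this thread (RADIUS, syslog, DNS) could look like. Each entry is <port, IP protocol number> (17 = UDP, 6 = TCP); the port numbers are the standard ones and are an assumption, so match them to your own RADIUS and syslog server configuration.

```text
// $FWDIR/lib/table.def on the management server (constructed example)
// Entries are <port, ip-protocol>: 17 = UDP, 6 = TCP.
// Keep whatever entries are already present in your file and add these to them;
// 443 is deliberately NOT listed, per the warning in sk31832 about VPN tunnel initiation.
// 1812/1813 udp = RADIUS authentication/accounting (assumed ports)
// 514 udp        = syslog (assumed port)
// 53 udp/tcp     = DNS
no_hide_services_ports = { <1812,17>, <1813,17>, <514,17>, <53,17>, <53,6> };
```

The file lives on the management server, so after saving it you must install policy; the setting then applies to every gateway that receives policy from that management server, not only to one cluster.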
SriNarasimha005
Collaborator

Hi

Thanks for the reply.

As checked in the given SK article, I believe this is configured using specific ports (DNS, Radius) which is applicable for all the firewalls hosted in that CMA.

no_hide_services_ports = { <PORT_1,PROTOCOL_1>, <PORT_2,PROTOCOL_2>, ..., <PORT_N,PROTOCOL_N> };

Is there any way we can restrict/modify the file only for specific firewalls?
