Robert135242
Explorer

Management-Server: Additional NIC or VSX-Cluster?

Hi,

We have a setup of:
- 1 Management-Server
- 2-Node HA-Cluster
- Management-Network /29 size (don't ask...)
  - 1.1.1.1: Cluster IP
  - 1.1.1.2: Node 1
  - 1.1.1.3: Node 2
  - 1.1.1.4: Management-Server

Obviously this leaves two IP addresses unused within the subnet. I have added a drawing to show the setup.

Now the situation is:
We need to add a 2-Node VSX-Cluster, which will be managed by the existing Management-Server. Since there are only two IP addresses left in the /29, we have patched an additional NIC and given the Management-Server an additional IP address (2.2.2.6/28), in order to manage the VSX-Cluster via this additional network.

My question:
IMHO there are two options to proceed:

  1. Go with the setup described above. This is also shown in the drawing (blue color is "new"). Has anybody done this setup and are there any caveats? As far as I remember, Check Point recommends having a single Management-network that contains all CP appliances.

  2. Resize the existing /29 to a /28, which could be done with little effort, since the second half of the future /28 only contains iDRAC cards, which could be migrated easily into a new IP space.

Thank you very much in advance, appreciate your help!

3 Replies
_Val_
Admin

The main issue that I see with the proposed setup is that you might cut off the VSX cluster from MGMT if the wrong policy is installed on the HA cluster, routing from Net 1 to Net 2.

I would indeed recommend extending the MGMT subnet to accommodate the new VSX cluster management IPs as an alternative.

 

Robert135242
Explorer

But the VSX Cluster is directly connected to the network (2.2.2.0/28) to which the management-server is also directly connected. So in theory, this should not be a routing/policy issue?

Vincent_Bacher
Advisor

You could perhaps cobble something together, but like Val, I would prefer to expand the management network and configure a clean setup instead of living with some makeshift crutches.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite