This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FortiFan
Explorer
‎2024-09-03 10:46 PM

No VMAC address on cluster interface

Hi Everyone

I've created a new interface with the Cluster Network Type in a ClusterXL environment, but the virtual IP doesn't have a MAC address, so the clients connected to that network can't talk to anything outside of their VLAN, as the virtual IP is their standard gateway. They can however reach the member IP's that are configured on the two cluster members. 

I've run the command "cphaprob -a if" on the CLI and I don't see the interface that I created there.

I've created the interfaces on the two appliances on the gaia Web GUI and then created the interface for the virtual IP on the SmartConsole, and then I installed a policy on the device. 

I hope my post makes sense, as it's the first time in my career working with Checkpoint.

Can someone guide me a little on how to find out what I did wrong? 

Thanks. 

0 Kudos
2 Replies
Bob_Zimmerman
Authority
Authority
‎2024-09-04 06:56 AM

First, a note. Check Point clustering doesn't involve virtual MAC addresses by default. The VIPs resolve to the real MAC address of the active member's interface. You can enable a shared virtual MAC by opening your cluster object, going to "ClusterXL and VRRP", and checking the box "Use Virtual MAC". With the way Check Point's clustering works, this normally is not necessary.

The fact the interface doesn't show up in 'cphaprob -a if' means something is wrong with the interface config. It sounds like you've taken the right steps to build the cluster interface, but I suspect the interface name doesn't match the interfaces on the firewall. In SmartConsole, open your cluster object, go to "Network Management", open the cluster interface you made, and go to the Advanced section. Look at "Interfaces Names" at the bottom. The name there needs to match the name of the interface as seen on the firewall command line. I believe it's even case-sensitive.

0 Kudos
FortiFan
Explorer
‎2024-09-05 12:25 AM
In response to Bob_Zimmerman

Thank you for your reply. Everything looked fine when another colleague and I looked at it, so I don't really know what I did wrong. I've deleted all the interfaces and created them again and it works now.

What I've not mentioned that could've interferred is that I've configured a DHCP Relay on member interfaces and instead of leaving the primary interface blank, I've put the IP address of the interface in the field. I've deleted it now and it says Primary Address (automatic) and everything works as expected.  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top