Markus_Marquard
Contributor

R80.10 VRRP cluster: To hide or not to hide members ip?

Hi,

While troubleshooting a connectivity issue from a Gateway to the Check Point update server on an R80.10 VRRP cluster standby member, it came to my attention that even the standby Security Gateway in a VRRP cluster is using the cluster IP address to open outgoing connections, e.g. to open a connection to https://usercenter.checkpoint.com/ (seen by using tcpdump on the Gateway).

I believe this may be correct, because the option "Hide Cluster Members outgoing traffic behind IP address" is checked in the cluster properties.

However, I wonder how this can work, because the next hop (the internet router) cannot know how to route the traffic back properly. If the reply comes back from the internet, its destination will be the cluster IP address, so it would be routed to the active cluster member, not to the standby member where the connection originated.

What is the recommendation for this option: enable or disable it? The documentation is quite sparse; some SKs state that it should be enabled in a specific case, others state that it should be disabled.

In our environment, we have Identity Awareness rolled out, using Identity Agent, and sharing identities between all Gateways.

So what would be the pros and cons in this case for this option?

Thanks

Markus

3 Replies
Daniel_Taney
Advisor

This may not exactly answer your question, but if you have this option enabled already, I'd be careful about just turning it off.

I believe if you disable this option, you will need Manual or Automatic NAT rules created for all traffic that needs to get out to the Internet. This can be very beneficial if you want 100% total granular control over what can or can't get out to the Internet. However, if your NAT policy isn't structured that way already, you may experience some unintended side effects by turning it off.

I haven't used VRRP as a clustering option in Gaia, but I assume the Standby member works because its outbound traffic is being NAT'd behind the active gateway the same way any other traffic destined for the Internet on your network does.

R80 CCSA / CCSE
Maarten_Sjouw
Champion

This option has been there in VRRP configured clusters for many years, and we always turn it off, exactly because of the issue you describe: each gateway needs to collect updates and needs to be able to independently get to the address it wants to access.

There is no impact from turning the option off, other than that it will all of a sudden start to work.

Regards, Maarten
AlekseiShelepov
Advisor
