This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NicolaiNielsen
Explorer
‎2021-05-27 05:17 AM
Jump to solution

Setup Cluster HA with 1 WAN IP

Hi All,

I'm new to Checkpoint and I've been trying to learn how to setup.
I'm trying to setup a Cluster for High Availability, but I can't seem to find definite proof that my topoligy is possible with how Checkpoint works.

Is it possible to have the same single WAN IP on the WAN interface of both the Firewalls?
Or do I need to make VIP on the WAN interfaces as well?

I only have 1 WAN IP from my ISP.

The IP addresses on the picture attached is purely fantasy. Not my real ones.

 

Kind Regards,

Nicolai

Preview file
25 KB
0 Kudos
1 Solution

Accepted Solutions
Wolfgang
MVP Gold
MVP Gold
‎2021-05-28 06:28 AM
In response to NicolaiNielsen
Jump to solution

Your management must reach both gateways, via internal or external interfaces. If not you can't install policy.

That's a limititation if you use private IPs on different subnet for the physical cluster interfaces.

Have a look at Configuring Cluster Addresses on Different Subnets section 4. important notes:

  • It is not possible to manage over the Internet the Cluster when IP addresses Addresses of its members and the VIP address are configured on different subnets.
    In such configuration, the IP addresses of cluster members are supposed to be configured with private IP addresses (RFC 1918), and only one Cluster VIP address is supposed to be public.
    Private IP addresses (RFC 1918) are not allowed over the Internet.
    As a result, communication from the external Management Server to the private IP addresses of the physical cluster members will not be possible over the Internet for services such as SIC.

View solution in original post

7 Replies
_Val_
Admin
Admin
‎2021-05-27 05:55 AM
Jump to solution

Yes you can use a cluster with VIP being on a different IP network than the actual physical interfaces.

Download ClusterXL Admin guide for your version and look for "Cluster IP Addresses on Different Subnets" part in it for details.

0 Kudos
NicolaiNielsen
Explorer
‎2021-05-28 05:48 AM
In response to _Val_
Jump to solution

Hi Val,

I have looked at that, but the VIP needs to be pushed from MGMT server.
But the MGMT server is externally.
As the Firewalls doesn't have internet access until the VIP is configured, then I cannot push the VIP from MGMT server?
It's contradicting.

 

Kind Regards,

Nicolai

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2021-05-28 06:28 AM
In response to NicolaiNielsen
Jump to solution

Your management must reach both gateways, via internal or external interfaces. If not you can't install policy.

That's a limititation if you use private IPs on different subnet for the physical cluster interfaces.

Have a look at Configuring Cluster Addresses on Different Subnets section 4. important notes:

  • It is not possible to manage over the Internet the Cluster when IP addresses Addresses of its members and the VIP address are configured on different subnets.
    In such configuration, the IP addresses of cluster members are supposed to be configured with private IP addresses (RFC 1918), and only one Cluster VIP address is supposed to be public.
    Private IP addresses (RFC 1918) are not allowed over the Internet.
    As a result, communication from the external Management Server to the private IP addresses of the physical cluster members will not be possible over the Internet for services such as SIC.

_Val_
Admin
Admin
‎2021-05-31 01:02 AM
In response to Wolfgang
Jump to solution

@NicolaiNielsen, what he says👆🏻

0 Kudos
NicolaiNielsen
Explorer
‎2021-05-31 03:00 AM
In response to Wolfgang
Jump to solution

Hi Wolfgang and Val,

Thanks for the answer.

Because of the limitations, I will make a note that either plan with having the MGMT server internally behind the cluster and/or if the MGMT is externally, I will need at least 3 WAN IP's on the remote site.

0 Kudos
max71
Participant
‎2023-03-24 03:51 AM
In response to Wolfgang
Jump to solution

Hi Wolfgang, i'm reading in detail the doc as you mention, in external ip address of both chk members i put 10.80.100.1 and 10.80.100.2 end as VIP my public ip address.

The main problem is that as soon as i try to reach internet seems that the checkpoint do not perform a correct match from internal to external network ... 

if i put 3 public ip address without change the config everithing working correctly.

have you some suggest for me to solve my issues ?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-24 12:51 PM
In response to Wolfgang
Jump to solution

Interestingly enough, in R82, this limitation should be removed when ElasticXL is implemented and all communication happens through an SMO.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events