NicolaiNielsen
Explorer

Setup Cluster HA with 1 WAN IP


Hi All,

I'm new to Checkpoint and I've been trying to learn how to set it up.
I'm trying to set up a cluster for High Availability, but I can't seem to find definite proof that my topology is possible with how Checkpoint works.

Is it possible to have the same single WAN IP on the WAN interface of both the Firewalls?
Or do I need to make VIP on the WAN interfaces as well?

I only have 1 WAN IP from my ISP.

The IP addresses in the attached picture are purely fantasy, not my real ones.


Kind Regards,

Nicolai


5 Replies
_Val_
Admin

Yes, you can use a cluster with the VIP being on a different IP network than the actual physical interfaces.

Download the ClusterXL Admin Guide for your version and look for the "Cluster IP Addresses on Different Subnets" part in it for details.

NicolaiNielsen
Explorer

Hi Val,

I have looked at that, but the VIP needs to be pushed from the MGMT server.
But the MGMT server is external.
As the firewalls don't have internet access until the VIP is configured, I cannot push the VIP from the MGMT server?
It's contradictory.


Kind Regards,

Nicolai

Wolfgang
Leader

Your management must reach both gateways, via internal or external interfaces. If not, you can't install policy.

That's a limitation if you use private IPs on a different subnet for the physical cluster interfaces.

Have a look at Configuring Cluster Addresses on Different Subnets, section 4, Important notes:

  • It is not possible to manage the Cluster over the Internet when the IP addresses of its members and the VIP address are configured on different subnets.
    In such configuration, the IP addresses of cluster members are supposed to be configured with private IP addresses (RFC 1918), and only one Cluster VIP address is supposed to be public.
    Private IP addresses (RFC 1918) are not allowed over the Internet.
    As a result, communication from the external Management Server to the private IP addresses of the physical cluster members will not be possible over the Internet for services such as SIC.

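To make the limitation above concrete, here is a small planning check (added example, not from the thread or from Check Point): given the Management Server's interface and the member interfaces it would talk to, it reports whether SIC and policy install can reach every member. The addresses are constructed from RFC 5737 documentation ranges; the function and plan names are mine.

```python
import ipaddress
from typing import Dict

# RFC 1918 ranges; traffic to these is not routed over the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def mgmt_can_reach(mgmt_if: str, member_if: str) -> bool:
    """Can the Management Server reach one member's physical interface
    (the target of SIC and policy install)?  A directly attached subnet is
    fine; across the Internet both ends must be non-RFC 1918 addresses."""
    mgmt = ipaddress.ip_interface(mgmt_if)
    member = ipaddress.ip_interface(member_if)
    if member.ip in mgmt.network:
        return True
    return not (is_rfc1918(mgmt.ip) or is_rfc1918(member.ip))


def check_plan(mgmt_if: str, members: Dict[str, str]) -> dict:
    """Evaluate an addressing plan.  The VIP never matters here: SIC and
    policy install go to each member's own address, so every member must
    be reachable from management for the cluster to be manageable."""
    per_member = {name: mgmt_can_reach(mgmt_if, m) for name, m in members.items()}
    return {"members": per_member, "manageable": all(per_member.values())}


# Constructed sample plans (RFC 5737 documentation ranges, not real addresses).
# 'members' lists the member interface that faces the Management Server.
PLANS = {
    # The question's setup: external management, private member addresses.
    "one_public_ip_external_mgmt": ("203.0.113.10/24",
        {"fw1": "192.168.100.1/24", "fw2": "192.168.100.2/24"}),
    # Management Server on the LAN behind the cluster.
    "internal_mgmt": ("192.168.100.50/24",
        {"fw1": "192.168.100.1/24", "fw2": "192.168.100.2/24"}),
    # Three public addresses from the ISP: two members plus the VIP.
    "three_public_ips_external_mgmt": ("203.0.113.10/24",
        {"fw1": "198.51.100.2/29", "fw2": "198.51.100.3/29"}),
}

if __name__ == "__main__":
    for name, (mgmt_if, members) in PLANS.items():
        print(f"{name}: {check_plan(mgmt_if, members)}")
```

Only the first plan comes out as not manageable, which is exactly the case the quoted note describes.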

_Val_
Admin

@NicolaiNielsen, what he says👆🏻

NicolaiNielsen
Explorer

Hi Wolfgang and Val,

Thanks for the answer.

Because of the limitations, I will make a note to either plan on having the MGMT server internally behind the cluster, and/or, if the MGMT is external, I will need at least 3 WAN IPs at the remote site.
