This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wayne_Situ
Participant
‎2019-05-28 12:23 PM
Jump to solution

Sync interface IP assignment best practice

what is best practice to assign IPs to sync interface?  

we are using rfc1918 IPs with /30 for sync interfaces.  recently we discovered this problem.  the IPs that we are using are also used on the network.  when traffic to these destinations hits the firewall it promptly drops the packets due to the stealth rule and also the route is learned as connected.  is there anyway we can exclude the sync interface from advertised?  or do i need to re-ip all of my firewalls sync to use ip such as 127.0.0.0/30?  thanks

 

C 192.168.80.0/30 is directly connected, eth3-01 Sync

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-06-03 10:08 AM
In response to Wayne_Situ
Jump to solution

If your sync IPs are in use elsewhere in your environment, you will need to change your sync IPs.
They should be unique to the cluster and not in use anywhere else in your environment.

View solution in original post

4 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-05-29 01:24 AM
Jump to solution

See ClusterXL Administration Guide R80.20:

We recommend that you secure the synchronization interfaces using one of the following strategies: 

• Use a dedicated synchronization network. 

• Connecting the physical network interfaces of the Cluster Members directly using a cross-cable. In a cluster with three or more members, use a dedicated hub or switch. 

Notes: 

• See Supported Topologies for Synchronization Network (on page 26). 

• You can synchronize members across a WAN. To do this, do the steps in Synchronizing Clusters on a WAN (on page 54). 

• In ClusterXL, the synchronization network is supported on the lowest VLAN tag of a VLAN interface. For example, if three VLANs with tags 10, 20 and 30 are configured on interface eth1, only interface eth1.10 may be used for synchronization. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Wayne_Situ
Participant
‎2019-05-29 04:54 PM
In response to G_W_Albrecht
Jump to solution

sorry if I wasn't clear with my question.  

I want to know what is the best practice of IP assignment to the Sync interface.  I am using 192.168.80.1 and 192.168.80.2 for the firewalls with /30 mask.  this is a private range and I never thought it would cause a problem until I find out there is an actual system using the same IP.  so when the packet arrived at the firewall, the firewall see the destination as directly connected.  it drops the packet.  from the firewall's route table perspective I never thought the crossover cable for the Sync interface would be advertised.  but it is and it's a problem.

question is do I need to re-ip the sync interfaces?  or my preference is how to stop the sync interface IPs being advertised?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-06-03 10:08 AM
In response to Wayne_Situ
Jump to solution

If your sync IPs are in use elsewhere in your environment, you will need to change your sync IPs.
They should be unique to the cluster and not in use anywhere else in your environment.
Maarten_Sjouw
Champion
Champion
‎2019-06-03 11:20 AM
In response to Wayne_Situ
Jump to solution

There is a range of IP's that will not be routed anywhere and should only be used for network connections, this is the 100.64.0.0-100.127.255.255 range, also called the ISP range.
IP's from this range will not interfere with anything else and are growing in popularity for this kind of use.
Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events