phlrnnr
Advisor

Using cluster object in access policy

When using a cluster object in the access policy, what exactly does it represent?  Does it represent all IPs on all interfaces of both cluster members plus virtual IPs for the cluster itself?  Or does it only represent a subset of these?

For example, if I had a firewall cluster with member A and member B configured with the following IPs:

Member A: eth1: 1.1.1.1, eth2: 2.2.2.1
Member B: eth1: 1.1.1.2, eth2: 2.2.2.2
Virtual IP: eth1: 1.1.1.3, eth2: 2.2.2.3

If I configured a rule allowing 10.1.1.1 --> Cluster_Object, ICMP

What would 10.1.1.1 be allowed to ping?

(Note: I am assuming that implied rules are not interfering with any of this)

2 Replies
PhoneBoy
Admin

I believe it’s just the main IP of the object (on general tab).

JozkoMrkvicka
Leader

In R77.30 all VIPs were matched.

In R80.30 only the Main IP in the Cluster Object is matched. If you need some interface VIP to be used, create a host object.

Kind regards,
Jozko Mrkvicka