This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Boris_Uskov
Participant
‎2018-04-26 07:04 AM

VSX High Availability + OSPF

Hello, team.

I'm trying to configure ospf on VSX Cluster in HA mode.

I need to make OSPF adjacency with external system over Wrap link and checkpoint virtual switch.

GAIA version is r77.30.

The problem is that it seems, that OSPF process does not go up on wrp interface.

My configuration:

GW01:0> show configuration ospf
show instance 0 configuration ospf
set ospf area backbone on
set ospf interface wrp2 area backbone on
set ospf interface wrp2 priority 1
set ospf area backbone range 10.4.126.0/29 on

--------------------------------

GW01:0> show ospf
show instance 0 ospf

OSPF Router with ID 10.10.10.1 Instance default

SPF schedule delay: 2 secs
Hold time between two SPFs: 5 secs
Number of Areas in this router: 1
Normal: 1 Stub: 0 NSSA: 0
RFC1583 compability mode is on
Number of Virtual Links in this router: 0
Number of UpEvents: 0 Number of DownEvents: 0
Default ASE Cost: 1
Default ASE Type: 1

Area: 0.0.0.0

Number of Interfaces in this area: 0
Number of ABRs: 0 Number of ASBRs: 0
Number of times SPF Algorithm executed: 1
Area ranges are:
10.4.126.0/29 Advertise,Passive
No Area Stubnets Configured

--------------------------------

GW01:0> show ospf interfaces
show instance 0 ospf interfaces

GW01:0>

What I am missing?

Thanks in advance.

Preview file
26 KB
6 Replies
Vladimir
Champion
Champion
‎2018-04-26 07:33 AM

Aren't you supposed to configure OSPF from the context of VS/VR instead of the VS0?

0 Kudos
Boris_Uskov
Participant
‎2018-04-26 07:39 AM
In response to Vladimir

Hi, Vladimir. I'm not going to use Virtual Systems or Virtual Routers at this point of time.

I need only VS0 and Virtual Switch currently.

0 Kudos
Vladimir
Champion
Champion
‎2018-04-26 10:29 AM
In response to Boris_Uskov

Virtual switch is the Layer 2 device, so there will be no OSPF options.

Also, the warp interfaces attached to the virtual switch should have "wrpj" preffix.

"A Warp Link is a virtual point-to-point connection between a Virtual System and a Virtual Router or Virtual Switch. Each side of a Warp Link represents a virtual interface with the appropriate virtual device."

So warp link is not exposed to the outside connectivity.

Boris_Uskov
Participant
‎2018-04-26 11:41 PM
In response to Vladimir

Hi, Vladimir.

Thanks for support.

Actually, I'm trying to configure OSPF between VS0 and outside router through the Virtual Switch. I'm trying to use VS0 wrp2 interface, which points to Virtual Switch. IP connectivity between wrp2 and outside router exists: I can ping outside router from wrp2 interface.

I attached the schema to the question for best understanding, please, take a look.

0 Kudos
Vladimir
Champion
Champion
‎2018-04-27 06:51 PM
In response to Boris_Uskov

When you first converted this cluster to VSX, you were presented with the security policy for it.

By default, for VS0, these rules are present:

VSX Gateway Management

In the VSX Gateway Management window, define security policy rules that protect the VSX Gateway. This policy is installed automatically on the new VSX Gateway.

Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other virtual devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules for these services:

  • UDP - SNMP requests
  • TCP - SSH traffic
  • ICMP - Echo-request (ping)
  • TCP - HTTPS traffic

Unless you've added OSPF to this policy at the time of creation, it may not be permitted from VS0.

If you have not yet created other VS' and installed policies on those, try:

[Expert@HostName:VSID]# vsenv 0
[Expert@HostName:0]# fw unloadlocal

To see if it'll change the behavior.

Otherwise, try unloading policies from other VS' first, and then from VS0 and repeat your experiment.

For the life of me, I cannot recall how, or even if, it is possible to adjust VS0 (VSX) policy after conversion is completed.

Good luck,

Vladimir

0 Kudos
Boris_Uskov
Participant
‎2018-04-28 02:42 AM
In response to Vladimir

Vladimir,

great idea, thank you!

I'll check default security policy. But I'll be able to do it a little bit later.

Thanks for support.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events