On a cluster firewall with VRRP, I have tried to configure one of the interfaces on the firewall. I first tried with Get Topology but could not get the correct topology.
I have configured it on the active firewall of the cluster, but when I installed the policy I got the error below:
| Installation Targets | Version | Policy Type | Details |
| --- | --- | --- | --- |
| NEWYORK-CLUSTER | R77.30 | Network Security | The Topology information must be configured for object newyorkfw1, interface eth6, in order to use the selected features. |
| NEWYORK-CLUSTER | R77.30 | Network Security | Failed to generate the rulebase |
| NEWYORK-CLUSTER | R77.30 | Network Security | Operation ended with errors. |
| NEWYORK-CLUSTER | R77.30 | Network Security | Operation ended with errors. |
You have a cluster object NEWYORK-CLUSTER which consists of newyorkfw1 and newyorkfw2, I suppose. Open the NEWYORK-CLUSTER object properties, go to the Topology tab, and click the Edit button. eth6 is in the list of interfaces; what type of interface is set there, cluster/private/sync? Cluster interfaces must have a cluster virtual IP address defined. Right-click on it, choose Edit interface, go to the Topology tab, and define the topology. Be careful: if you define the topology incorrectly, you might block access to the firewall. If it is not a cluster interface, you need to do the same for the eth6 interface of the second member of the cluster.
Also, if you got some topology but didn't get the correct one, it is probably configured in a wrong way on the devices themselves.
I would highly recommend reading the Admin Guides before configuring firewalls.
ClusterXL Administration Guide
I would also add that personally, I would stay away from the "Get Interfaces with Topology" option, except when deploying a brand new cluster.
It's been known to cause some unpleasant issues as well as create "phantom" network objects.
IMHO, best to "Get Interfaces" and define topology manually.
I fully agree.
Jessica, configure your cluster topology consistently on both the gateway side and the centrally configured management side. Stay away from reading in the topology from the gateways, as Vladimir recommended.
Thank you Aleksei, Vladimir and Danny, you all are the best. All working.