This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jessica_smith
Contributor
‎2018-09-12 12:58 PM

adding/configuring interface causing error in cluster setup - policy error

On a cluster firewall with VRRP , I have tried to configure one of the interfaces on the firewall , when I first tried with get topology but could not get the correct topology,
I have configured it on the active firewall of the cluster but when I installed the policy ‭I am getting below error


Installation Targets Version Policy Type Details
NEWYORK-CLUSTER R77.30 Network Security The Topology information must be configured for object newyorkfw1, interface eth6, in order to use the selected features.
NEWYORK-CLUSTER R77.30 Network Security Failed to generate the rulebase
NEWYORK-CLUSTER R77.30 Network Security Operation ended with errors.
NEWYORK-CLUSTER R77.30 Network Security Operation ended with errors.

4 Replies
AlekseiShelepov
Advisor
‎2018-09-12 01:17 PM

You have a cluster object NEWYORK-CLUSTER which consists of newyorkfw1 and newyorkfw2, I suppose. Open NEWYORK-CLUSTER object properties, go to Topology tab, click Edit button. There is eth6 in the list of interfaces, what type of interface is set there, cluster/private/sync? Cluster interfaces must have cluster virtual IP address defined. Right click on it, choose Edit interface, go to Topology tab, define topology. Be careful, as if you incorrectly define topology you might block access to the firewall. If it is not a cluster interface, you need to do the same for eth6 interface of the second member of the cluster.

Also if you got some topology, but didn't get the correct one, probably it is configured in a wrong way on devices themselves.

I would highly recommend to read Admin Guides before configuring firewalls.
ClusterXL Administration Guide 

Gaia Administration Guide 

Vladimir
Champion
Champion
‎2018-09-12 01:22 PM

I would also add that personally, I would stay away from "Get Interfaces with Topology" option, except when deploying a brand new cluster.

It's been known to cause some unpleasant issues as well as creates "phantom" network objects.

IMHO, best to "Get Interfaces" and define topology manually. 

Danny
Champion
Champion
‎2018-09-12 02:36 PM
In response to Vladimir

I fully agree.

Jessica, configure your cluster topology consistent on both, the gateway side as well as the centrally configured management side. Stay away from reading in the topology from the getways as Vladimir recommended.

jessica_smith
Contributor
‎2018-09-13 11:43 AM

thank you Aleksei, Vladimir and Danny Smiley Happy you all are the best, all working Smiley Happy 

0 Kudos