This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Wolfgang
Authority
Authority
‎2022-09-05 02:25 AM

enable ipv6 on Maestro

How to enable ipv6 on Maestro ?

In gclish "set ipv6-state on" save and reboot. Is it possible todo the reboot one by one appliance in the security group or must be done a reboot on the whole security group ?

Doing it with only one appliance at the time cause no traffic disruption.

0 Kudos
8 Replies
_Val_
Admin
Admin
‎2022-09-05 03:05 AM

Not sure it was tested, but you can reboot one-by-one by reboot -b command. Please note, you have to start your reboots from SMO. So, SMO should be first.

I suggest to test it before going live. Enabling IPv6 will change CoreXL instances on the appliance

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2022-09-05 10:02 PM

I agree with Val. I think you can enable it one by one, but better to verify first that everything works as planned.

0 Kudos
Wolfgang
Authority
Authority
‎2022-10-13 12:30 AM
In response to Lari_Luoma

Yesterday we tried to enable IPv6 with no success. After enabling IPv6 via gclish => "set ipv6-state on" we did a restart with one of the appliances but these ends up in boot loop:

Oct 12 16:24:26 2022 Firewall-XXX-ch01-02 kernel: [fw4_0];Global param: operation failed: Unknown parameter (param name fwha_mbs_reboot_notify),

Oct 12 16:24:28 2022 Firewall-XXX-ch01-02 shutdown[77256]: shutting down for system reboot

 

We did not had any time for troubleshooting, switch to IPv6 off and everything was fine. At the moment we are investigating the logs. Has anyone enabled IPv6 in a Maestro environment ?

0 Kudos
Wolfgang
Authority
Authority
‎2022-10-24 01:59 AM

@Lari_Luoma and @_Val_ and the community,

After enabling IPv6, reboot one security group member followed by a  crash of the whole Maestro environment and a following discussion with TAC...

Following Gaia R81.10 Administration Guide (System Configuration)  (After you enable or disable IPv6 on a Security Group in a Scalable Platform, you must reboot all the Security Group Members at the same time) we had to reboot the whole SecurityGroup to enable IPv6.

This indicates a complete downtime for the Maestro environment, meaning approximately 30min with no traffic flow. Very bad behaviour for a highly available scalable environment. We and our customer are not happy with that solution.

Yes, we could enable IPv6 before deployment, but we don't want to enable features from the beginning we don't need.

_Val_
Admin
Admin
‎2022-10-24 02:13 AM
In response to Wolfgang

I am sorry to hear that. Could you please provide me your TAC case via PM?

0 Kudos
Machine_Head
Collaborator
Collaborator
‎2023-03-03 06:27 AM
In response to Wolfgang

Hey, any idea if this is fixed or still the case?


Thanks
Juan

0 Kudos
Wolfgang
Authority
Authority
‎2023-03-03 06:33 AM
In response to Machine_Head

@Machine_Head ther's still a need for a reboot of all appliances of the complete Maestro solution. And additional there are still limitations if you want to change something regarding the IPv6 configuration. See my post https://community.checkpoint.com/t5/Maestro/IPv6-on-Maestro-a-nightmare/m-p/169862#M1414 

Machine_Head
Collaborator
Collaborator
‎2023-03-03 06:42 AM
In response to Wolfgang

Sounds like a non-goer for me

Thanks for the info

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events
    Top