This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2018-10-19 05:40 AM
Jump to solution

ClusterXL HA - Adding interface on only 1 unit

I have a CusterXL HA setup (2 units), And a 2nd small external IP range that I'll be migrating over to our checkpoint firewall.

I only have 1 IP address available to define an interface with on our cluster in that IP range (With future plans to put everything behind a reverse proxy, to free up addresses so I can do a proper HA setup).

Is it okay to add an additional interface on only one of the units (active), and reference that IP in the Proxy ARP ? I'm not sure if this will have any bad interactions with ClusterXL, as all my other interfaces in the cluster are setup properly with VIPs. I don't expect any bad behavior, but I'd like to see if anyone else has done this, and their experiences.

I know this will make the services unavailable if there is a failover, but that has been deemed acceptable for us in the short term.

*edited for spelling

1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2018-10-19 11:18 AM
In response to NorthernNetGuy
Jump to solution

You can. See screenshot below:

Use "Monitored Private" if you want the cluster to failover, should the interface go down, or "Non-monitored Private" if you rather remain on the active member this interface belongs to.

View solution in original post

0 Kudos
10 Replies
Vladimir
Champion
Champion
‎2018-10-19 05:47 AM
Jump to solution

One IP is all you need to setup vIP on the cluster. You can use IPs from different subnet for the physical interfaces and assign your single remaining IP from working range to be the vIP on the cluster.

 

Configuring Cluster Addresses on Different Subnets

Only one routable IP address is required in a ClusterXL cluster, for the virtual cluster interface that faces the Internet. All cluster member physical IP addresses can be non-routable.

Configuring different subnets for the cluster IP addresses and the member addresses is useful in order to:

  • Enable a multi-machine cluster to replace a single-machine gateway in a pre-configured network, without the need to allocate new addresses to the cluster members.
  • Allow organizations to use only one routable address for the ClusterXL Gateway Cluster. This saves routable addresses.
0 Kudos
NorthernNetGuy
Advisor
‎2018-10-19 06:36 AM
In response to Vladimir
Jump to solution

I remember seeing this SK before. I'm reading over the article and it's a bit confusing.

Here's my interpretation of it, simplified into a couple lines:
The switch port that the physical interfaces connect to will still be our external VLAN, but the physical interfaces on the gateway will be defined as an IP in a different subnet, and that subnet is defined within the gateway. I would then use a static route within the gateway to route between the two subnets within the gateway?

Then because, of proxy ARP and VIP, the physical interface on the gateway will still be able to receive and transceiver as the VIP is what is used as the primary address?

Is that kind of the gist of it?

0 Kudos
Vladimir
Champion
Champion
‎2018-10-19 07:17 AM
In response to NorthernNetGuy
Jump to solution

It is pretty much how I read it too.

_Val_
Admin
Admin
‎2018-10-19 05:47 AM
Jump to solution

You may want to look here: Configuring Cluster Addresses on Different Subnets 

0 Kudos
NorthernNetGuy
Advisor
‎2018-10-19 11:11 AM
In response to _Val_
Jump to solution

This seems like a good option that I'd like to implement, however I'd still like to know if my original example would work.

Can I make a non-cluster interface in a clusterXL setup? To have just one of my gateways in the cluster have a unique interface would be nice.

0 Kudos
Vladimir
Champion
Champion
‎2018-10-19 11:18 AM
In response to NorthernNetGuy
Jump to solution

You can. See screenshot below:

Use "Monitored Private" if you want the cluster to failover, should the interface go down, or "Non-monitored Private" if you rather remain on the active member this interface belongs to.

0 Kudos
NorthernNetGuy
Advisor
‎2018-10-19 11:31 AM
In response to Vladimir
Jump to solution

This is what I'm looking for

I'm unfamiliar with this view though. Topology settings menu in r80.10 is different for me, unless this is in the global properties advanced configuration?

In 80.10 I see private, but no mention of monitored on non monitored.

0 Kudos
Vladimir
Champion
Champion
‎2018-10-19 11:38 AM
In response to NorthernNetGuy
Jump to solution

I had to use the R77.30 demo to pull this up for you, as R80.++ does not include clusters or VSXs.

According to documentation:

ClusterXL R80.10 (Part of Check Point Infinity) Administration Guide 

Both "Private" and "Monitored Private" are still supported.

0 Kudos
NorthernNetGuy
Advisor
‎2018-10-19 11:47 AM
In response to Vladimir
Jump to solution

Thank you very much for your help Vladimir, very detailed responses. I think I got it from here!

0 Kudos
Vladimir
Champion
Champion
‎2018-10-19 11:54 AM
In response to NorthernNetGuy
Jump to solution

You are quite welcome:)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events