SriNarasimha005
Contributor

How to add VLAN interface in cluster

Hi Experts,

We're running Check Point cluster firewalls (R77.30) which are managed by SmartConsole (R80.30), and now we're planning to add a new VLAN interface.

I've read some resources stating that there may be some problems when the interfaces are fetched. Could you please suggest the best practice to follow to avoid any outage?

Thanks in advance

 

Cheers,

Sri

Accepted Solutions
Mike_A
Advisor

@PhoneBoy is correct. What I have seen are issues when "Get Interfaces with Topology" is selected, overwriting any existing Anti Spoofing settings.

To avoid any issues with already defined interfaces, you should add the interface to each GW in the cluster, then "Get Interfaces without Topology" and define any Anti Spoofing you desire manually.

The example below uses existing interface eth0 and VLAN ID 200 with subnet 192.168.200.0/24, and assumes this is a topology defined by IP/Subnet.

 

GW1

add interface eth0 vlan 200

set interface eth0.200 ipv4-address 192.168.200.2 mask-length 24

save config

 

GW2

add interface eth0 vlan 200

set interface eth0.200 ipv4-address 192.168.200.3 mask-length 24

save config

 

SmartConsole

Open cluster object, select "Network Management"

Drop down "Get Interfaces" and select "Get Interfaces without Topology"

Define your new interface Network Type (Cluster) and cluster IP address (192.168.200.1)

Select Modify under "Topology" and define network accordingly (either Network is defined by interface IP and NetMask, or an Anti Spoofing Group as needed)

Publish and Install Policy

On the GW, run cphaprob -a if (it should now show the new interface and cluster address)

5 Replies
PhoneBoy
Admin

The main issue is doing "Get Interfaces with Topology", if I recall correctly.
At least that's what I've seen reports on.
If you add the interfaces to the relevant objects and configure them manually, there shouldn't be any issue.


SriNarasimha005
Contributor

Hi Mike,

Thanks for the reply.

Also, can you please suggest what rollback option should be followed to minimize the outage (if something goes wrong)? Just by reverting the installation history or by reverting the snapshot.

Thanks.

HeikoAnkenbrand
Champion

Small note:

You should only be careful with the cluster if you change the highest or lowest VLAN. The ClusterXL CCP packets are sent via this. If the VLAN is not configured correctly, ClusterXL problems may occur.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
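As an added example (not from this thread or from Check Point), the accepted answer's procedure and the CCP caveat above as a small pre-change helper: it validates the addressing, emits each member's clish commands, warns when the new VLAN would become the lowest or highest tag on the base interface, and checks a `cphaprob -a if` listing for the new interface. The function names are hypothetical and the `cphaprob` sample output is constructed and only approximates the real layout.

```python
import ipaddress

# Constructed sample of `cphaprob -a if` output after the change; the layout only
# approximates the real command output and is here so the check runs offline.
SAMPLE_CPHAPROB_IF = """\
Required interfaces: 3
Required secured interfaces: 1

eth0       UP    non sync(non secured), multicast
eth1       UP    sync(secured), multicast
eth0.200   UP    non sync(non secured), multicast

Virtual cluster interfaces: 2

eth0       10.1.1.1
eth0.200   192.168.200.1
"""

def plan_vlan_change(base_if, vlan_id, cidr, member_ips, vip, existing_vlans=()):
    """Hypothetical helper: validate addressing and build each member's clish commands."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    net = ipaddress.ip_network(cidr, strict=True)
    addrs = [ipaddress.ip_address(a) for a in list(member_ips) + [vip]]
    if len(set(addrs)) != len(addrs):
        raise ValueError("member and cluster addresses must be distinct")
    for a in addrs:  # every address must be a usable host in the new subnet
        if a not in net or a in (net.network_address, net.broadcast_address):
            raise ValueError(f"{a} is not a usable host address in {net}")
    warnings = []
    # Caveat from the thread: ClusterXL CCP uses the lowest/highest VLAN on the interface.
    if existing_vlans and not min(existing_vlans) < vlan_id < max(existing_vlans):
        warnings.append(f"VLAN {vlan_id} becomes the lowest or highest VLAN on "
                        f"{base_if}; CCP moves to it, so verify cluster state")
    commands = {}
    for n, ip in enumerate(member_ips, start=1):
        commands[f"GW{n}"] = [
            f"add interface {base_if} vlan {vlan_id}",
            f"set interface {base_if}.{vlan_id} ipv4-address {ip} "
            f"mask-length {net.prefixlen}",
            "save config",
        ]
    return {"commands": commands, "warnings": warnings}

def vlan_interface_is_up(cphaprob_output, base_if, vlan_id, vip):
    """Verify the new VLAN interface is listed UP and carries the cluster VIP."""
    name = f"{base_if}.{vlan_id}"
    rows = [l.split() for l in cphaprob_output.splitlines() if l.strip()]
    return any(r[:2] == [name, "UP"] for r in rows) and any(r[:2] == [name, vip] for r in rows)
```

Run the plan before touching the gateways, then feed the real `cphaprob -a if` output to `vlan_interface_is_up` after policy install.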
Mike_A
Advisor

First I would delete the tagged interface from each GW. Inside the cluster object, just highlight the newly created interface and delete it. When removing an interface, I personally never get the topology (with or without); I just delete the interface I want removed. Then install policy.
