This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SriNarasimha005
Collaborator
‎2020-10-14 07:35 AM
Jump to solution

How to add VLAN interface in cluster

Hi Experts,

We're running Checkpoint cluster firewalls (R77.30) which are managed by the Smartconsole (R80.30) and now we're planning to add a new VLAN interface.

I've read some resources stating, there may be some problems when the interfaces are fetched. Could you please suggest the best practice to be adhered to avoid any outage.

Thanks in advance

 

Cheers,

Sri

0 Kudos
1 Solution

Accepted Solutions
Mike_A
Advisor
‎2020-10-16 10:42 PM
Jump to solution

@PhoneBoy is correct, what I have seen, are issues, when "Get Interfaces with Topology" is selected overwriting any existing Anti Spoofing settings.

To avoid any issues with already defined interfaces, you should add the interface to each GW in the cluster and then "Get Interfaces without Topology" and define any Anti Spoofing you desire manually. 

 

Example below is using existing interface eth0 and VLAN ID 200 with subnet 192.168.200.0/24 and assuming this is a topology defined by IP/Subnet

 

GW1

add interface eth0 vlan 200

set interface eth0.200 ipv4-address 192.168.200.2 mask-length 24

save config

 

GW2

add interface eth0 vlan 200

set interface eth0.200 ipv4-address 192.168.200.3 mask-length 24

save config

 

SmartConsole

Open cluster object, select "Network Management"

Drop down "Get Interfaces" and select "Get Interfaces without Topology"

Define your new interface Network Type (Cluster) and cluster IP address (192.168.200.1)

Select Modify under "Topology" and define network accordingly (either Network is defined by interface IP and NetMask, or an Anti Spoofing Group as needed)

Publish and Install Policy

On GW cphaprob -a if (should now show the new interface and cluster address)

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
‎2020-10-16 02:53 PM
Jump to solution

The main issue is doing "Get Interfaces with Topology" as I recall correctly.
At least that's what I've seen reports on. 
If you add the interfaces to the relevant objects and configure them manually, there shouldn't be any issue.

0 Kudos
Mike_A
Advisor
‎2020-10-16 10:42 PM
Jump to solution

@PhoneBoy is correct, what I have seen, are issues, when "Get Interfaces with Topology" is selected overwriting any existing Anti Spoofing settings.

To avoid any issues with already defined interfaces, you should add the interface to each GW in the cluster and then "Get Interfaces without Topology" and define any Anti Spoofing you desire manually. 

 

Example below is using existing interface eth0 and VLAN ID 200 with subnet 192.168.200.0/24 and assuming this is a topology defined by IP/Subnet

 

GW1

add interface eth0 vlan 200

set interface eth0.200 ipv4-address 192.168.200.2 mask-length 24

save config

 

GW2

add interface eth0 vlan 200

set interface eth0.200 ipv4-address 192.168.200.3 mask-length 24

save config

 

SmartConsole

Open cluster object, select "Network Management"

Drop down "Get Interfaces" and select "Get Interfaces without Topology"

Define your new interface Network Type (Cluster) and cluster IP address (192.168.200.1)

Select Modify under "Topology" and define network accordingly (either Network is defined by interface IP and NetMask, or an Anti Spoofing Group as needed)

Publish and Install Policy

On GW cphaprob -a if (should now show the new interface and cluster address)

SriNarasimha005
Collaborator
‎2020-10-17 07:38 AM
In response to Mike_A
Jump to solution

Hi Mike,

Thanks for the reply.

Also, can you please suggest what rollback option should be followed to minimize the outage (if something goes wrong)? Just by reverting the installation history or by reverting the snapshot.

Thanks.

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2020-10-17 10:31 AM
In response to SriNarasimha005
Jump to solution

Small note:

You should only be careful with the cluster if you change the highest or lowest VLAN. The ClusterXL CCP packets are sent via this. If the VLAN is not configured correctly, ClusterXL problems may occur.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Mike_A
Advisor
‎2020-10-19 03:37 PM
In response to SriNarasimha005
Jump to solution

First I would delete the tagged interface from each GW. Inside the cluster object just highlight the newly created interface and delete. When removing an interface, I personally never get the topology (with or without), I just delete the interface I want to be removed. Then install policy. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events