Logical Server not working (R.80.30)
Hello,
I have created several logical servers for load balancing traffic to a group of Internal servers.
The logical servers with Public Virtual IP addresses inwards to the Internal servers work fine, but the logical servers with Internal Virtual IP addresses towards internal servers are not working.
All the Virtual IP addresses are on the same subnets as the Gateway's interfaces.
Only difference being that the addresses on the Public Interface have entries in $FWDIR/conf/local.arp.
Should I create entries for the Internal Virtual IP addresses in $FWDIR/conf/local.arp?
Regards PM
There should be servers that answer on those IP addresses.
Can you describe your configuration in more detail?
Screenshots and network diagrams would also help.
Hello,
Sorry I was not clear, and hereby make another attempt to explain my dilemma.
Below are the screenshots of the rule and the configuration for the Logical Server. I attach a diagram of the Network Topology.
The Internal VIP (Logical Server) has a private IP address of 10.0.0.35 and is on a subnet on one of the Firewall interfaces. Behind the Logical Server are two servers (servergroup) that are on the Internal network.
The Clients are on the Internal network, with private IP addresses, i.e. 10.1.2.29 for example, and the servers are in a Firewall segment (DMZ).
The External Logical server (with Public IP address) works, and on the External Interface there is Proxy Arp configured for the IP address for the Logical server.
The Internal Logical server (with Private IP address) does not work, and if I understood Check Point's Help manual right, then a Proxy ARP for this Logical Server would automatically be created during Publishing/Installation of the rule?
Best regards
Peter
What do you see on a tcpdump when you try and access 10.0.0.35 from the internal interface?
What does fw ctl arp say?
In general, a proxy-arp should be created, but perhaps it's not in this case.
