This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
abihsot__
Advisor
‎2020-03-04 12:08 AM
Jump to solution

Moving Gaia portal IP to a new interface

Hi,

clusterxl, two nodes, R80.20.

I want to move gaia portal IP to a new physical interface.

My idea was to use temporary another IP of different interface as gaia portal while manipulating interfaces.

I though it should work, but gaia portal doesn't load although it seems to listen on any IP:

tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN

In smartconsole in cluster object there is a section "platform portal", however it has only one setting - main url. So I can't modify it per node separately, right?

 

0 Kudos
1 Solution

Accepted Solutions
Maarten_Sjouw
Champion
Champion
‎2020-03-04 01:09 AM
In response to abihsot__
Jump to solution

Ok, so you need the full step by step guide...

  • ssh to member 1 of the cluster
  • ssh from member 1 to member 2 on the sync network (if not allowed by policy set it to be allowed)
  • on member 2 issue the following commands from clish (the hostname> prompt)
    • to remove the ip form the old interface:
      • delete intyerface eth1 ipv4-address 
    • Top add IP 1.2.3.4/25 to the eth3 interface:
      • set interface eth3 ipv4-address 1.2.3.4 mask-length 25
    • update SmartConsole for member 2
    • push policy
  • ssh into member 2 on the 1.2.3.4 IP
  • ssh from member 2 to member 1 on the sync network
  • on member 12 issue the following commands from clish (the hostname> prompt)
    • to remove the ip form the old interface:
      • delete intyerface eth1 ipv4-address 
    • Top add IP 1.2.3.5/25 to the eth3 interface:
      • set interface eth3 ipv4-address 1.2.3.5 mask-length 25
    • update SmartConsole for member 1
    • push policy

You have now completed the change of the interfaces .

Regards, Maarten

View solution in original post

0 Kudos
12 Replies
Maarten_Sjouw
Champion
Champion
‎2020-03-04 12:44 AM
Jump to solution

When you change IP addresses on a cluster node, you also need to change the interface name in the cluster configuration in SmartConsole. Let's assume you moved the IP from interface eth1 to eth3

Double click the cluster object, go to the tab Network Management, find the interface with the IP you assigned for the Gaia portal.

 
 
 
 
 
 
 
 
 

Interface.JPG

With interface names you change the name from eth1 to eth3 and push policy.

Regards, Maarten
0 Kudos
abihsot__
Advisor
‎2020-03-04 12:54 AM
In response to Maarten_Sjouw
Jump to solution

Hi,

but before modifying cluster object with new interface name eth1 to eth3, in Gaia portal the IP should have been transferred already to eth3, right? Are you saying once modified in cluster object it will transfer IP in Gaia automatically? That would be awesome because so far I did like this: go to gaia, move IP to the new interface, modify cluster object with new interface and push the policy.

 

I am stuck only on interface which has Gaia portal on it, and I cannot modify it because it complains "you are going to modify interface which you are connected to".

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-03-04 01:09 AM
In response to abihsot__
Jump to solution

Ok, so you need the full step by step guide...

  • ssh to member 1 of the cluster
  • ssh from member 1 to member 2 on the sync network (if not allowed by policy set it to be allowed)
  • on member 2 issue the following commands from clish (the hostname> prompt)
    • to remove the ip form the old interface:
      • delete intyerface eth1 ipv4-address 
    • Top add IP 1.2.3.4/25 to the eth3 interface:
      • set interface eth3 ipv4-address 1.2.3.4 mask-length 25
    • update SmartConsole for member 2
    • push policy
  • ssh into member 2 on the 1.2.3.4 IP
  • ssh from member 2 to member 1 on the sync network
  • on member 12 issue the following commands from clish (the hostname> prompt)
    • to remove the ip form the old interface:
      • delete intyerface eth1 ipv4-address 
    • Top add IP 1.2.3.5/25 to the eth3 interface:
      • set interface eth3 ipv4-address 1.2.3.5 mask-length 25
    • update SmartConsole for member 1
    • push policy

You have now completed the change of the interfaces .

Regards, Maarten
0 Kudos
abihsot__
Advisor
‎2020-03-04 01:18 AM
In response to Maarten_Sjouw
Jump to solution

Now I got it! Totally forgot about ssh between the cluster nodes using other interfaces. Thanks!

0 Kudos
abihsot__
Advisor
‎2020-05-14 12:55 AM
In response to abihsot__
Jump to solution

Hi there,

I ran into another issue while using this procedure.

 

The procedure works fine if the interface is not part of "required interfaces" here:

#cphaprob -a if

CCP mode: Automatic
Required interfaces: 8
Required secured interfaces: 1

eth5 UP non sync(non secured), unicast
eth3 UP non sync(non secured), unicast
eth4 UP non sync(non secured), unicast
Sync UP sync(secured), unicast
Mgmt Non-Monitored non sync(non secured)
bond1 UP non sync(non secured), unicast, bond Load Sharing (bond1.1)
bond1 UP non sync(non secured), unicast, bond Load Sharing (bond1.2)
bond2 UP non sync(non secured), unicast, bond Load Sharing (bond2.3)
bond2 UP non sync(non secured), unicast, bond Load Sharing (bond2.4)

 

Once I try to migrate IP from bond1.1 to bond2.1 on standby node, the interface dissapears from this table and "required interfaces" becomes 7, and cluster do not want to failover because of lower number of interfaces available. Meanwhile new interface appears with correct bond in "Virtual cluster interfaces" table below. 

I found in checkpoint documentation that interfaces for this table are selected by the gateway atomatically and I cannot intervene here. It all went well with interfaces which were not in this table and now I am stuck here. Only two vlans left and I can't move them.

Any ideas hot to proceed?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-05-14 01:27 AM
In response to abihsot__
Jump to solution

You can still flip over by running cphastop on the active member.
Regards, Maarten
0 Kudos
abihsot__
Advisor
‎2020-05-14 01:47 AM
In response to Maarten_Sjouw
Jump to solution

But that would be disruptive to sync'ed connections? I want to have as minimal impact as possible.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-05-14 01:58 AM
In response to abihsot__
Jump to solution

the sync is still working and with the cphastop you will just disable the primary member so the other one can take over and should not be disruptive.
It would be better though to do it at the end of the business day to prevent disruptions as much as possible.
Regards, Maarten
0 Kudos
abihsot__
Advisor
‎2020-05-14 02:06 AM
In response to Maarten_Sjouw
Jump to solution

Oh, I forgot to mention that while modifying interfaces on standby node I put it in down state to avoid cluster flapping by using "clusterXL_admin down" command. Once finished with modifying interfaces and I want to do clusterXL_admin up, it won't jointhe cluster as number of required interfaces is not equal. My guess is that at such condition connections won't be synchronized.

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-05-14 06:38 AM
In response to abihsot__
Jump to solution

Then I'm afraid you will have to make the move when you have a window to do so.
Regards, Maarten
0 Kudos
abihsot__
Advisor
‎2020-05-14 06:41 AM
In response to Maarten_Sjouw
Jump to solution

I just need a way to temporary remove bond1.x interfaces from that list. Somehow two vlans bond2.x (migrated ones) appeared in there...

0 Kudos
abihsot__
Advisor
‎2020-06-18 07:57 AM
In response to abihsot__
Jump to solution

ok, so migration is completed. In the end I was able to manipulate which interfaces were monitored in ClusterXL by using sk92826, which helped to remove interfaces from "required list"

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events