This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Noah_T
Participant
‎2019-01-17 03:51 PM

Removing a VLAN from Interface

One of physical interface on a SG 15000 Series firewall cluster is trunked with 1 vlan and I need to remove that vlan and turn off the interface . What is the correct procedure to do that ?

 Cluster with active/standby setup. Gateways are on GAIA R77.30 , managed by R80 CMA. 

8 Replies
Gomboragchaa
Advisor
‎2019-01-17 04:59 PM

Delete the VLAN Interface from GAiA Web portal or Clish..

Turn off the physical interface. 

All changes must do on each member of gateways.

Then Update Topology Table on Smartconsole

0 Kudos
Noah_T
Participant
‎2019-01-17 05:47 PM
In response to Gomboragchaa

Gomboragchaa Jamganjav

Should it be removed 1st on Standby Gateway ?

After updating the topology table should a policy push be required ?

0 Kudos
Norbert_Bohusch
Advisor
‎2019-01-18 04:24 AM
In response to Gomboragchaa

if you update topology after removing it from gateways, this will break cluster status for sure!

Noah_T
Participant
‎2019-01-18 08:54 AM
In response to Norbert_Bohusch

Thanks Norbert.

I would like to follow the steps you outlined. Below is my Plan,

1) Remove the interface from the topology table in SmartConsole and push the policy.

( Current output of cphaprob -a if is below & cphaprb stat - Active/Standby )

Required interfaces: 4
Required secured interfaces: 1)

after step 1 would the output be as below ?

( Current output of cphaprob -a if is below & cphaprb stat - Active/Standby )

Required interfaces: 3
Required secured interfaces: 1)

2) delete IF from standby (clish)

3) delete IF from active (clish)

4) admin down the physical interface on both nodes

0 Kudos
LadislavNemecek
Participant
‎2019-01-18 03:14 AM

Delete vlan then admin down interface on both members.

Would prefer to start with standby node, especially if interface/vlan set as a cluster monitored

After changes on firewall nodes level, update topology on cluster object in CMA  and push policy

0 Kudos
Gaurav_Pandya
Advisor
‎2019-01-18 03:44 AM

Hi,

As it is in cluster, I would suggest to follow instruction as per sk57100.

 

0 Kudos
Norbert_Bohusch
Advisor
‎2019-01-18 04:22 AM

sk57100 is a good choice.

But I must admit, that I never followed it completely. So I never stopped a member for this type of maintenance. 

I normally use the following to remove an interface:

- remove it from topology in cluster object through SmartConsole

- check chaprob -a if for the change on both members

- delete IF from standby (clish)

- delete IF from active (clish)

0 Kudos
Gaurav_Pandya
Advisor
‎2019-01-18 04:30 AM
In response to Norbert_Bohusch

This seems to be Good steps

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events