This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2018-01-08 07:20 AM

Why is the Cluster ID field missing in R80.10 FTW?

Just noticed it recently during initial configuration of R80.10 Cluster: there is no cluster ID field in the first time configuration wizard.

Can someone clarify if there is now a different mechanism resolving same ID issues and how doe it deal with clusters already present in the infrastructure with IDs defined?

Thank you,

Vladimir

0 Kudos
5 Replies
Nick_Van_Rymena
Explorer
‎2018-01-08 07:45 AM

Hi,

From R80.10 onwards there is indeed a new algorithm which does automatic selection for the MAC magic.

The procedure is explained in sk25977 under (III-1-E) Change Source MAC Addresses - Gateway Mode - Gaia R80.10 - Procedure.

Kr,

Nick

Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-01-08 08:11 AM

I guess the old "magic" number sk25977 explains what's changed and how it was applied before R80.10

I don't want to copy any details here as it's quite long article Smiley Happy

0 Kudos
Vladimir
Champion
Champion
‎2018-01-08 08:18 AM
In response to Kaspars_Zibarts

Kaspars,

It is hard for me to believe that CP would on purpose remove the cluster id feature and will force the old method on us.

Likely, some new mechanism is in place and I am trying to determine what it is.

0 Kudos
Vladimir
Champion
Champion
‎2018-01-08 08:24 AM

Thank you Kaspars and Nick!

I've just finished reading through the SK and have found the R80.10 section in it, sorry for not spotting it earlier.

67d2287b-bb00-4
Explorer
‎2019-10-25 05:33 AM
In response to Vladimir

From sk25977: 

qoute

Starting in Gaia R80.10, the 5th byte of the Source MAC address (MAC magic) in all types of CCP packets is assigned automatically.

During the initial configuration of the cluster members, they apply the following algorithm to set the MAC magic value:...

unqoute

When does the "initial configuration" happen? Is it when I run the FTW on the device (at this time I have not yet configured all interfaces) or is it the fist time I push a policy to the gateways, where they are part of a cluster? This is important as I have to share one VLAN with another existing CheckPoint ClusterXL setup.

If it is when I push the policy, can I be sure that the gateway (even if I enable clusterXL in the FTW) will not interfere with the other cluster(s) even if I configure and enable all interfaces? In that case it is important the the shared VLAN is connected to the new cluster first time I push the policy, so the other cluster's CCP traffic can be detected...

Thanks in advance.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events