This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TOM_MORAN
Contributor
‎2025-09-15 02:26 AM
Jump to solution

have different physical interfaces in a cluster in same ip range

Hi I am moving an interface from a single 1 gb interface eg eth5 to 2 x10gb interface in a bond.

The ip addresses assigned are staying the same.

MGT is R81.20 & firewalls are R81.10 hfa 147

The issue is that topology needs an interface, can we have different ip addresses in topolgy? has anyone done this ?

The aim in to do this without a major outage

Any help is appreciated

What i would like to do is :

Standby fw :

1) remove ip address from eth5

2) add bond

3) assign ip address 

4) add bond to topolgy

5) confirm fw in h/a

6) failover to primary firewall

7) do steps 1 -6

 

 

 

0 Kudos
2 Solutions

Accepted Solutions
Danny
MVP Platinum
MVP Platinum
‎2025-09-15 02:43 AM
Jump to solution

This kind of interface migration is quite common when upgrading from 1Gb to 10Gb links. Since you're keeping the same IP addresses, the key challenge is updating the topology in SmartCenter correctly and ensuring anti-spoofing doesn't interfere during the transition.

I suggest an updated step-by-step guide:

  • backup your SmartCenter and security gateway configuration
  • in SmartCenter, update the interface topology of your cluster in advance (if possible)
    • navigate to the cluster object
    • under Network Management, locate the interface you're replacing (e.g., eth5)
    • replace it with the new bonded interface (bondX) and assign the same IP
    • make sure the topology reflects the correct IP and netmask
    • if you can't update the topology before the physical change, be ready to do it immediately after
    • on the relevant interface (eth5 or bondX), set anti-spoofing to Detect or Disabled during the change
      • this prevents drops due to topology mismatch while the interface is being reconfigured
  • on your Standby firewall
    • perform the steps you prepared
    • push the new Security Policy from your SmartCenter and untick the checkbox that would cancel policy installation if one cluster member reports an error
    • failover to the standby member to make it active
  •  on your second firewall (now standby)
    • repeat steps 1–7
    • once both firewalls are updated and stable, re-enable anti-spoofing on the bond interfaces and push policy again
    • ensure bond interface names are consistent across both cluster members
    • verify that the cluster is synchronized and both members show the correct interface status

View solution in original post

Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-09-15 08:29 AM
In response to Danny
Jump to solution

I find this process I shared last month easier. There's no need to mess with antispoofing at all. It relies on the fact the members of a cluster don't actually need to use the same interface name to back a given cluster interface and VIP. As long as your cluster is working properly, there isn't any risk to traffic at all.

View solution in original post

5 Replies
Danny
MVP Platinum
MVP Platinum
‎2025-09-15 02:43 AM
Jump to solution

This kind of interface migration is quite common when upgrading from 1Gb to 10Gb links. Since you're keeping the same IP addresses, the key challenge is updating the topology in SmartCenter correctly and ensuring anti-spoofing doesn't interfere during the transition.

I suggest an updated step-by-step guide:

  • backup your SmartCenter and security gateway configuration
  • in SmartCenter, update the interface topology of your cluster in advance (if possible)
    • navigate to the cluster object
    • under Network Management, locate the interface you're replacing (e.g., eth5)
    • replace it with the new bonded interface (bondX) and assign the same IP
    • make sure the topology reflects the correct IP and netmask
    • if you can't update the topology before the physical change, be ready to do it immediately after
    • on the relevant interface (eth5 or bondX), set anti-spoofing to Detect or Disabled during the change
      • this prevents drops due to topology mismatch while the interface is being reconfigured
  • on your Standby firewall
    • perform the steps you prepared
    • push the new Security Policy from your SmartCenter and untick the checkbox that would cancel policy installation if one cluster member reports an error
    • failover to the standby member to make it active
  •  on your second firewall (now standby)
    • repeat steps 1–7
    • once both firewalls are updated and stable, re-enable anti-spoofing on the bond interfaces and push policy again
    • ensure bond interface names are consistent across both cluster members
    • verify that the cluster is synchronized and both members show the correct interface status
TOM_MORAN
Contributor
‎2025-09-15 03:23 AM
In response to Danny
Jump to solution

very appreciated 

the_rock
MVP Platinum
MVP Platinum
‎2025-09-15 04:45 AM
In response to TOM_MORAN
Jump to solution

I would also add...always do "get interfaces WITHOUT topology"

Andy

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-09-15 08:29 AM
In response to Danny
Jump to solution

I find this process I shared last month easier. There's no need to mess with antispoofing at all. It relies on the fact the members of a cluster don't actually need to use the same interface name to back a given cluster interface and VIP. As long as your cluster is working properly, there isn't any risk to traffic at all.

the_rock
MVP Platinum
MVP Platinum
‎2025-09-15 08:34 AM
In response to Bob_Zimmerman
Jump to solution

Very detailed process, thanks Bob!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events