Ricardo_Gros
Collaborator

DAIP cluster

Hi,

I was trying to figure out a way to build a DAIP SMB cluster that is centrally managed.

This is actually, as it seems, not supported because the Cluster object on the management side is missing the Dynamic IP box.

However, I was wondering if there is really a technical reason why this does not work on a topology where the Dynamic IP sits on a 3rd party router and the Check Point cluster is behind it.

As far as I understand, the DAIP gateways will only fetch the policy and the logging is also outbound, so it would actually not be much different from a single gateway setup with DAIP on a 3rd party device.

Has someone tried this? Does this make sense?

6 Replies
PhoneBoy
Admin

Clustering assumes the IPs of all cluster members are fixed and on the same subnets.

You cannot make that assumption when the gateways get their IP via DHCP.

When you check DAIP, the gateway is assumed to be obtaining an IP from DHCP and will not have a fixed address.

Now, if in reality, the cluster members are going to get a static IP from the DHCP server, then you define it in SmartDashboard with a fixed IP and do NOT set the DAIP flag in the object.

0 Kudos
Ricardo_Gros
Collaborator

Hi,

Thanks for the answer. The Check Point cluster itself has no dynamic IP.

The topology is this:

The router receives the IP from the provider.

Behind it is the cluster, with a static IP on the transport network, all connected over a switch (not relevant for this discussion).

The management is reachable over the internet, so any incoming connection would have to be to the public IP of the router.

My idea was to have the cluster set as dynamic and have both gateways fetch the policy; this way only outbound communication is required, like on a normal DAIP single gateway solution.

I wanted to test this but the Dyn option is not available on the cluster object.

0 Kudos
PhoneBoy
Admin

The assumption is that if the gateway has static IPs, it's reachable bidirectionally.

In the case of a truly dynamic gateway, the assumption is that it has outbound only access (and could even be behind a NAT).

0 Kudos
Ricardo_Gros
Collaborator

But in this case both are behind a NAT and have only outbound access. However, on Management the Cluster object does not allow for DAIP, so this cannot be configured at all.

My doubt was whether it would make sense for this to be possible in this topology.

0 Kudos
PhoneBoy
Admin

I think the only way you can have this sort of configuration is if you manage the gateway with a SmartLSM profile.

ATRG: SmartProvisioning 

0 Kudos
Ricardo_Gros
Collaborator

I will look into this, thank you.

0 Kudos
