bjbakker1984
Explorer

Advertise (dual) WAN via BGP in ClusterXL

Hi guys, 
I was having issues with a ClusterXL set-up and wanted to know if there is a solution. 
So here is what currently is correctly working (non-clusterXL): 

- device: 1575 appliance, R81.10.15_996003919 (.10 build doesn't support loopback yet via GUI)

- firewall rules to allow BGP

- single WAN interface has a /31 public IP from the provider.

- loopback interface with /28 from provider that is advertised on BGP back to peer on WAN.

- a dormant (not connected) second WAN connection on a different carrier with /31 public IP in the same BGP set-up.

Last week we wanted to add a second firewall. This stopped working even BEFORE the member device was added.

Here is what we did:

- reset WAN interfaces to DHCP to bypass subnet restrictions on the HA wizard (seems it needs at least 3 usable IPs on all interfaces without DHCP, even if you are not going to use it. Else the wizard won't finish).

- set first device as primary cluster member with only LAN/internal interfaces in HA mode

- re-added WAN interface /31 set-up (this is non-HA)

Now the problem is that "BGP peer is not reachable" (/var/log/routed). Even though only internal networks are now HA.

It seems that the non-HA interface is no longer used for advertising the BGP route. Mind you, the default gateway is still there and ANY other traffic is passed. Just not training data for the BGP.

When you delete the cluster configuration it magically starts working again.

Second (less important for now) thing is that we have 2 /31 lines. So my thoughts were to add both to both firewalls (non-HA of course) and leave one disconnected on the devices so that the firewall only uses one and the active firewall advertises on the connected one. This since the HA set-up needs at least 3 usable IP addresses for the HA.

- second device: 1575 appliance, R81.10.15_996003919 (.10 build doesn't support loopback yet)

- loopback interface with /28 from provider that is advertised on BGP back to peer on WAN.

- firewall rules to allow SYNC traffic

- add as member to the cluster group

- WAN interface has a /31 public IP from the primary line

- DMZ interface has a /31 public IP from other line.
sigal
Employee

Hi,
R81.10.15 does not yet support loopback in cluster mode. This functionality is currently planned for Q2.
As for the 3 usable IP addresses for the HA - this is no longer correct. You can use private IPs for the physical interfaces on each gateway and routable IP as VIP. See https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Conf...

Thanks.


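As an added illustration (not code from the thread or from Check Point), a small Python planner for the address-count constraint the two posts discuss: whether a provider prefix can host a ClusterXL VIP plus one address per member, or whether the members should take private addresses and leave only the routable VIP on the provider prefix, as the reply suggests. The member count and the "private member IPs" switch are assumptions; the prefixes in the usage are constructed (documentation ranges).

```python
from ipaddress import ip_network


def usable_hosts(prefix: str) -> int:
    """Host addresses assignable on a prefix.

    A /31 (RFC 3021 point-to-point) and a /32 have no network/broadcast
    addresses to subtract, which is why a /31 WAN link offers exactly two.
    """
    net = ip_network(prefix, strict=False)
    if net.prefixlen >= net.max_prefixlen - 1:
        return net.num_addresses
    return net.num_addresses - 2


def addresses_needed(members: int, private_member_ips: bool) -> int:
    """Addresses a ClusterXL interface consumes from the provider prefix.

    Always one VIP; plus one per member unless the members' physical
    interfaces use private (RFC 1918) addresses instead (assumption from
    the reply above).
    """
    return 1 if private_member_ips else 1 + members


def plan_ha_interface(provider_prefix: str, members: int = 2,
                      private_member_ips: bool = False) -> dict:
    """Report whether the prefix fits the cluster interface plan."""
    have = usable_hosts(provider_prefix)
    need = addresses_needed(members, private_member_ips)
    return {
        "prefix": provider_prefix,
        "usable": have,
        "needed": need,
        "fits": have >= need,
    }


if __name__ == "__main__":
    # Constructed example: a /31 WAN link with both members on public IPs
    # cannot carry a VIP plus two member addresses (2 usable < 3 needed).
    print(plan_ha_interface("203.0.113.0/31"))
    # Same link with private member IPs: only the VIP comes from the /31.
    print(plan_ha_interface("203.0.113.0/31", private_member_ips=True))
    # A /28 block has 14 usable addresses and fits either way.
    print(plan_ha_interface("198.51.100.0/28"))
```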