This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LGRES
Explorer
‎2023-11-21 05:28 AM

Cluster in Bridge mode

How to deploy active/standby cluster in bridge mode on SMB 1800 appliances R81.10.08 centrally managed?

According to documentation: A cluster in a Bridge Active/Standby mode is supported, but appliances are working only in Cluster Mode: High Availability (Active Up) with IGMP Membership.

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2023-11-21 07:10 AM

Per the product documentation, you cannot create a cluster when you have a switch or bridge defined in the network settings on the appliance.
See: https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Co...

 

0 Kudos
LGRES
Explorer
‎2023-11-27 05:46 AM
In response to PhoneBoy

How then to deploy cluster in bridge mode, if there is no cpconfig command in Gaia Embedded?

0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2023-11-27 06:12 AM
In response to LGRES

Check this SK for configuring a  bridge cluster for centrally managed SMBs.

How to create a centrally managed cluster for Embedded Gaia SMB gateways 

Since this is for R77.20.XX, also refer to the admin guide, though I believe there is not much difference between the versions.

Quantum Spark 1500, 1600, and 1800 Appliances R81.10.X Centrally Managed Administration Guide 


Also the alternative for cpconfig is enabling a specific kernel parameter in fwkern.conf in both members and reboot the gateway.

fwha_active_standby_bridge_mode=1

You can find this information in this SK as well.

Cluster in Active-Standby bridge mode in 1200R / 1400 centrally managed appliances 

G_W_Albrecht
Legend Legend
Legend
‎2023-11-30 04:03 AM
In response to Tom_Hinoue

Also see in sk178604Check Point R81.10.X for 1500, 1600, and 1800 appliance Known Limitations and Resolved Issues:

- If a bridge is configured on network interfaces, a cluster can only be created when the Quantum Spark appliance is Centrally Managed. R81.10.00 -
Networking - Bridge

SMBGWY-2478		 Bridge interfaces cannot be disabled. R81.10.00 -
SMB-10543 Embedded Gaia appliances conform to the Maintrain bridge (L2) limitations listed in sk101371 R81.10.00 -
SMB-12375 Attempting to assign the pivot port of a switch to a bridge using the CLI fails, but does not display an error. R81.10.00 -
- Site-to-Site VPN is not supported with layer 2 (bridge) connection types. R81.10.00 -

SMBGWY-2443		 When more than one VAP is added to a local network switch or bridge, it cannot be unassigned.

Workaround: delete it and then recreate it.
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Tom_Hinoue
Advisor
Advisor
‎2023-11-30 04:32 PM
In response to G_W_Albrecht

Yes, my understanding is that a bridge mode cluster is possible in R81.10.XX if centrally managed, as well I have tested this in lab before.

Maybe some SK's or the admin guide need to be updated, so it includes specific directions on how to configure a centrally managed bridge cluster 🙂

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-12-01 12:46 AM
In response to Tom_Hinoue

There is:

sk122659: Cluster in Active-Standby bridge mode in 1200R / 1400 centrally managed appliances

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-12-01 01:17 AM
In response to G_W_Albrecht

...but the newest is mentioned in the table, sk101371: Bridge Mode on Gaia OS and SecurePlatform OS

Should be named Gaia OS and Gaia Embedded, as shown as OS in the SK !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2023-12-01 01:44 AM
In response to G_W_Albrecht

Oh I meant by that currently it only mentions 1200R/1400 and not the current 1500/1600/1800s 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-28 07:00 AM
In response to LGRES

The way I interpret this statement is that a cluster in bridge mode is not supported on SMB appliances.
I would confirm with TAC, though: https://help.checkpoint.com 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-11-28 07:21 AM
In response to PhoneBoy

Definitely one for TAC, the section beneath this (prerequisites) contains a contradictory statement.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top