This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ricardo_Gros
Collaborator
‎2018-11-23 04:19 AM

DAIP cluster

Hi,

I was trying to figure a way to build a DAIP SMB cluster  that is centrally managed.

This is actually as it seems not supported because the Cluster object on management side is missing the Dynamic IP box.

However i was wondering if there is really a technical reason why this does not work on a topology where the Dynamic IP sits on a 3rd party Router and the Checkpoint Cluster is behind it.

As far as i understand the DAIP gateways will only fetch the policy and the Logging is also outbound so it would actually not be much different from a single gateway setup with DAIP on 3rd party device.

Has some one tried this? does this make sense?

6 Replies
PhoneBoy
Admin
Admin
‎2018-11-23 09:13 AM

Clustering assumes the IPs of all cluster members are fixed and on the same subnets.

You cannot make that assumption when the gateways get their IP via DHCP.

When you check DAIP, the gateway is assumed to be obtaining an IP from DHCP and will not have a fixed address.

Now, if in reality, the cluster members are going to get a static IP from the DHCP server, then you define it in SmartDashboard with a fixed IP and do NOT set the DAIP flag in the object.

0 Kudos
Ricardo_Gros
Collaborator
‎2018-11-23 10:03 AM
In response to PhoneBoy

Hi,

Thanks for the answer, the checkpoint cluster itself has no dynamic ip

The topology is this:

The Router has receives the IP from the provider.

Behind it is the Cluster, with static IP on the Transport network. all connected over a switch( not relevant for this discussion).

The management is reachable over the internet so any incoming connection would have to be to the Public IP of the router.

My idea was to have the Cluster set as Dynamic and have both gateways fetch the policy, this way only outbound communication is  required like on a normal DAIP single gateway solution.

I wanted to test this but the Dyn option is not available on the cluster object.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-24 09:21 PM
In response to Ricardo_Gros

The assumption is that if the gateway has static IPs, it's reachable bidirectionally.

In the case of a truly dynamic gateway, the assumption is that it has outbound only access (and could even be behind a NAT).

0 Kudos
Ricardo_Gros
Collaborator
‎2018-11-25 02:57 AM
In response to PhoneBoy

But, in this case both are behind a NAT and have only outbound access. However on Management the Cluster object does not allow for DAIP so this cannot be configured at all. 

My doubt was if this would  make sense to be possible in this topology.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-25 07:54 AM
In response to Ricardo_Gros

I think the only way you can have this sort of configuration is if you manage the gateway with a SmartLSM profile.

ATRG: SmartProvisioning 

0 Kudos
Ricardo_Gros
Collaborator
‎2018-11-25 10:13 AM
In response to PhoneBoy

i will look into this, thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events