AkosBakos
Contributor

In an HA environment disable CCP packet check on specific interfaces

Hi Community,

I want to disable or switch off the CCP packet check on specific interfaces. Only on 1 interface out of 8.

So if the CCP packet is not received on this interface, this will not cause a cluster failover.

Is it possible somehow?

BR

Akos

0 Kudos
11 Replies
Timothy_Hall
Champion

Yes, just define the desired interfaces as Network Type "private" in the topology of the cluster object. However, I don't think you are allowed to present a cluster/virtual IP address when the interface is in this mode; the firewalls just use their dedicated fixed IP addresses on the private interface.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
AkosBakos
Contributor

Hi Timothy,

Yes, this can be a solution, but I need to present 1 IP as gateway, so this can't be a solution.

And I forgot one important thing: this is an SMB cluster R80.20.15.

 

BR

Akos

0 Kudos
mcatanzaro
Employee

You can configure the interface to only monitor the physical link rather than CCP packets:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/CXL...

0 Kudos
AkosBakos
Contributor

Hi,

Thanks for the information.

After I posted my question, I found this article.

And I forgot one important thing: this is an SMB cluster R80.20.15. The article belongs to R81. Is it applicable on SMB appliances as well?

BR

Akos

0 Kudos
mcatanzaro
Employee

Not sure if you can do this on Gaia Embedded.

@PhoneBoy  @_Val_ 

Can you guys move this to the SMB forum?

0 Kudos
_Val_
Admin

@mcatanzaro Done. It was not obvious from the start that this is an SMB issue 🙂

AkosBakos
Contributor

You are right, sorry about that.

0 Kudos
G_W_Albrecht
Legend

This is not possible on locally managed SMBs. On centrally managed, you can configure it: When High Availability is disabled on the interface, the interface is considered non-monitored private (not part of the cluster configuration).

See Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.30 Centrally Managed Administration Guide p.23

CCSE CCTE SMB Specialist
0 Kudos
AkosBakos
Contributor

@G_W_Albrecht 

Yes, it is a centrally managed SMB cluster. If I set non-monitored private, it will cause the loss of the virtual IP ability, which is really important on those two trunk interfaces.

I know the cluster prerequisites, which describe that there must be a layer 2 connection between cluster interfaces....

In a nutshell:

There is a special device with two interfaces:

2021-09-15 11_04_42-Clipboard.png

On the special device (appliance), eth1 and eth2 are a Linux bond trunk interface. This device is probing its default gateway on both interfaces. The traffic will flow on the IF which receives the ARP answer faster.
And no, I can't put an active device there (router, switch, etc.). It is prohibited.

This is a very special scenario.

Any idea will be appreciated.

0 Kudos
G_W_Albrecht
Legend

Open an SR# with TAC!

CCSE CCTE SMB Specialist
0 Kudos
AkosBakos
Contributor

Done 🙂

0 Kudos