This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dede79
Contributor
‎2023-03-02 12:38 AM
Jump to solution

SMB 1500 R81.10 - Cluster Virtual IP address belongs to a different subnet

Hello,

 

I need to configure VIP on different subnet on a SMB cluster - centrally managed - on WAN link (have not enought pub. IPs and Mgmt is directly connected).

So private IPs for the interfaces and a public IP as VIP. Problem is to set the default gateway - SMB Internet connection only allows configure Gateway in the same subnet. Adding a manual default route is also no possible.

 

Any idea?

1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2023-03-02 02:44 AM
Jump to solution

sk159772 suggests this should be possible in R81.10.x

CCSM R77/R80/ELITE

View solution in original post

18 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-03-02 01:41 AM
Jump to solution

Ask TAC - https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-... could apply.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-03-02 02:44 AM
Jump to solution

sk159772 suggests this should be possible in R81.10.x

CCSM R77/R80/ELITE
G_W_Albrecht
Legend Legend
Legend
‎2023-03-02 03:14 AM
In response to Chris_Atkinson
Jump to solution

ID Description Found In Resolved In
01615874 When defining a locally managed cluster, the Virtual IP address of a clustered interface has to be in the same subnet as the real IP addresses of the cluster members. R80.20 GA R81.10.00

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
dede79
Contributor
‎2023-03-02 04:07 AM
In response to G_W_Albrecht
Jump to solution

I use centrally managed - but actually as said I heve no idea how to configure the default gateway.

0 Kudos
xAnTx
Employee
Employee
‎2023-03-02 04:41 AM
In response to dede79
Jump to solution

Hi!
Are you trying to configure DG before or after cluster configuration?
As far as I know, DG could be configured in subnet, other than actual IP address, only when cluster configuration already done on the appliance.
Means - try to configure cluster first (with all needed IPs), install policies, and only after that - change DG on members themselves.

0 Kudos
dede79
Contributor
‎2023-03-02 05:20 AM
In response to xAnTx
Jump to solution

cluster is configured - actually the issue is in configuring the default route on gaia embedded itself!

0 Kudos
Amir_Ayalon
Employee
Employee
‎2023-03-02 05:29 AM
In response to dede79
Jump to solution

Have you tried R81.10.05 ?

0 Kudos
dede79
Contributor
‎2023-03-06 12:09 AM
In response to Amir_Ayalon
Jump to solution

for some reason my last post was deleted with the screensot of the issue.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-03-06 12:21 AM
In response to dede79
Jump to solution

Did you contact TAC already ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
dede79
Contributor
‎2023-03-08 02:07 AM
In response to G_W_Albrecht
Jump to solution

I pushed issue to Checkpoint SE .....will post the solution here if I get one

0 Kudos
RS_Daniel
Advisor
‎2023-06-28 10:42 AM
In response to dede79
Jump to solution

Hello @dede79 ,

We are facing a similar scenario, need to have member interfaces in a different subnet than virtual IP. Were you able to make it work? was default route possible?

Regards

(1)
Chris_Atkinson
Employee Employee
Employee
‎2023-06-29 04:26 PM
In response to RS_Daniel
Jump to solution

Have you tested R81.10.07 (996001430) out of interest?

CCSM R77/R80/ELITE
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-06-29 07:37 PM
In response to dede79
Jump to solution

Successfully tested this to the extent my lab allows on a locally managed cluster running R81.10.07 (996001430).

Time permitting will follow-up similar tests on a centrally managed variant also.

Image1.pngImage2.PNG

Image3.png

CCSM R77/R80/ELITE
0 Kudos
FerPr0c03
Participant
‎2023-06-28 07:04 PM
Jump to solution

Hi @dede79 

Were you able to solve the problem with the default routes? I have the same scenario and same problem.
Could you help me? thanks

 

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-06-28 09:53 PM
In response to FerPr0c03
Jump to solution

Please open a case with TAC if not already and I will follow up internally, thanks.

 

Share the SR number with me in private message.

CCSM R77/R80/ELITE
0 Kudos
Jones
Collaborator
Collaborator
‎2024-06-11 08:20 AM
In response to Chris_Atkinson
Jump to solution

Hi,

I would also like to know if there is a supported solution for centrally managed SPARK cluster with a Cluster IP Address on different subnets on the WAN interface. Could you share the solution please?

Kind Regards,

Jones

0 Kudos
Steven_Sultana
Contributor
‎2024-09-13 12:16 AM
In response to Jones
Jump to solution

sk182234 claims that such a solution is possible for both Locally and Centrally Managed Clusters.

How do I configure a cluster on Quantum Spark appliances with only one public address?
Is it necessar...

The feature "Single routable IP" for clusters is supported starting from the R81.10.05 release.

  • For Locally Managed appliances, see the R81.10.X Locally Managed Administration Guide topic "Configuring High Availability" section "Single Routable IP Cluster."

  • For Centrally Managed appliances, see the R81.10.X Centrally Managed Administration Guide topic "Configuring High Availability" section "Configuring a Single Routable IP Cluster in Central Management."

Example diagram:

Steven_Sultana_0-1726211695911.png

 

 

0 Kudos
perfect4situa
Participant
‎2025-03-10 01:01 PM
Jump to solution

Even if there a section in documentation about the configuration of Single Routable IP (https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Co...) as described in https://community.checkpoint.com/t5/SMB-Gateways-Spark/Implementing-High-Availability-Firewall-Clust... I recently close a ticket with TAC and they say that there is no way to do this configuration with Spark Appliances in Centrally Managed mode.

I suggest to you the "local transport network" between gateway and router

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events