This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
leonid1890
Contributor
‎2023-12-25 03:02 AM

SMB Cluster - Management Interface

Hello,

 

I create SMB Cluster R80.20.50 via Smart Console in High Availability mode.

This cluster have s2s with Gaia 7000.

My Goal: to create managmenet inteface on each gateway of the SMB which is not monitored by the cluster 
in order to get access to each device seperatly.

In topology table I configred this interface as "Non-Monitored Private" and it is internal.

The problem is that I still got access to Avtive member interface and not to the standby.

 

I think this is because of the site to site.

Any suggestions?

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2023-12-26 12:59 PM

What version/JHF is your management?
Setting a "Non-Monitored Private" interface isn't necessary here, but you may need to disable cluster fold NAT.
It is settable via the CLI from R81.10.00: https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/170583.htm

0 Kudos
leonid1890
Contributor
‎2023-12-26 11:07 PM
In response to PhoneBoy

Hello,

 

My Smart Console version is R81.10

I don't use NAT on my SMB Cluster.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-27 06:18 AM
In response to leonid1890

Clustering does this "NAT" by default.
It should also be settable in your software release via the CLI as well.
How precisely are you attempting to access the secondary member?

0 Kudos
leonid1890
Contributor
‎2023-12-27 06:25 AM
In response to PhoneBoy

1. I checked inside my SMB Cluster NAT settings:

perform-cluster-hide-fold: false

 

2. I tried to access secondary cluster member via WAN or via one the LAN interfaces.

but it didn't work.

I am trying to find way to have access both of cluster members when the site to site is working.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-27 06:35 AM
In response to leonid1890

How are you attempting to perform this access?
Have you used tcpdump to see if the traffic is reaching the secondary member or not?

0 Kudos
leonid1890
Contributor
‎2023-12-27 06:51 AM
In response to PhoneBoy

Trying access via SSH / HTTPs

I can't used tcpdump on the secondary member because I don't have access when site to site is working.

When I remove site to site I have access to both of the Cluster members via WAN interface.

0 Kudos
the_rock
Legend
Legend
‎2023-12-27 10:32 AM
In response to leonid1890

Might be worth TAC case or do remote session, sounds like something simple might be missing here.

Best,

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-27 11:06 AM
In response to leonid1890

With the VPN in place, it would be expected for the traffic to traverse the primary node.
However, you should still be able to:

  • Reach the primary node
  • SSH from the primary node to the secondary node

Are you able to do that?
I also think working with TAC on this would be advisable.

0 Kudos
leonid1890
Contributor
‎2023-12-31 11:24 PM
In response to PhoneBoy

Ok thanks, I will check with TAC

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events