Hello mates,
I have an SMB cluster. GAIA access is working only to the active node. I am confused by that, even though I have enabled
set admin-access interfaces ANY access allow
I am not able to access the passive node directly. The only way is to access the SMB over SSH from the active node. Is there a workaround to access the passive node, in the best case via HTTPS://<passive_node_IP>:4434?
The cluster has a dedicated sync interface and is managed from Smart-1 Cloud.
Thx for any advice.
In the FW logs I can see only traffic dropped with the message information: Address spoofing. I am not able to find the root cause of why spoofing is detected, or to debug that.
Versions and models in use, locally or centrally managed?
I believe it's a generic problem, but anyway I am running 2x 1800 (80.20.30) in a cluster managed by Smart-1 Cloud.
It is not a general issue. You should be able to access both members via their private IP addresses with both WebUI and SSH, if you are not doing it via VPN connection.
Mind, the Standby member has a very limited menu in WebUI.
If this is not your case, please open a TAC case.
Well, I have only VPN access right now. I am sure I had the same issue during the onsite install. As soon as I added an interface to the cluster and assigned a virtual IP, I lost access to the passive node. The active node is available from the cluster IP and the node IP.
I need to access GAIA only for creating/updating new VLANs and in some cases to update DHCP settings.
Huh, that explains it. Move WebUI out of the VPN. It will not work through the tunnel.
Outside the VPN, when access to GAIA from WAN is enabled, I can reach both nodes. To be honest, I am not comfortable with allowing access to GAIA from WAN.
From inside the network (not VPN) I cannot reach the passive node on any interface.
Use HTTPS://<passive_node_IP>:4434 - set in Device > System > Administrator Access !
Yeah, this is configured well, but there is no option to set a specific interface where the service listens. Actually this is solved by a firewall rule. The issue is that no client device is on the management LAN, therefore all traffic has to be routed (without routing it's working well).
sk106425 -> it seems the only way is to disable antispoofing on the management interface.
I assume that in reality you rather run Embedded GAiA 8) For an SMB cluster you have to finish the First Time Configuration Wizard on both devices first - was that possible? Did you follow the Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.30 Centrally Managed Administration Guide, p. 18ff? Then you should have three IP addresses:
- local WAN IP of Node 1 (active)
- local WAN IP of Node 2 (standby)
- virtual Cluster IP
When High Availability is enabled on the WAN interface, then the cluster requires an additional unique virtual IP address. This virtual IP address is visible to the network and ensures that cluster failover events are transparent to all hosts on the network.
If you want access to the cluster, you get to the active node, but both nodes also are available using their local IP. As you do change all settings on active node only, as the standby will sync the changes automatically, you usually only use the virtual cluster IP !
Hello. Thank you for the advice.
I was not aware of the special documentation "R80.20.30 Centrally Managed Administration Guide". I have read the basic documentation and the Smart-1 Cloud documentation, and nothing like that was mentioned anywhere. Everywhere it was just mentioned that in management the cluster object needs to be pre-created with a dummy GW first. The conversion of a standalone GW to a cluster is not supported.
In my case all nodes have their own IP on each interface and their own virtual IP for each clustered interface (including WAN - Public IP) + a dedicated sync interface (set under topology).
"As you do change all settings on active node only, as the standby will sync the changes automatically, you usually only use the virtual cluster IP !"
I suppose this is not true for the OS basics such as DHCP, is it?