The Great Exposure Reset
24 February 2026 @ 5pm CET / 11am EST
CheckMates Fest 2026
Watch Now!AI Security Masters
Hacking with AI: The Dark Side of Innovation
CheckMates Go:
CheckMates Fest
Hey guys,
Wondering if someone would be willing to try this script in their lab to see what they get? I tested it in mine and gave me below. It would simply suggest ranges for sync IPs based on whats already configured.
Lab:
[Expert@CP-FW-01:0]# dos2unix *
dos2unix: converting file check_critical_files.sh to Unix format ...
dos2unix: converting file cp_cluster_ha_report.sh to Unix format ...
dos2unix: converting file cp_cluster_sanity.sh to Unix format ...
dos2unix: converting file cp_suggest_sync_range.sh to Unix format ...
[Expert@CP-FW-01:0]# chmod 777 *
[Expert@CP-FW-01:0]# ./cp_suggest_sync_range.sh
ClusterXL Sync Range Suggestions (non-overlapping with local interfaces/routes)
======================================================================
Detected used networks (interfaces + routes): 5
Top 10 suggestions (/ 30):
1. 10.255.255.0/30 MemberA: 10.255.255.1 MemberB: 10.255.255.2
2. 10.255.255.4/30 MemberA: 10.255.255.5 MemberB: 10.255.255.6
3. 10.255.255.8/30 MemberA: 10.255.255.9 MemberB: 10.255.255.10
4. 10.255.255.12/30 MemberA: 10.255.255.13 MemberB: 10.255.255.14
5. 10.255.255.16/30 MemberA: 10.255.255.17 MemberB: 10.255.255.18
6. 10.255.255.20/30 MemberA: 10.255.255.21 MemberB: 10.255.255.22
7. 10.255.255.24/30 MemberA: 10.255.255.25 MemberB: 10.255.255.26
8. 10.255.255.28/30 MemberA: 10.255.255.29 MemberB: 10.255.255.30
9. 10.255.255.32/30 MemberA: 10.255.255.33 MemberB: 10.255.255.34
10. 10.255.255.36/30 MemberA: 10.255.255.37 MemberB: 10.255.255.38
Notes:
- Use a DEDICATED, non-routed VLAN/segment for Sync if possible.
- Ensure this subnet does NOT overlap anywhere else in your enterprise (not just on this gateway).
- Prefer /30 for 2-member clusters. Use /29 only if you truly need extra hosts.
[Expert@CP-FW-01:0]#
Hey guys,
Wondering if someone would be willing to try this script in their lab to see what they get? I tested it in mine and gave me below. It would simply suggest ranges for sync IPs based on whats already configured.
Lab:
[Expert@CP-FW-01:0]# dos2unix *
dos2unix: converting file check_critical_files.sh to Unix format ...
dos2unix: converting file cp_cluster_ha_report.sh to Unix format ...
dos2unix: converting file cp_cluster_sanity.sh to Unix format ...
dos2unix: converting file c
That script is probably useful for small networks. However, in large and enterprise environments, it's better to rely on IP address management solutions and potentially their APIs to identify available non-routed networks and free /30 subnets.
That script is probably useful for small networks. However, in large and enterprise environments, it's better to rely on IP address management solutions and potentially their APIs to identify available non-routed networks and free /30 subnets.
;
100%. I always use 169.254.x.x, so Im trying to see how to modify the script to suggest broader non routable subnets, rather than just what it gave me.
emmap
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
