Adding a VLAN Interface into firewall cluster

Srinivasan_N · ‎2020-10-16

Hi Experts,

We're planning to add a VLAN Interface into the firewall cluster (R77.30) and the Smart console version is R80.30

Have gone through SK57100 which says 'maintenance window' is required and it may cause an outage when fetching the topology.

While the article sk118518 says it can be done without fetching the topology and the plan is:-

To create a VLAN interface on both the firewalls via Gaia portal

Smart console -> Create a new Interface with 'cluster'

Create the interface with VIP address and click on Modify -> Enter the gateway members interface IP addresses of both the firewalls

Enable Anti-Spoofing

Save and install the policy.

With this option, believe anti-spoofing isn't overridden for other interfaces or no topology/routing changes will be made.

Is this correct way to do or can you please suggest the best way to achieve this without any outage or failover.

Thanks,

Kaspars_Zibarts · ‎2020-10-16

What you described should work totally ok. Wether to do manual spoofing or fetch topology automatically is a personal choice. We use automated option and never really had any problems. No interruptions or failovers during configuration. I just find manual prone to errors if you have high number of interfaces and routes.

Srinivasan_N · ‎2020-10-17

Hi Kaspars,

Thanks for the reply.

Hope by adding this, new interfaces will be reported when the "cphaprob -a if" issued.

Also, can you please suggest what rollback option should be followed to minimize the outage (if something goes wrong)? Just by reverting the installation history or by reverting the snapshot.

Thanks.

Adding a VLAN Interface into firewall cluster

Azure AD application proxy and HTTPS Inspection

Adding a SAN to a CSR to be used for IPSec\SSL VPN

Tacacs Server Grouping

CheckPoint Firewall -TO- CheckPoint Firewall IPS...

Help with policy for domain/FQDN policies and SaaS...