velo
Contributor

Adding new cluster interface and anti-spoofing

I'm adding a new sub-interface to an existing cluster. I'm going to be following this guide:

https://support.checkpoint.com/results/sk/sk57100

My new sub-interface will be used to route traffic to a remote site (172.16.100.0/24). I will add a static route on each member pointing to this subnet via this new interface.

After creating the interface on each member in Gaia portal, I'm going to use the "get interfaces without topology" in Smart Dashboard. How should I set up the "Leads to" section? Which one of the following two options should I use?

  1. Network defined by static routes
  2. Specific (create an object for the remote network and select it here)

I don't want to "get interfaces with topology" because I don't want to mess with any existing setup. I recall I read somewhere that if you're using the "defined by static routes" option you might need to use "get interfaces with topology".

I want to use the lowest impact, least chance of risk option because it's an important environment.

Thanks

 

11 Replies
AkosBakos
Advisor

Hi @velo 

I suggest that "get interfaces with topology" is not safe to use on a working setup. If you use it, all of the interface information will be overwritten. If an anti-spoofing group is set somewhere, that will be overwritten too, so don't use it.

This is the suggested method in the mentioned SK too.

About your question, how to set up the new interface:

  • It depends on your need. If the configured IP and MASK represent the network behind, you can use "Network defined by static routes" safely.

Akos

velo
Contributor

Thanks Akos

I'm not going to use the "get interfaces with topology" option as that will make changes like you say.

But I thought I read somewhere that if you use the "Network defined by static routes" option, you needed to get the "get interfaces with topology" option for it to pick up the routes, but maybe that is not the case.

You are correct, IP and Mask will represent the network behind the new interface. I will use:

  • "get interfaces without topology"
  • "Network defined by static routes"

Hopefully that should be OK.

Thanks

 

AkosBakos
Advisor

Hi @velo 

This statement is misleading.  😉

You can change this setting anytime.

akos

 

velo
Contributor

Yes you're quite right, that would be silly. Thanks!

Duane_Toler
Advisor

If you are using the option "Network defined by routes" (it's not static routes; just routing in general), then the gateway will poll the Gaia routing daemon (RouteD) every few seconds to learn the contents of the routing table (the FIB).  With this information, the gateway will auto-adjust the anti-spoofing topology without needing to make new objects manually.

 

You will use this option in dynamic routing environments, but you can just as easily do it with static routes ("static routes" are a routing protocol; just not a dynamic routing protocol)

 

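To make the "defined by routes" behaviour described above concrete, here is an added example (not Check Point code, and not from anyone in this thread) that models a gateway which derives its per-interface anti-spoofing topology from the routing table and applies a reverse-path check to arriving packets. The interface names, the sample FIB and the test addresses are constructed for the illustration; the only value taken from the thread is the remote subnet 172.16.100.0/24.

```python
import ipaddress
from collections import defaultdict

# Constructed sample FIB: (prefix, egress interface). The real gateway
# learns this by polling the routing daemon; here it is hard-coded.
SAMPLE_FIB = [
    ("0.0.0.0/0", "eth0"),            # default route, external interface
    ("10.0.0.0/16", "eth1"),          # internal LAN
    ("10.0.5.0/24", "eth2"),          # more-specific route via a DMZ interface
    ("172.16.100.0/24", "eth1.100"),  # new sub-interface to the remote site
]


def build_topology(fib):
    """Group routed prefixes by egress interface.

    This is the 'Leads to' topology a gateway would derive when an
    interface is set to 'Network defined by routes': every prefix whose
    route leaves through an interface becomes that interface's network.
    """
    topo = defaultdict(list)
    for prefix, iface in fib:
        topo[iface].append(ipaddress.ip_network(prefix))
    return dict(topo)


def egress_interface(fib, addr):
    """Longest-prefix match: which interface the FIB uses to reach addr."""
    addr = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def is_spoofed(fib, ingress_iface, src_addr):
    """Reverse-path anti-spoofing check.

    A packet is accepted only if the route back to its source address
    leaves through the interface the packet arrived on. Anything else is
    treated as a spoofed source on that interface.
    """
    return egress_interface(fib, src_addr) != ingress_iface


def with_route(fib, prefix, iface):
    """Return a copy of the FIB with one extra route, to show that the
    topology follows routing changes without editing any objects."""
    return list(fib) + [(prefix, iface)]


if __name__ == "__main__":
    # Before the static route for the remote site exists, traffic from
    # 172.16.100.0/24 arriving on eth1.100 fails the check (default route
    # says that address lives behind eth0).
    fib_before = [entry for entry in SAMPLE_FIB if entry[1] != "eth1.100"]
    print("before route:", is_spoofed(fib_before, "eth1.100", "172.16.100.7"))
    # After the route is added, the same packet is accepted on eth1.100
    # and rejected on eth0, with no manual topology object involved.
    fib_after = with_route(fib_before, "172.16.100.0/24", "eth1.100")
    print("after route, on eth1.100:", is_spoofed(fib_after, "eth1.100", "172.16.100.7"))
    print("after route, on eth0:", is_spoofed(fib_after, "eth0", "172.16.100.7"))
    for iface, nets in sorted(build_topology(fib_after).items()):
        print(iface, "leads to", [str(n) for n in nets])
```

The point the model makes is the one raised above: with a route-derived topology, adding a static route for the remote subnet on each member is what changes which sources are accepted on the new sub-interface, so a missing or wrong route on one member shows up as anti-spoofing drops on that member rather than as a topology mismatch in the management object.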
velo
Contributor

Great to know, thank you. Makes sense.

velo
Contributor

Just another question. Do I need to add any firewall policy to allow CPP to communicate on these new interfaces?

Looking at the SK article, I think it's actually incomplete. There is no mention of pushing a policy after the change.

  1. Stop the clustering on Standby member
  2. Perform all operations on Standby member
  3. Perform all operations on Active member
  4. Perform all operations in SmartDashboard
  5. Start the clustering on Standby member
AkosBakos
Advisor

Hi

Do I need to add any firewall policy to allow CPP to communicate on these new interfaces? No.

You won't be notified to push a policy, just simply push it 🙂

Akos

velo
Contributor

Thanks for the info. I only mention the push because I think it enabled clustering on that interface only after the push. 

Thanks for the info.

AkosBakos
Advisor

The policy install is the step which enables the clustering on the interface. All the settings remain on the Management until you push policy.

Therefore the first investigation step is the pushing policy 🙂

velo
Contributor

100%, thanks for the info. That's why I think it might be a good idea to mention that in the SK article. 

Thanks 🙂

