This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scottc98
Advisor
‎2022-12-29 08:43 AM

Cluster Sync Interface - Response to Web GUI

I have a question in regards to the cluster sync interface between 2 nodes (ClusterXL - Active/Active Bridge mode).

The GWs in question only have 2 IP network interfaces:

  • MGMT:  Used for actual management of the device
  • Sync:  A non routable 192.168.X.X /29 assigned; with a direct cross over cable between the clusters. 

The desired approach/idea here was to only have the MGMT network be reachable from outside of the cluster; with the cluster synch network being truly 'local' for the cluster.  

During a resent scan, we found that the 192.168. synch network was responding to web GUI attempts through the bridge interface.   It just so happens that the default route is going through this bridge and therefore scans from this IP is hitting this GW cluster in question. 

I've never really used the sync interface for any WebGUI/SSH access from any outside network in the past.   The only time I have used it is for SSH from one cluster member to the other during some triag/outages.  

Is it normal for the sync interfaces to respond to these attempts?   Is there anyway to keep this traffic 'local' or ill effect to such?  

I don't have direct access to this cluster (Only Smartconsole 'read-only') so if there are some info needed, let me know and I can request it. 

 

Thanks in advance 🙂

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2022-12-29 09:03 AM

Yes, it's normal, as multiportal (used for all web portals) and SSH listen on all interfaces by default.
You can change the listening IP/port for sshd by following a procedure similar to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Not sure on Multiportal, short of disabling it and configuring a different port for the Gaia WebUI.

A better solution might be blackholing the specific sync subnet on your internal router (that way, no traffic can reach the gateway on those IPs).

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events