This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
Employee Employee
Employee
‎2021-04-23 12:53 AM

Cluster with different IP subnets configuration - MVC cluster upgrade challanges

Probably not that widely used feature having Cluster VIP in one subnet and actual interfaces in different as described in ClusterXL admin guide, "Cluster IP Addresses on Different Subnets" section:

image.png

 

Yesterday I noticed interesting behaviour whilst performing multi-version cluster upgrade (R80.30 > R80.40)

After doing initial upgrade on FW2, I attempted to download and install latest Jumbo but gateway failed to connect to Checkpoint services. Logs showed drops on Sync interface on FW1 with source IP of FW2 external interface, say side-B in the diagram 192.168.2.2, destination being updates.checkpoint.com. 

Normally this is covered by implied rules as interface IPs and VIPs are part of the cluster.

In this case 192.168.2.2 was not considered as cluster IP so I had to add explicit rule to allow traffic from 192.168.2.x IP addresses out to Checkpoint services and then it all started working. Including other services like updatable objects.

In more practical terms this was the change in the rule (note that IPs differ from example diagram above)

image.png

 After pushing policy (separately as they run different versions) to both members all started working.

In case it helps someone else!

2 Replies
Wolfgang
Authority
Authority
‎2021-05-03 12:20 PM

Last week we could see the same behaviour and too our MVC upgrade was disruptive.

After policy install with R80.40 and enabling MVC we got two active nodes. One with R80.30 and the other with R80.40.

Neither of the nodes could see the other one. We did not had time for troubleshooting in this maintenance schedule, so we stopped clustering on the older node with cphastop. After upgrade of both nodes to R80.40 everything was fine.

The difference to all my other successfully upgrades is the "Cluster IP Addresses on Different Subnets". Following your post @Kaspars_Zibarts maybe there is a problem with the upgrade procedure in case of using these feature. I‘ll try to replicate this in my lab or maybe someone here has experience with this ?

Wolfgang

0 Kudos
Vladimir
Champion
Champion
‎2021-05-03 07:59 PM

Kaspars, do you have these 192.168.2.x objects NATed?

I've recently encountered different issue with Cluster IP addresses on different subnets, but it was VTI related.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events