This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-06-01 03:16 PM
Jump to solution

ClusterXL management changes

Hello, team.

I currently have a couple of ClusterXLs, hooked up to an SMS.
All in version R81.10

I understand that the IPs that appear in the SmartConsole, are the management IPs, is that correct?

By decision and "reordering" of the client, the "management" IPs will be changed to those of the gateways.

What seems strange to me, is that for so long, they have been working with a VIRTUAL IP for each Cluster, which is a PUBLIC IP, and for the gateways as such, they have been working with private IPs.
I don't understand why.

CL.png

To be able to do the process of changing the IPs of each cluster, it must be considered a "service interruption"?
Is it recommended to have a working window?

What is the order to change the IPs in the gateways?
Should the passive one be started first, then the active one?
At the end change it in the same SmartConsole?

Thanks for your comments.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-06-01 03:30 PM
Jump to solution

The "management" IP is the IP that's listed in the General tab of the relevant gateway object (also called the Main IP).
A Cluster IP can be on a different subnet from the gateway's configured interfaces, which is a useful feature: https://support.checkpoint.com/results/sk/sk32073

Generally, changing IP addresses of a gateway or cluster should be done in a maintenance window.
Make the OS level changes first, then make the changes in SmartConsole.
Similar to: https://support.checkpoint.com/results/sk/sk62024 

View solution in original post

(1)
9 Replies
PhoneBoy
Admin
Admin
‎2023-06-01 03:30 PM
Jump to solution

The "management" IP is the IP that's listed in the General tab of the relevant gateway object (also called the Main IP).
A Cluster IP can be on a different subnet from the gateway's configured interfaces, which is a useful feature: https://support.checkpoint.com/results/sk/sk32073

Generally, changing IP addresses of a gateway or cluster should be done in a maintenance window.
Make the OS level changes first, then make the changes in SmartConsole.
Similar to: https://support.checkpoint.com/results/sk/sk62024 

(1)
Matlu
MVP Silver
MVP Silver
‎2023-06-02 05:11 AM
In response to PhoneBoy
Jump to solution

Sorry,

By "start on each operating system", they mean start on each ClusterXL gateway, correct?

 

Does the order matter?

Or is it better to start by changing the management IPs, always by the passive member, and then the active one?

Or is it indifferent?

 

Regards.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-06-02 05:23 AM
In response to Matlu
Jump to solution

Hey bro,

Im fairly sure what it implies is to do changes on OS level first (meaning Gaia clish or web UI) and then app level (ie smart console object topology). I always do everything first on standby, then master and that works well.

Cheers,

Andy

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-02 05:42 AM
In response to the_rock
Jump to solution

For this type of activity (Change the management IP of each GW, of ClusterXL), there is no need to "break" the ClusterXL during the "Maintenance Window", right?

 

Thanks for your time, and sorry for the "silly" doubts. 🙂

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-06-02 05:43 AM
In response to Matlu
Jump to solution

No, you dont need to break the cluster, but to be 100% safe, maybe better to do off hours.

Andy

Best,
Andy
Matlu
MVP Silver
MVP Silver
‎2023-06-02 06:50 AM
In response to the_rock
Jump to solution

It is better to always keep the criterion of doing it in a "working window", but knowing that it is not necessary to break the ClusterXL.
Just as a "precautionary" measure, right?

Thanks, bro.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-06-02 06:50 AM
In response to Matlu
Jump to solution

Thats my mentality as well, correct.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-06-02 05:46 AM
In response to Matlu
Jump to solution

Never be sorry about asking any questions mate...regardless of some people thinking question may sound silly or stupid, if answer will save you headache down the road, then everyone wins.

Andy

Best,
Andy
(1)
the_rock
MVP Platinum
MVP Platinum
‎2023-06-01 06:54 PM
Jump to solution

You got perfect answer from @PhoneBoy , thats exactly how you would do the order, as per 2nd sk he provided.

Good luck bro!

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events