This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-06-07 12:54 PM

Deploying new VLANs in production

Hello, world.

A query, I currently have a ClusterXL which has configured in its interface Eth2 of each Firewall:

FW 01 -> 10.20.20.1
FW 02 -> 10.20.20.2
VIP -> 10.20.20.254

What we need, is to put a new segment in that same interface, (10.100.100.0/22)

In this scenario, it is ideal to leave configured the segment that currently already has the interface, and add the new segment as a VLAN?

Or is it necessary to leave the interface blank by default and configure the 2 segments as different VLANs?

What is the best practice in your experience?

This type of configuration, it is advisable to always start it in the passive member, and then in the active, and all this, in a working window, right ????

Thanks for your comments.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-06-07 02:51 PM

In general, changes of this nature should be done on the passive member first, OS level changes first, then update the configuration in SmartConsole.
And yes, this will definitely need to be done in a maintenance window.

0 Kudos
Matlu
Advisor
‎2023-06-07 03:02 PM
In response to PhoneBoy

Thank you for your response.

For this type of configuration that I have exposed.

Do you think it is necessary, to break the ClusterXL????

In your experience, is it feasible to leave the interface as it is now configured, with one IP, and add the new segment as a VLAN?
Or is it better to "leave the interface blank" and configure the 2 segments as distinct VLANs? ????

Greetings.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-07 03:10 PM
In response to Matlu

Note that ClusterXL requires the interface configuration to be the same on both cluster members.
Generally interfaces with VLANs should only have VLANs configured on it (i.e. no IP on the physical interface).
That implies "leave the interface blank" as you put it.
Not sure if that's a hard requirement or just best practice.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events