This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
yukaia
Contributor
‎2025-04-16 05:18 PM
Jump to solution

ElasticXL Appliance Sync Interface Question.

Hello all,

 

I'm playing with my personal remote lab currently in preparation for a project at $DAYJOB to deploy three 9800's in an ElasticXL cluster and I have a question about the Sync interfaces, given that sync plays an even more important part in an ElasticXl cluster. We're looking at using a pair of sfp+ 10gbe ports per gateway for our sync, does anyone know what the supported process is to configure an ElastiXL cluster this way?

I've poked around at the appliances in my lab and noticed that there's a bond interface for Sync with the 1gbe sync port added to, I'm assuming that when I initially configure the SMO for the cluster that I can just add the two sfp+ interfaces to the sync bond and be fine, would that be correct? I'd change things up in my lab, but it's a 7 hour drive away at a friend's colo right now.

Regards,

Zack.

2 Solutions

Accepted Solutions
Lesley
Mentor Mentor
Mentor
a month ago
Jump to solution

 

Important:

  • The "Sync" ports of all ElasticXL Cluster Members in the same ElasticXL Cluster must connect to the same Layer 2 broadcast domain (a dedicated Layer 2 switch, or a dedicated VLAN).

  • Only one ElasticXL Cluster is supported in the same Layer 2 broadcast domain (connecting Sync interfaces of different ElasticXL Clusters is not supported).

  • Configuring the Sync interface as VLAN Trunk is not supported.

  • ElasticXL Cluster sends all traffic over the Sync network in clear-text (non-encrypted).

  • ElasticXL Cluster automatically configures the IP address of the sync network to 192.0.2.0/24.

    If needed, later it is possible to change the IP address of the sync network.

ElasticXL Cluster renames the physical interfaces on the appliances:

  • The "Mgmt" interface becomes a subordinate interface in the Bond called "magg1".

  • The "Sync" interface is renamed to "eth1-Sync" and becomes a subordinate interface in the Bond called "Sync".

Lesley_0-1744918003286.png

 

Notes - Gaia OS does not show the bond interface "Sync" (or its subordinate interfaces) in Gaia Portal and in the Gaia Clish "set" commands. This is to prevent any changes to this infrastructure interface.

 

  • Does ElasticXL Cluster support a bond of Sync interfaces?

    Yes - the default configuration is a Bond called "Sync" that contains the eth1-Sync ("Sync") interface of the Security Appliance.

    By design, this interface is hidden.

So indeed bond should already be there. I am not sure if you add a SFP it will automatic add it to the SYNC. It think it picks it during the initial config. It should be possible if I read this know limitation. I would just indeed to add via gaia clish

PMTR-107433 ElasticXL Adding an unassigned interface to or from Sync bond leads to the flags reset and, as a result, it disrupts the ElasticXL detection and ElasticXL drops the packets.
-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

(1)
Bob_Zimmerman
Authority
Authority
a month ago
In response to yukaia
Jump to solution

For confirmation, here's my lab ElasticXL cluster:

[Expert@DallasticXL-s01-01:0]# clish -c "show configuration" | grep 1024
add bonding group 1024 
set bonding group 1024 mode active-backup 
set bonding group 1024 primary eth1-Sync 
set bonding group 1024 xmit-hash-policy layer2 
add bonding group 1024 interface eth1-Sync

Note that you should both add the interfaces you want to use and set one of them to be primary (or change the bond to a mode which doesn't have a primary). You should probably also remove eth1-Sync once you have done so.

View solution in original post

5 Replies
emmap
Employee
Employee
‎2025-04-16 07:31 PM
Jump to solution

The sync bond comes up as bonding group 1024 so I believe you can just add / remove interfaces to / from that, yes.

0 Kudos
yukaia
Contributor
a month ago
In response to emmap
Jump to solution

Thanks, that's what I was guessing, but I wasn't entirely sure.

0 Kudos
Bob_Zimmerman
Authority
Authority
a month ago
In response to yukaia
Jump to solution

For confirmation, here's my lab ElasticXL cluster:

[Expert@DallasticXL-s01-01:0]# clish -c "show configuration" | grep 1024
add bonding group 1024 
set bonding group 1024 mode active-backup 
set bonding group 1024 primary eth1-Sync 
set bonding group 1024 xmit-hash-policy layer2 
add bonding group 1024 interface eth1-Sync

Note that you should both add the interfaces you want to use and set one of them to be primary (or change the bond to a mode which doesn't have a primary). You should probably also remove eth1-Sync once you have done so.

yukaia
Contributor
a month ago
In response to Bob_Zimmerman
Jump to solution

Thanks for confirming that, I had more or less the same process in mind.

0 Kudos
Lesley
Mentor Mentor
Mentor
a month ago
Jump to solution

 

Important:

  • The "Sync" ports of all ElasticXL Cluster Members in the same ElasticXL Cluster must connect to the same Layer 2 broadcast domain (a dedicated Layer 2 switch, or a dedicated VLAN).

  • Only one ElasticXL Cluster is supported in the same Layer 2 broadcast domain (connecting Sync interfaces of different ElasticXL Clusters is not supported).

  • Configuring the Sync interface as VLAN Trunk is not supported.

  • ElasticXL Cluster sends all traffic over the Sync network in clear-text (non-encrypted).

  • ElasticXL Cluster automatically configures the IP address of the sync network to 192.0.2.0/24.

    If needed, later it is possible to change the IP address of the sync network.

ElasticXL Cluster renames the physical interfaces on the appliances:

  • The "Mgmt" interface becomes a subordinate interface in the Bond called "magg1".

  • The "Sync" interface is renamed to "eth1-Sync" and becomes a subordinate interface in the Bond called "Sync".

Lesley_0-1744918003286.png

 

Notes - Gaia OS does not show the bond interface "Sync" (or its subordinate interfaces) in Gaia Portal and in the Gaia Clish "set" commands. This is to prevent any changes to this infrastructure interface.

 

  • Does ElasticXL Cluster support a bond of Sync interfaces?

    Yes - the default configuration is a Bond called "Sync" that contains the eth1-Sync ("Sync") interface of the Security Appliance.

    By design, this interface is hidden.

So indeed bond should already be there. I am not sure if you add a SFP it will automatic add it to the SYNC. It think it picks it during the initial config. It should be possible if I read this know limitation. I would just indeed to add via gaia clish

PMTR-107433 ElasticXL Adding an unassigned interface to or from Sync bond leads to the flags reset and, as a result, it disrupts the ElasticXL detection and ElasticXL drops the packets.
-------
If you like this post please give a thumbs up(kudo)! 🙂
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 20 May 2025 @ 11:30 AM (PDT)

    Las Vegas: Check Point Hybrid Mesh
    In-Person

    Wed 21 May 2025 @ 11:30 AM (MST)

    Tempe, AZ: Check Point Hybrid Mesh
    In-Person

    Tue 03 Jun 2025 @ 09:00 AM (CEST)

    CheckMates LIve France - Workshop Check Point Quantum
    In-Person

    Tue 03 Jun 2025 @ 06:00 PM (EDT)

    Montreal: CPX Recap
    In-Person

    Tue 10 Jun 2025 @ 06:00 PM (EDT)

    Quebec City: CPX Recap
    CheckMates Events