Please help me understand how to configure the internet-facing interface in #Clusterxl, and also ClusterXL with ISP redundancy.
Scenario 1: ClusterXL high availability, 14 public IPs from one ISP
Scenario 2: ClusterXL high availability, 14 public IPs from two separate ISPs (#ISP_Redundancy)
Assuming your ISP allocated you a /28 (14 addresses after you exclude the network and broadcast), you're going to need 3 IP addresses: one for each cluster member, and one for the VIP for ClusterXL.
I presume the ISP's default router will also take one of those IP addresses (as the default route).
Both cluster members will be configured to use that default route.
In any case, this, along with the ISP Redundancy requirement, should be a fairly standard configuration covered by the product documentation: ClusterXL R80.10 (Part of Check Point Infinity)
If you have specific questions after reading the docs and can provide more details about your proposed configuration, feel free to ask.
Hi Dameon,
I have followed your instructions, but I am not sure about the default gateway and static NAT. Also, I am confused about ISP redundancy failover: will the failover happen on the same firewall, or fail over to the standby firewall?
Default Gateway:
For each member, what default gateway should be configured? (ClusterXL mode)
NAT:
For static NAT to a web server (static NAT to one of the IPs of the /28, NOT the firewall IP), do I need to create an alias for each IP address and assign it to the firewall's external address?
How should I configure static NAT for ClusterXL with ISP redundancy?
Thanks in advance for your help.
ISP Redundancy is local to the specific gateway.
In a cluster it should be configured on both members.
The default route should be your primary ISP's next hop IP (again, configured on both members).
For NAT, you do not need to create that static IP as an alias, you merely need to make a rule in the NAT rulebase.
You can have multiple public IPs (for the different ISP links) for your webserver.
This specific example is covered in the documentation: How To Configure ISP Redundancy
Thanks for your reply.
If the default gateway is configured as the primary and the primary Internet link fails, how will the firewall handle the secondary ISP route?
(In the cluster object I have enabled ISP redundancy in primary/backup mode with the next hop IP addresses, but I'm not sure whether I also have to add a default gateway in the GUI static routes or not.)
Also, the static NAT to my web server is not working without creating aliases!
Thank you very much Dameon .
Hello,
I configured a cluster in an R80.10 distributed configuration. Our ISP switch port is in trunk mode. How do I configure the trunk on the external interface? I read that if I add VLAN 10 on eth1, the trunk is automatically added on eth1. My problem is that the external trunk port interface isn't working. How do I configure a trunk on the cluster's external interfaces?
Basically you treat each VLAN as if it were a physical interface.
This means:
Note also the following limitation when using VLANs with ClusterXL: Monitoring of VLAN interfaces in ClusterXL
Thanks for the answer. This is my topology. I need to configure a trunk on the Check Point. Below is what I did.
1. Assigned the VLAN on eth1 on both Check Points.
2. Set the default gateway to the ISP, 1.1.1.4.
3. Did Get Topology and configured the network on eth1 as external.
4. WG is a WatchGuard firewall.
The problem is: I could not ping from the Check Point to the WG or to the ISP.
Is my topology correct for this cluster?
A VLAN trunk only works if both ends are configured the same way.
If you plug the WatchGuard interface with a Trunk into a switch port, then that switch port must:
The same applies to both Check Point devices, on both the WatchGuard side and the Cisco side.
Also, on the gateway topology, the interface that should be marked as external is eth1.10 (the VLAN interface) not eth1 (the physical one).
On a separate note, load sharing configurations (while supported) are generally not advised.
If the cluster members exceed 50% utilization and one node fails, the other member will become overloaded (which may cause a complete outage).
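As an added example (not from this thread or from Check Point's documentation) of the per-member configuration the answer above describes, the Gaia clish commands below create the VLAN 10 sub-interface on eth1 on each cluster member and set the same default route on both. The member addresses 1.1.1.1 and 1.1.1.2 are constructed to sit in a 1.1.1.0/28 with the ISP next hop 1.1.1.4 from the thread; the cluster VIP and the "external" marking of eth1.10 are assumed to be set on the cluster object in SmartConsole rather than in clish, and the `#` lines are annotations, not clish input.

```clish
# Member A (constructed address 1.1.1.1/28), entered in Gaia clish on member A
add interface eth1 vlan 10
set interface eth1.10 ipv4-address 1.1.1.1 mask-length 28
set interface eth1.10 state on
# Same next hop on both members: the primary ISP router from the thread
set static-route default nexthop gateway address 1.1.1.4 on
save config

# Member B (constructed address 1.1.1.2/28), identical apart from the address
add interface eth1 vlan 10
set interface eth1.10 ipv4-address 1.1.1.2 mask-length 28
set interface eth1.10 state on
set static-route default nexthop gateway address 1.1.1.4 on
save config

# Checks on either member: the VLAN sub-interface is up and addressed,
# the default route points at the ISP, and ClusterXL lists which
# interfaces it monitors (cphaprob is run from expert mode)
show interface eth1.10
show route
cphaprob -a if
```

If `show interface eth1.10` shows the interface down or `cphaprob -a if` reports it as a problem, check that the switch port facing each member carries VLAN 10 tagged, since an untagged port on one end will not pass traffic for a tagged sub-interface on the other.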
Thanks for the answer. I understood from your answer that the trunk port works. Maybe I missed some configuration. Can you give me a configuration checklist for this topology? Can you give me a phone number? I have some questions about the cluster in Check Point R80.10. Is that possible?