This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nathan_Ressel
Employee Alumnus
Employee Alumnus
‎2023-06-30 01:44 PM

ZScaler GRE to CP Cluster

See attachment for solution.

Preview file
681 KB
2 Replies
Raj_Khatri
Advisor
‎2023-07-10 08:21 AM

Hi Nathan,

Thanks for providing the solution in the attached cluster guide.  I have a few questions - 

If a cluster is setup in an active/standby HA configuration, there is a single external VIP.  This is used to provision the Zscaler GRE tunnel.   Zscaler provides a /29 subnet to be used for the GRE tunnel configuration for 2 tunnels.  This does not provide a configuration for 4 tunnels.

As mentioned in the guide, it mentions 2 separate tunnel configurations.  Please advise if 2 public IPs were utilized on the firewall cluster.  This is not clearly noted.

Also, can you share a screenshot of the SmartConsole Network Management window showing the interface configuration?

If the same GRE configuration is mirrored onto both firewalls, what issues would that present as only a single firewall will be active at any given time.

Thanks

Guerric_LM
Explorer
‎2023-11-03 03:40 AM
In response to Raj_Khatri

Hello Raj,

For one of my customer i configured GRE tunnels with 2 tunnels, even if in GRE tunnel configuration you specified local address of gateway, active member will replace it by cluster VIP in GRE tunnel establishment and to encapsulate traffic.

So you can use the same local address for differents tunnels, that's what i did and it works.

Also i disagree the configurations steps regarding network topology, here is what i configured :

As Zscaler do not provide enough IP address i used the IP provided for my node as cluster VIP in topology. As local address in tunnel i used another IP address.
I declared the VIP as scopelocal route as explained in Configuring Cluster Addresses on Different Subnets (checkpoint.com)


I attach GRE tunnel configuration, scopelocal routes and the topology configured

GRE conf.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events