This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maller
Contributor
‎2021-10-25 01:08 AM

best practices to add VLAN interface in a cluster

Hi all

Usually  we have configured new DMZ adding it manually  "add interface etc..."  , to avoid issues using "get interfaces with topology " or "get interfaces without topology". In this way we have been working without issues in R80.10.

Now using this procedure ,we are facing an issue adding new vlan interfaces in a  R80.40 cluster . After install policy , new dmz VIP  are not configured . It does not appear in "cphaprob -a if " 

To solve this issue , we have to use "get interface without topology" .  I don't understand why manually process  is not working now. 

any suggestion?

thanks

 

Manel

Labels
0 Kudos
6 Replies
Yair_Shahar
Employee
Employee
‎2021-10-25 01:40 AM

Hi Manel,

 

Is the DMZ VIP configured in the Cluster Topology? this should be manually configured after getting interfaces.

 

Thanks,

Yair

0 Kudos
Maller
Contributor
‎2021-10-25 03:16 AM
In response to Yair_Shahar

Hi Yair

yes , DMZ VIP is configured. What I don't understand is that  adding interfaces manually "actions -> new interface" in FW object  ,  configuring VIP  and installing policy everything worked fine . This cluster has more than 70 DMZ  and all of them were configured in this way.

Now , since upgrade to R80.40  it seems that  manual way is not valid and we have to do it using "GET interfaces without topology " .

thanks

0 Kudos
Yair_Shahar
Employee
Employee
‎2021-10-26 02:35 AM
In response to Maller

Is it consistent? and happen on more than single interface?

are all IPs and masks configured in Topology match the IPs and masks configured on Gaia?

 

I tried this on R81.10 and it does not seem to occur.

I can try this with R80.40 later on - Which Jumbo Take are you using?

 

Yair

 

0 Kudos
Maller
Contributor
‎2021-10-26 01:05 PM
In response to Yair_Shahar

Hi Yair

Yes , it's consistent. All ip matches between topology and gaia. 

All new dmz are added to bond0.X interface.

This cluster is running r80.40 take 125. 

I opened a SR with support , and yes they said that the right  way to create new dmz is with get interface option . But I think that  option 'add interface' manually should work also and I don't understand why it doesn't work. 

With R80.10 always worked. Problems related to new interfaces creation  started with R80.40  .

Thanks. 

0 Kudos
Yair_Shahar
Employee
Employee
‎2021-10-28 02:15 AM
In response to Maller

Hi,

I have tried this on my lab with R80.40, I'm yet to see this issue occur.

As mentioned - vlan, bond and ip configured on gaia, on cluster topology new interface created and configured manually (didn't use get-interfaces)

after install policy new VIP added to cphaprob -a if - see below bond2..180

Do I miss anything? is there any specific configuration you are using? on management or gateway side?

 

[Expert@cluster-member-83.27-R80.40-294:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 5
Required secured interfaces: 1


Interface Name: Status:

eth0 UP
eth2 (S) UP
bond1 (HA) UP
bond2.9 (LS) UP
bond2.180 (LS) UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 55

eth0 192.168.83.25 VMAC address: 00:1C:7F:00:4E:8E
bond1 10.83.25.1 VMAC address: 00:1C:7F:00:4E:8E
bond2.9 5.5.5.10 VMAC address: 00:1C:7F:00:4E:8E
bond2.10 30.0.10.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.11 30.0.11.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.12 30.0.12.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.13 30.0.13.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.14 30.0.14.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.15 30.0.15.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.16 30.0.16.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.17 30.0.17.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.18 30.0.18.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.19 30.0.19.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.20 30.0.20.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.21 30.0.21.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.22 30.0.22.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.23 30.0.23.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.24 30.0.24.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.25 30.0.25.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.26 30.0.26.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.27 30.0.27.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.28 30.0.28.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.29 30.0.29.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.30 30.0.30.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.31 30.0.31.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.32 30.0.32.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.33 30.0.33.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.34 30.0.34.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.35 30.0.35.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.36 30.0.36.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.37 30.0.37.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.38 30.0.38.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.39 30.0.39.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.40 30.0.40.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.41 30.0.41.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.42 30.0.42.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.43 30.0.43.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.44 30.0.44.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.45 30.0.45.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.46 30.0.46.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.47 30.0.47.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.48 30.0.48.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.49 30.0.49.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.50 30.0.50.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.51 30.0.51.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.52 30.0.52.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.53 30.0.53.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.54 30.0.54.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.55 30.0.55.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.56 30.0.56.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.57 30.0.57.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.58 30.0.58.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.59 30.0.59.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.60 30.0.60.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.180 60.60.60.60 VMAC address: 00:1C:7F:00:4E:8E

0 Kudos
Maller
Contributor
‎2021-10-28 09:32 AM
In response to Yair_Shahar

Hi

Nothing special neither in gw nor in  console.  This behavior started after upgrade to R80.40 and the upgrade was right .  I'll continue to investigate this matter.

thanks

 

 

thank you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events