This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maller
Contributor
‎2021-10-25 01:08 AM

best practices to add VLAN interface in a cluster

Hi all

Usually  we have configured new DMZ adding it manually  "add interface etc..."  , to avoid issues using "get interfaces with topology " or "get interfaces without topology". In this way we have been working without issues in R80.10.

Now using this procedure ,we are facing an issue adding new vlan interfaces in a  R80.40 cluster . After install policy , new dmz VIP  are not configured . It does not appear in "cphaprob -a if " 

To solve this issue , we have to use "get interface without topology" .  I don't understand why manually process  is not working now. 

any suggestion?

thanks

 

Manel

Labels
0 Kudos
6 Replies
Yair_Shahar
Employee
Employee
‎2021-10-25 01:40 AM

Hi Manel,

 

Is the DMZ VIP configured in the Cluster Topology? this should be manually configured after getting interfaces.

 

Thanks,

Yair

0 Kudos
Maller
Contributor
‎2021-10-25 03:16 AM
In response to Yair_Shahar

Hi Yair

yes , DMZ VIP is configured. What I don't understand is that  adding interfaces manually "actions -> new interface" in FW object  ,  configuring VIP  and installing policy everything worked fine . This cluster has more than 70 DMZ  and all of them were configured in this way.

Now , since upgrade to R80.40  it seems that  manual way is not valid and we have to do it using "GET interfaces without topology " .

thanks

0 Kudos
Yair_Shahar
Employee
Employee
‎2021-10-26 02:35 AM
In response to Maller

Is it consistent? and happen on more than single interface?

are all IPs and masks configured in Topology match the IPs and masks configured on Gaia?

 

I tried this on R81.10 and it does not seem to occur.

I can try this with R80.40 later on - Which Jumbo Take are you using?

 

Yair

 

0 Kudos
Maller
Contributor
‎2021-10-26 01:05 PM
In response to Yair_Shahar

Hi Yair

Yes , it's consistent. All ip matches between topology and gaia. 

All new dmz are added to bond0.X interface.

This cluster is running r80.40 take 125. 

I opened a SR with support , and yes they said that the right  way to create new dmz is with get interface option . But I think that  option 'add interface' manually should work also and I don't understand why it doesn't work. 

With R80.10 always worked. Problems related to new interfaces creation  started with R80.40  .

Thanks. 

0 Kudos
Yair_Shahar
Employee
Employee
‎2021-10-28 02:15 AM
In response to Maller

Hi,

I have tried this on my lab with R80.40, I'm yet to see this issue occur.

As mentioned - vlan, bond and ip configured on gaia, on cluster topology new interface created and configured manually (didn't use get-interfaces)

after install policy new VIP added to cphaprob -a if - see below bond2..180

Do I miss anything? is there any specific configuration you are using? on management or gateway side?

 

[Expert@cluster-member-83.27-R80.40-294:0]# cphaprob -a if

CCP mode: Manual (Unicast)
Required interfaces: 5
Required secured interfaces: 1


Interface Name: Status:

eth0 UP
eth2 (S) UP
bond1 (HA) UP
bond2.9 (LS) UP
bond2.180 (LS) UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 55

eth0 192.168.83.25 VMAC address: 00:1C:7F:00:4E:8E
bond1 10.83.25.1 VMAC address: 00:1C:7F:00:4E:8E
bond2.9 5.5.5.10 VMAC address: 00:1C:7F:00:4E:8E
bond2.10 30.0.10.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.11 30.0.11.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.12 30.0.12.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.13 30.0.13.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.14 30.0.14.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.15 30.0.15.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.16 30.0.16.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.17 30.0.17.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.18 30.0.18.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.19 30.0.19.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.20 30.0.20.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.21 30.0.21.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.22 30.0.22.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.23 30.0.23.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.24 30.0.24.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.25 30.0.25.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.26 30.0.26.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.27 30.0.27.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.28 30.0.28.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.29 30.0.29.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.30 30.0.30.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.31 30.0.31.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.32 30.0.32.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.33 30.0.33.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.34 30.0.34.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.35 30.0.35.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.36 30.0.36.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.37 30.0.37.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.38 30.0.38.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.39 30.0.39.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.40 30.0.40.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.41 30.0.41.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.42 30.0.42.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.43 30.0.43.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.44 30.0.44.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.45 30.0.45.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.46 30.0.46.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.47 30.0.47.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.48 30.0.48.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.49 30.0.49.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.50 30.0.50.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.51 30.0.51.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.52 30.0.52.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.53 30.0.53.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.54 30.0.54.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.55 30.0.55.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.56 30.0.56.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.57 30.0.57.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.58 30.0.58.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.59 30.0.59.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.60 30.0.60.3 VMAC address: 00:1C:7F:00:4E:8E
bond2.180 60.60.60.60 VMAC address: 00:1C:7F:00:4E:8E

0 Kudos
Maller
Contributor
‎2021-10-28 09:32 AM
In response to Yair_Shahar

Hi

Nothing special neither in gw nor in  console.  This behavior started after upgrade to R80.40 and the upgrade was right .  I'll continue to investigate this matter.

thanks

 

 

thank you

0 Kudos