- Products
- Learn
- Local User Groups
- Partners
- More
Introduction to Lakera:
Securing the AI Frontier!
Quantum Spark Management Unleashed!
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
SharePoint CVEs and More!
Hi All,
If you are using Smart-Cloud to manage your Security Gateways and are looking to deploy a Cluster - You will need to do this using the ADD EXISTING GATEWAY option.
When you provision/add a new gateway from Smart Cloud, this will create the Gateway Object within Smart Console. Now if these gateways need to be part of a cluster, then you will have to add them using the ADD EXISTING GATEWAY option.
Additionally the topology will now have the maas_tunnel interface also detected as part of the GET INTERFACES with TOPOLOGY.
I had my interface topology configured as below to work successfully.
Hope this is helpful.
Thank you for sharing this. This is indeed the way to do it today in Smart-1 Cloud.
Since Cluster is a very common deployment, I also wanted to share that we are working on a simpler way to do this, which will be similar to the way you connect a regular gateway.
This will be rolled out automatically for Smart-1 Cloud users.
When will this new deployment be ready?
Hello Abbas,
Thanks for sharing this, as I'm trying to setup my first cluster in Smart-1 Cloud.
I successfully connected the gateways and establish communication with Management Server with SIC Trust, and so far I have the maas_tunnel, inside, outside and sync interfaces for each GW. However when I try to setup a cluster following the wizard / or even classic mode as you suggest above, can you please advise what IP do we configure as a Cluster VIP IPv4 address ?
I also read the documentation, but all it says is not to use an IP from 100.64.x.x network. Still I don't figure out what IP I should use as a Cluster VIP.
Our deployment is in R80.40
Thanks for your help in advance,
Konstantinos
Hello Konstantinos,
The gateways get the automatic IP when establishing the maas tunnel, for the Cluster itself, you should provide your own virtual IP. Similar when connecting a cluster to an on-prem management, nothing special here for Smart-1 Cloud.
If you still have some challenges, please let me (@Anat_Eytan-Davi) or @Amiad_Stern know and we will be happy to assist,
BR,
Anat.
Hello Anat,
Thanks for your explanation. I understood that once you connect the GWs to the smart-1 Cloud, those get their 100.64.x.x/32 IPs ( MaaS tunnel IP). For the cluster VIP, I figured I could use the VIP of the inside interface ( cluster ).
Once the cluster was setup, in the Network Topology, the Inside / Outside / Sync interfaces, would be appear as it should. Nevertheless, there would be 2 entries, each for a different GW, where there would be the maas tunnel /32 IP.
I’m not sure if this is the expected outcome, to have in the Cluster Network Topology, different maas interface / per GW
Unfortunately, I cannot provide you with any screenshots, as finally we deployed the Management Server on premise ( VM-Open Server).
However, if there will be a case where I’ll need to setup a cluster on Smart-1 Cloud, I’ll return back to the same post.
Anyhow, thanks for your contribution and support on this case.
Kind Regards,
Konstantinos
Nice info!
Hello,
I need to move an on prem cluster to the cloud, I imported the management with success but now it's not clear what to do with the gateways: I added my two gateways and they created their new maas_tunnel interfaces 100.64.x.x/32, but how can I define the vip for them?
Or is it not necessary?
The whole process is not explained anywhere, do I have to add rules for the 100.64.x.x IPs?
Can you helping me in the steps to migrate my on premise cluster to be managed from the SMS Cloud?
Thanks
Hi,
You can create a new Cluster object, or use an existing Cluster object.
The Cluster Virtual IP is not automatically given by the system, and you need to assign one.
Make sure not to give an IP address from this subnet: 100.64.x.x
Next phase is to navigate to Cluster Members > click Add > click Add Existing Gateway > select the Security Gateway object.
You need to allow the communication between the Security Gateway and the service:
HTTPS (TCP 443) to your domain at Smart-1 Cloud:
<Service-Identifier>.maas.checkpoint.com
For Smart-1 Cloud deployments in Europe:
cloudinfra-gw.portal.checkpoint.com
For Smart-1 Cloud deployments in the United States:
cloudinfra-gw-us.portal.checkpoint.com
I do recommend to check the admin guide, especially the section for advanced configuration: Smart-1 Cloud Advanced Configuration (checkpoint.com)
Please feel free to reach out if the process is still unclear or for any additional question to me (anate@checkpoint.com) or to maas@checkpoint.com
Anat.
I'm seeing some differences in the information here when setting up a new Azure R81 IaaS cluster connected to MaaS.
The mass_tunnel interfaces are 100.100.0.*/32 while the management service is on 10.64.0.* This is causing traffic to head out the external interface. For the primary member this is not an issue, but the secondary keeps disconnecting when the policy is applied. Looking at the connection it is hiding behind the cluster VIP which we don't want it to do. I have tried sk34180 as a workaround/fix for this, but to no avail, as it keeps reverting to hiding the standby's traffic via the VIP.....
But should the traffic for the management service go via the MaaS tunnel?
Hello,
What is the best practice to overcome the Standby cluster member can communicate via the MaaS Tunnel?
Thank you!
Hi Garbo,
The standby member should communicate through the maas tunnel.
What is the problem that you see in your setup ?
BR
Hi Rafi,
The current STANDBY cluster member always lost its connection with the Smart-1 Cloud.
It can be reproduced anytime with a controlled cluster failover.
The maas_tunnel disappears from the STANDBY member interfaces when >show interfaces command is executed and appears on the ACTIVE member.
It can be seen in the /var/log/messages file of the new STANDBY member, when initiating a controlled cluster failover:
ntpd[13416]: Deleting interface #10 maas_tunnel, 100.100.xx.yyy#123, interface stats: received=0, sent=0, dropped=0, active_time=932 secs
Thank you and best regards!
Hi,
I would recommend to check the internet connectivity on the STANDBY member after the failover. Each member should have connectivity to the cloud in order to establish the tunnel and create the maas_tunnel interface. Even if the tunnel went down during the failover, it should go up again. If you have shell prompt, you can test internet connectivity by running curl_cli and also you can inspect what is printed when you run "maas status" command.
BR
If mass tunnel interfaces Subnets and IP's are different then what configuration we need to do?
Hello @Rajeshk - Can you share more context or specifics regarding your question?
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
2 | |
1 |
Tue 30 Sep 2025 @ 08:00 AM (EDT)
Tips and Tricks 2025 #13: Strategic Cyber Assessments: How to Strengthen Your Security PostureTue 07 Oct 2025 @ 10:00 AM (CEST)
Cloud Architect Series: AI-Powered API Security with CloudGuard WAFTue 30 Sep 2025 @ 08:00 AM (EDT)
Tips and Tricks 2025 #13: Strategic Cyber Assessments: How to Strengthen Your Security PostureThu 09 Oct 2025 @ 10:00 AM (CEST)
CheckMates Live BeLux: Discover How to Stop Data Leaks in GenAI Tools: Live Demo You Can’t Miss!Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY