AnsweredAssumed Answered

R80.10 VRRP cluster: To hide or not to hide members ip?

Question asked by Markus Marquardt on Oct 12, 2018
Latest reply on Oct 12, 2018 by Aleksei Shelepov

Hi,

 

during troubleshooting connectivity issue from Gateway to Checkpoint update server on a R80.10 VRRP cluster standby member, it came to my attention, that even the standby Security Gateway in a VRRP cluster is using the cluster ip address to open the outgoing connection, eg. to open a connection to https://usercenter.checkpoint.com/  (seen by using tcpdump on the Gateway).

 

I believe this maybe correct, because option Hide Cluster Members outgoing traffic behind IP address is checked in cluster properties.

 

However, I wonder how it can work, because the next hop (internet router) cannot know how to route traffic back properly. If the reply comes back from internet, destination will be the cluster ip address, so it would be routed to the active cluster member, not to the standby where it originated from.

 

What is the recommendation for this option? Enable or disable it? The documentation is quite sparse, some SKs are stating it should be enabled in a specific case, others are stating it should be disabled.

 

In our environment, we have identity Awareness rolled out, using Identity Agent, and sharing identities between all Gateways.

 

So what would be the pros and cons in this case for this option?

 

Thanks

Markus

Outcomes