This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2022-06-27 12:32 AM

Cascading interface faiilure

Hello All,

Is it possible to cascade link failure form one interface to another.  If the Internet facing link fails, then we want to take down a specific interface on the Check Point gateway. When the Internet facing link comes up, then the specific interface is reactivated.  There are monitored IPs, but there seems no way to link the status of an interface to a monitored IP.

We are looking at if Check Point can replace Fortinet for particular customer and this is one feature the Fortinet has, that I cannot find a similar feature for on the Checkpoint.

The Fortinet feature is the following, if Port3 goes down then Port 4 is also shutdown. 

It woudl be possible with a script that is running periodically on the gateway, but a customized script is something that the customer would feel comfortable supporting.

Many thanks,

Michael

 

0 Kudos
3 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-06-27 01:08 AM

Is there dynamic routing used in this environment?

If the interfaces are bridged you have the option of Link State Propagation:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Top...

CCSM R77/R80/ELITE
0 Kudos
Michael_Horne
Advisor
‎2022-06-27 01:52 AM
In response to Chris_Atkinson

Hello Chris,

The FW is running in routed mode.  

Regards,

Michael

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-06-27 05:30 AM
In response to Michael_Horne

If you are using ClusterXL you can adapt the clusterXL_monitor_ips script to do what you want.  sk92904: How to configure $FWDIR/bin/clusterXL_monitor_process script to run automatically on Gaia /...

This script is used to ping an IP address and then issue a pnote when the IP no longer responds, thus causing a failover.  Replace the following lines in the script:

$FWDIR/bin/cphaconf set_pnote -d host_monitor -t 0 -s ok register -----> Comment out this line

$FWDIR/bin/cphaconf set_pnote -d host_monitor -s problem report -----> ifdown (interfacename)

$FWDIR/bin/cphaconf set_pnote -d host_monitor -s ok report -----> ifup (interfacename)

Note that downing an interface like this will cause a failover due to an Interface Active Check pnote being triggered.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events