This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2022-06-27 12:32 AM

Cascading interface faiilure

Hello All,

Is it possible to cascade link failure form one interface to another.  If the Internet facing link fails, then we want to take down a specific interface on the Check Point gateway. When the Internet facing link comes up, then the specific interface is reactivated.  There are monitored IPs, but there seems no way to link the status of an interface to a monitored IP.

We are looking at if Check Point can replace Fortinet for particular customer and this is one feature the Fortinet has, that I cannot find a similar feature for on the Checkpoint.

The Fortinet feature is the following, if Port3 goes down then Port 4 is also shutdown. 

It woudl be possible with a script that is running periodically on the gateway, but a customized script is something that the customer would feel comfortable supporting.

Many thanks,

Michael

 

0 Kudos
3 Replies
Chris_Atkinson
Employee
Employee
‎2022-06-27 01:08 AM

Is there dynamic routing used in this environment?

If the interfaces are bridged you have the option of Link State Propagation:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Top...

0 Kudos
Michael_Horne
Advisor
‎2022-06-27 01:52 AM
In response to Chris_Atkinson

Hello Chris,

The FW is running in routed mode.  

Regards,

Michael

0 Kudos
Timothy_Hall
Champion
Champion
‎2022-06-27 05:30 AM
In response to Michael_Horne

If you are using ClusterXL you can adapt the clusterXL_monitor_ips script to do what you want.  sk92904: How to configure $FWDIR/bin/clusterXL_monitor_process script to run automatically on Gaia /...

This script is used to ping an IP address and then issue a pnote when the IP no longer responds, thus causing a failover.  Replace the following lines in the script:

$FWDIR/bin/cphaconf set_pnote -d host_monitor -t 0 -s ok register -----> Comment out this line

$FWDIR/bin/cphaconf set_pnote -d host_monitor -s problem report -----> ifdown (interfacename)

$FWDIR/bin/cphaconf set_pnote -d host_monitor -s ok report -----> ifup (interfacename)

Note that downing an interface like this will cause a failover due to an Interface Active Check pnote being triggered.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos