This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nandhakumar
Contributor
‎2022-03-30 03:47 AM

Outgoing packets from cluster member NAT issue

Having weird issue in Checkpoint Cluster member. 

We have configured cluster member but when i try to do telnet one of our internal server from Active node its getting succeed but same not getting succeed from Standby node.

When i analyzed logs, it seems active node physical interface ip is hidden behind respective interface cluster VIP IP as source.

In standby node, NAT not happening and it uses physical interface IP. 

 

Now my question, how can we make config so that standby node also nat its physical ip with cluster vip for outgoing interface. i created manual NAT rule but there is no luck.

Same works when i make standby node to active by failover traffic. At the same active will become standby, so in this case it will fail in this node.

 

 

0 Kudos
2 Replies
Juan_
Collaborator
‎2022-03-30 06:33 AM

I suggest to set your standby member as a "Silent Standby"

Set these Kernel parameters:

fwha_silent_standby_mode=1
fwha_cluster_hide_active_only=0

 

Set the same parameters in both members.

You can set them on the fly:

fw ctl set int fwha_silent_standby_mode 1

fw ctl set int  fwha_cluster_hide_active_only 0

More info:

SK169154 

 

To make it permanent see sk26202 

 

If your management is below R80.40 you will need rules for the standby to initiate connections, as these will be evaluated in policy on the active.

0 Kudos
Nandhakumar
Contributor
‎2022-03-30 09:24 PM
In response to Juan_

Thanks for your help but unfortunately this doesn't helped me to resolve my issue.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 07 Oct 2025 @ 09:30 AM (CEST)

    CheckMates Live Denmark!
    CheckMates Events