This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nandhakumar
Participant
‎2022-03-30 03:47 AM

Outgoing packets from cluster member NAT issue

Having weird issue in Checkpoint Cluster member. 

We have configured cluster member but when i try to do telnet one of our internal server from Active node its getting succeed but same not getting succeed from Standby node.

When i analyzed logs, it seems active node physical interface ip is hidden behind respective interface cluster VIP IP as source.

In standby node, NAT not happening and it uses physical interface IP. 

 

Now my question, how can we make config so that standby node also nat its physical ip with cluster vip for outgoing interface. i created manual NAT rule but there is no luck.

Same works when i make standby node to active by failover traffic. At the same active will become standby, so in this case it will fail in this node.

 

 

0 Kudos
2 Replies
Juan_
Collaborator
‎2022-03-30 06:33 AM

I suggest to set your standby member as a "Silent Standby"

Set these Kernel parameters:

fwha_silent_standby_mode=1
fwha_cluster_hide_active_only=0

 

Set the same parameters in both members.

You can set them on the fly:

fw ctl set int fwha_silent_standby_mode 1

fw ctl set int  fwha_cluster_hide_active_only 0

More info:

SK169154 

 

To make it permanent see sk26202 

 

If your management is below R80.40 you will need rules for the standby to initiate connections, as these will be evaluated in policy on the active.

0 Kudos
Nandhakumar
Participant
‎2022-03-30 09:24 PM
In response to Juan_

Thanks for your help but unfortunately this doesn't helped me to resolve my issue.

0 Kudos