CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.


#1, 2008-11-18, Dominik Zanolari (Member, Switzerland)

Virtual interface config (VRRP) in Check Point object

While looking at several cluster configurations done with Check Point NGX (R60, R62, R65) on Crossbeam, I see the following two variations:

General setup, on both variations identical:
- VRRP configured according to Crossbeam's config guide
- Cluster properties configured according to Check Point's guide, 3rd party OPSEC
- Check Point cluster configured as Other OPSEC, high availability and use state sync
- two ticks on "Hide Cluster members outgoing traffic behind..." and "forward cluster members traffic..."

Now the difference in the topology config:

Setup A:
- "cluster" as network type on all interfaces participating in VRRP
- virtual addresses defined
- one sync link in place

Setup B:
- "private" as network type on all interfaces participating in VRRP
- virtual addresses not defined
- one sync link in place

To my surprise, both configs work for basic operation (i.e. TCP state sync) upon failover. Looking at it closer revealed that Hide NAT fails, i.e. state seems not to get synced on Setup B upon failover.

Personally I always configured as in setup A, as I never read or heard otherwise and I will go forward and correct the other configs. Yet I'm interested in getting your opinion. What do you see "out there" and might there be a scenario where configuring the virtual IPs within Check Point creates a problem? Check Point's documentation leaves this open and refers to each vendor's documentation while Crossbeam doesn't cover this at all, at least not in their KB and available documentation.

PS: I consider myself "fluent" on Nokia and, to some extent, Crossbeam, and that's what I encounter most at customers. Don't know how things look with e.g. 3rd party solutions on SPLAT or Solaris, as I know these platforms for management purposes (SmartCenter/MDS etc.) only.

Last edited by Dominik Zanolari; 2008-11-18 at 08:04.
#2, 2008-11-23, dfwboiler (Junior Member)

Re: Virtual interface config (VRRP) in Check Point object

I've set up Crossbeam C series as option B.

We did have an issue with VPN when using option B, but I cannot remember what the exact issue was with this option.
When we added in the cluster addresses in the topology it resolved the issue.