Single license vrrp - Management interface

[Wainer19]

Hey all,

Beginning in IPSO 4.2 Nokia has implemented single license VRRP. As some may know only the master member has CP policy installed on it and not the backup, hence only the one CP lic is being used at a time. In this configuration only the master member of the pair has all interfaces as up and on the backup only the management interface is up.

Now, lets say that I wanted to use the internet facing side of the pair so that I could remotely manage them, this would mean that the backup member with no policy installed is remotely accessable by network access.

This of course is by design, as your only paying for the one lic. But does anyone know a good way to lock down the management interface to all traffic expect that concerned with vrrp management and failover??

I'm fairly certain I could configure some IPSO ACL's for this purpose but was wondering if anyone has had any EXP with doing this? Otherwise I'm sure I can open up a ticket with Nokia and ask for a RFE.

Thanks

[mcnallym]

Presumably the box will be running the default Check Point policy as opposed to a completely open or no policy as such.

Could you not modify the default policy file to do what you want.