CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: Bridge mode cluster - object's IP address is required in SmartConsole

  1. #1
    Join Date: 2006-02-02
    Location: Czech Republic
    Posts: 42

    Bridge mode cluster - object's IP address is required in SmartConsole

    A bridge mode cluster normally does not have any virtual IP address (cluster IP address). There are only IP addresses of the individual firewall nodes for management and synchronization purposes.

    What is the best practice when you create the cluster object in SmartConsole? The GUI insists on specifying its IP address, but there is not any. As far as I know, the cluster object's IP address could be used only for a handful of functions like VPN address, automatic hide NAT address... I do not want to (and probably cannot) use any of them.

    Is it OK to specify 0.0.0.0 as the cluster object IP address?
    Did you encounter any problems with the bridge mode cluster object IP address?

  2. #2
    Join Date: 2006-03-08
    Location: Lausanne
    Posts: 1,030

    Re: Bridge mode cluster - object's IP address is required in SmartConsole

    No, that won't do.

    You need to set an actual IP address for the cluster anyway, otherwise CP cannot handle it. Just use an additional address from the MGMT network. You do need physical IP addresses on DMI cluster members, otherwise you will not be able to install policy.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  3. #3
    Join Date: 2006-02-02
    Location: Czech Republic
    Posts: 42

    Re: Bridge mode cluster - object's IP address is required in SmartConsole

    Thank you for your reply.

    I should state that the gateways are not VSX. I am used to the term DMI (dedicated management interface) only on VSX gateways. ...but as I mentioned, the gateways have dedicated interfaces for management.

    The current state is:

    - management R80.10 (not MDM)
    - 2 gateways R80.10 (regular GWs, not VSX)

    on each gateway:
    - bond0 - dedicated for management - each GW has its own IP address, in the cluster topology the interfaces are set as private (no VIP - normal for management interfaces)
    - bond1 - dedicated for cluster synchronization - again each GW has its own IP address, in the cluster topology the interfaces are set as sync
    - bond10 - one side of the bridge
    - bond11 - the other side of the bridge

    - bond10 and bond11 as interfaces for the L2 bridge have no IP addresses and they are not listed in the cluster object topology (as a side note - there will be multiple tagged VLANs going through the bridge)

    For me it seems ridiculous to define a VIP on bond0 (and change the interface to L3 clustered) just to satisfy a single field on the cluster object with no real use. As this is a security device, I do not want to clutter it with nonsense.

    Currently I am using the IP address 0.0.0.0 as the main IP address of the cluster object. I have already installed the policy multiple times. So far, as I hoped, everything works normally, but I would like to know if I could encounter any problems in the future. The bridge mode is covered too little in the Check Point documentation!

  4. #4
    Join Date: 2006-03-08
    Location: Lausanne
    Posts: 1,030

    Re: Bridge mode cluster - object's IP address is required in SmartConsole

    To be on the safe side, I would recommend using another address from the bond0 subnet. 0.0.0.0 is not a host address, it is a network. The rest is up to you.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  5. #5
    Join Date: 2007-03-30
    Location: DFW, TX
    Posts: 320

    Re: Bridge mode cluster - object's IP address is required in SmartConsole

    The "main IP" does not currently need to be owned by any cluster interface on the system. I would not expect that part to change in the future, because bridge-mode clusters are supported, and they frequently do not have interfaces with VIPs.

    0.0.0.0 is weird, though, and I have seen unusual configurations break in updates. I would avoid using 0.0.0.0 for the main IP.

    If you change it to a real address, be aware that a cluster will not pass traffic through to its configured main IP. If the main IP is owned by a clustered interface, traffic can go to or from it, but not through the firewall to it. To avoid this, just don't use the IP you pick for another system.

    Edited to add: Just realized one of my sentences towards the end is unclear. If the main IP is owned by a clustered interface, traffic can go to or from it, including through the firewall. Traffic won't work through the firewall to that address if the cluster does not own it, though. As an example, I have a cluster:

    member1: 10.0.1.81 (non-monitored private)
    member2: 10.0.1.82 (non-monitored private)
    Cluster object main IP: 10.0.1.83

    But the main IP is not owned by a clustered interface. Traffic will not pass through this cluster to 10.0.1.83.
    Last edited by Bob_Zimmerman; 2017-11-08 at 11:56.
    Zimmie
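The advice in this thread (no 0.0.0.0, pick an unused host address from the bond0 subnet, never reuse an address that another system or a member owns) can be checked before the cluster object is saved. The following is an added example, not code from the thread or from Check Point; the subnet 10.0.1.0/24 and the member addresses are constructed from the sample in post #5.

```python
import ipaddress


def check_cluster_main_ip(candidate, mgmt_subnet, member_ips, known_hosts=()):
    """Return a list of problems with a proposed cluster object main IP.

    Rules taken from the thread: 0.0.0.0 is a network address, not a host,
    so it is rejected; the address should be an unused host address in the
    management (bond0) subnet; it must not be a member's own address; and it
    must not belong to any other system, because a cluster does not pass
    traffic through itself to an address it is configured as its own main IP.
    """
    problems = []
    ip = ipaddress.ip_address(candidate)
    net = ipaddress.ip_network(mgmt_subnet, strict=True)

    if ip.is_unspecified:  # 0.0.0.0 (or :: for IPv6)
        problems.append("0.0.0.0 is not a host address")

    if ip not in net:
        problems.append(f"{ip} is outside the management subnet {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")

    members = {ipaddress.ip_address(m) for m in member_ips}
    if ip in members:
        problems.append(f"{ip} is already a cluster member's own address")

    # Hosts known to live behind or beside the cluster (constructed inventory).
    hosts = {ipaddress.ip_address(h) for h in known_hosts}
    if ip in hosts:
        problems.append(
            f"{ip} belongs to another system; traffic through the cluster to it would break"
        )
    return problems


if __name__ == "__main__":
    members = ["10.0.1.81", "10.0.1.82"]  # constructed, from the sample in post #5
    for cand in ("0.0.0.0", "10.0.1.83", "10.0.1.81"):
        print(cand, check_cluster_main_ip(cand, "10.0.1.0/24", members) or "ok")
```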
