The title is pretty self-explanatory, and it's behaviour I'm seeing on every recent cluster build that I do (R80.10 and up).

A fair question would be "Why are you concerned with Internet access on your standby member?". Well, my biggest reason is cosmetic: occasionally the gateway might throw up alerts in SmartConsole because it is unable to do entitlement checks and such. More importantly, your cluster might also be configured to have the gateways pull IPS / AV / etc. updates themselves (as opposed to having your SMS distribute them), which means that if your cluster fails over, there might be a small window where you are running outdated protections.
Having said all that, how do we fix this? Well, Check Point has 4 steps listed in sk43807, namely:
- Verify that routing tables are identical on all nodes
- Synchronise HTTP, HTTPS, DNS between cluster members
- Set the 'fwha_forw_packet_to_not_active' kernel parameter to 1
- Edit your 'table.def' file on the SMS
Of those, the only one that has ever worked for me is the 'table.def' edit; the issue with that is that it will get overwritten after every upgrade you do, so in my view it is not a long-term solution.
Because this issue is caused by the gateway's own traffic being hidden behind the cluster IP, we can fix it with a NAT rule. This also has the advantage of being a permanent fix. You'll have to create a rule for each gateway in your cluster which states that for any traffic originating from the gateway (create host objects with your external IPs) to any, use original (i.e. no translation). It needs to look something like this:

Once done, push policy and you should immediately restore access.
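For anyone who would rather script the per-gateway "no NAT" rules than click them in for every cluster, here is an added example (my own, not from Check Point's documentation or sk43807) that creates them through the R80.x Management API. It assumes the web API is reachable at https://<SMS>/web_api, that you want one host object per gateway external IP as described above, and that leaving the translated-* fields out of add-nat-rule keeps them at "Original".

```python
import json
import ssl
import urllib.request

def host_payload(name, ip):
    """add-host body for one gateway's external IP (the object the post says to create)."""
    return {"name": name, "ip-address": ip}

def no_nat_payload(package, host_name, position="top"):
    """add-nat-rule body: from the gateway's own IP to Any, translation left as Original.
    Assumption: omitting the translated-* fields keeps the rule untranslated."""
    return {
        "package": package,
        "position": position,
        "original-source": host_name,
        "original-destination": "Any",
        "original-service": "Any",
        "enabled": True,
        "comments": f"No NAT for {host_name}: keep the member's own traffic off the cluster IP",
    }

class MgmtApi:
    """Minimal stdlib-only Management API client: login, one command, publish."""
    def __init__(self, sms_host, cafile=None):
        self.base = f"https://{sms_host}/web_api"
        self.ctx = ssl.create_default_context(cafile=cafile)  # verify the SMS certificate
        self.sid = None

    def call(self, command, body):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session id returned by login
        req = urllib.request.Request(f"{self.base}/{command}", data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

def add_no_nat_rules(api, package, members):
    """members: host-object name -> external IP, one entry per cluster member (so one rule each)."""
    created = []
    for name, ip in members.items():
        api.call("add-host", host_payload(name, ip))
        created.append(api.call("add-nat-rule", no_nat_payload(package, name)))
    api.call("publish", {})  # make the objects and rules visible; then install policy as usual
    return created

if __name__ == "__main__":  # placeholder SMS address and credentials, constructed member IPs
    api = MgmtApi("sms.example.internal")
    api.login("api_user", "api_password")
    add_no_nat_rules(api, "Standard", {"gw1-ext": "198.51.100.11", "gw2-ext": "198.51.100.12"})
```

After publishing you still need to install the policy on the cluster, exactly as with the SmartConsole version of the rule.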
Hi, I have a question: if the standby member has 2 external IPs (2 ISPs), should I create objects for both external IPs? Thank you in advance

Sure. You can also use the LocalMachine object, which I believe only resolves to the external IPs.

If you want all interface IPs, then use LocalMachine_All_Interfaces