Monday, June 18, 2012

ClusterXL: Sync on VLAN interfaces

We all know Sync network in cluster configuration should be isolated from the rest of production networks, or, as Check Point calls it in the documentation, "secured". Reason for that is that sync interfaces have no security policy enforced and can be used to penetrate your FW cluster.

Nevertheless sometimes you have to do Sync over VLAN interface instead of a physical NIC.

If you do so, you might bare in mind sk34574. As described there, ClusterXL requires to use the lowerst VLAN tag for Sync interface.

For example, if you are using eth.1.10, eth1.20 and eth.30, you can only configure eth1.10 for cluster synchronization.

In case you did it wrong, cphaprob -a if will report you the following:
Warning: Sync will not function since there aren't any sync(secured) interfaces 

 In this case it is not enough to re-configure VLANs and re-push policy. If you picked the wrong interface first, you will have to re-initialize ClusterXL on your physical machines. To do that, go to cponfig and remove clustering, then start it again from there. Reboots are required.

No comments:

Post a Comment