11-02-2008 01:19 AM
Hi to all,
Assume that the cable on the inbound interface on the FW1 side is unplugged. In this scenario the probes are still up. The probes cannot detect this situation, and failover does not take place. As you can see, it is impossible to detect a cable being pulled unless we have an IP address from a different VLAN. I have an idea to solve this issue: I need to create a new VLAN (for instance VLAN 200) on the ACE_INSIDE. We will insert a static route on ACE_OUTSIDE. That static route will try to reach VLAN 200 via the FW1 outside interface. Then we will be sure when FW1 fails. Of course, vice versa will be valid too. We can use a similar configuration for FW0 as well. Based on the configuration that I have attached and my solution, can you give me a configuration example, or do you have a better way to accomplish this task? I will be waiting for your suggestion or solution as soon as possible. I have little time to solve this. Thanks in advance.
Best Regards.
Note: Topology and all necessary configs are attached.
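The route-through-the-firewall probe described in the post above, written out as an added Cisco ACE configuration example. This is not taken from the attached configs: every VLAN number, address, object name and timer here is assumed, since the thread does not show them. It relies on the ACE probe option "ip address <addr> routed", which sends the probe to the given address according to the ACE routing table instead of to the real server's own address; a host route per firewall then forces each probe through that firewall only, so the probe attached to rserver FW1 fails as soon as either of FW1's interfaces, or its forwarding path, goes down. Verify that option exists on your ACE software release before relying on it.

```cisco
! ACE_OUTSIDE context (assumed names and addresses, not the attached configs)
! VLAN 100 faces the firewalls' outside interfaces (10.100.0.0/24 assumed).
interface vlan 100
  ip address 10.100.0.5 255.255.255.0
  no shutdown

! Assumed: two test VLANs live on ACE_INSIDE behind the firewalls,
! VLAN 200 = 10.200.0.1/24 and VLAN 201 = 10.201.0.1/24. Each host route
! below is reachable only through one firewall, which is what makes the
! probe a path test rather than an interface test.
ip route 10.200.0.1 255.255.255.255 10.100.0.1
ip route 10.201.0.1 255.255.255.255 10.100.0.2

! ICMP probe to the far side of FW1, routed via the host route above.
probe icmp PROBE_VIA_FW1
  ip address 10.200.0.1 routed
  interval 5
  faildetect 3
  passdetect interval 10

! Same pattern for FW0, using the second test address.
probe icmp PROBE_VIA_FW0
  ip address 10.201.0.1 routed
  interval 5
  faildetect 3
  passdetect interval 10

! The firewalls are the "real servers"; each carries its own path probe.
rserver host FW1
  ip address 10.100.0.1
  probe PROBE_VIA_FW1
  inservice

rserver host FW0
  ip address 10.100.0.2
  probe PROBE_VIA_FW0
  inservice

! Transparent server farm: traffic is forwarded to the firewall
! without NAT, and a failed probe pulls that firewall out of rotation.
serverfarm host SF_FIREWALLS
  transparent
  rserver FW1
    inservice
  rserver FW0
    inservice
```

Three things must also be true for this to work: FW1 and FW0 need a route back to 10.200.0.0/24 and 10.201.0.0/24 via ACE_INSIDE, the firewall policy must permit ICMP from 10.100.0.5 to those two addresses, and ACE_INSIDE needs the mirror image of this configuration (test VLANs hosted on ACE_OUTSIDE and host routes via each firewall's inside interface) so that a failure is detected in both directions.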
11-03-2008 06:59 AM
I am not sure I am following what you're trying to do here. Are you running Checkpoint ClusterXL in Active/Active or Active/Standby configuration? Either way, ClusterXL is smart enough to know if the interface is "unplugged", and that failover is automatic. You should not even have to worry about the physical interface. ClusterXL will take care of the failover.

What do you see when you perform "cphaprob state" and "cphaprob -a if"?

If your firewall does not fail over, then it is not set up properly. Both the ACE_outside and ACE_inside only care about the ClusterXL VIP IP and not the physical IP of the Checkpoint firewall.
11-05-2008 01:07 AM
Thank you for your answer. They are active/active. But the Checkpoints we are talking about are not using ClusterXL for failover. They are using a third party (ACE) for the failover as well. So the ACE has to know about the firewalls with a probe. They don't have VIP IPs.
11-05-2008 06:25 AM
First of all, this is the FIRST time I've heard of someone running SecurePlatform NGx R65 in Active/Active WITHOUT ClusterXL. I could be wrong, though unlikely, but that is not possible. Take a look at the pair of Checkpoint firewalls, NGx R65 SecurePlatform in Active/Active Unicast mode:
[Expert@NGx-lab2]# cphaprob state
Cluster Mode: Load Sharing (Unicast/SDF)
Number Unique Address Assigned Load State
1 10.0.0.1 30% Active (pivot)
2 (local) 10.0.0.2 70% Active
[Expert@NGx-lab2]# cphaprob -a if
Required interfaces: 4
Required secured interfaces: 1
eth0 UP non sync(non secured), broadcast
eth1 UP non sync(non secured), broadcast
eth7 UP non sync(non secured), broadcast
eth13 UP sync(secured), broadcast
Virtual cluster interfaces: 3
eth0 65.129.75.1
eth1 129.174.1.1
eth7 192.168.128.1
[Expert@NGx-lab2]#
Again, I think it is NOT possible to run Checkpoint in Active/Active mode without ClusterXL. You may want to check the configuration again. You can NOT have active/active without VIP IPs.