There is no need for the interfaces to be in vrrp for you to be able to ssh or ssl to the device. On your topo for your cluster object define these as non-monitored private interfaces.
________________________________
From: Peter Addy <[email protected]>
To: [email protected]
Sent: Mon, October 18, 2010 2:46:12 PM
Subject: Re: [FW-1] IP addressing of firewalls and cluster topology

Thanks Gary

I think I may not have explained myself correctly. The cluster members are on separate networks and will have no vrrp on this address; these are the managed IP addresses. However, I think I will simply use the other internal addressing for the cluster members, which is on the same network and does have a vrrp address, and have the other two networks for management only for the firewalls, as I think you're saying it is right to have the cluster members defined with a vrrp and must be on the same network, so my SIC will be made to these internal addresses of the cluster, and simply have the two

Do you see any issues with this? Does the management of both firewalls, over ssh and https, have to have a vrrp? The firewalls are located in different locations on different networks

--- On Mon, 18/10/10, Gary Scott <[email protected]> wrote:

From: Gary Scott <[email protected]>
Subject: Re: [FW-1] IP addressing of firewalls and cluster topology
To: [email protected]
Date: Monday, 18 October, 2010, 18:09

sets of interfaces participating in vrrp must be on the same network, vrrp can have no hops between these interfaces,

________________________________
From: Peter Addy <[email protected]>
To: [email protected]
Sent: Mon, October 18, 2010 12:49:21 PM
Subject: Re: [FW-1] IP addressing of firewalls and cluster topology

Hi,

Does anyone have any thoughts on this? Any help is appreciated

Thanks

On Sun Oct 17th, 2010 8:25 PM BST Peter Addy wrote:

>I was thinking would it be easier to assign the cluster members the same
>network and this will have a vrrp address, so change the hostname IP to the new
>address, keeping the hostname as it is.
>The IP I mentioned will still be the management IPs, therefore can simply manage
>the firewalls on those IPs, ssh, https etc, so in dns have the hostnames resolve
>to the 172.22.28.29 and 172.21.28.29
>
>Hope this makes sense
>
>--- On Sun, 17/10/10, Peter Addy <[email protected]> wrote:
>
>From: Peter Addy <[email protected]>
>Subject: [FW-1] IP addressing of firewalls and cluster topology
>To: [email protected]
>Date: Sunday, 17 October, 2010, 20:05
>
>Hi,
>
>Does anyone know of any issues where two firewall modules (cluster members) which
>have different IPs that are in a Checkpoint Nokia VRRP cluster?
>
>Scenario: one module is assigned for example 172.22.28.29, the other module is
>172.21.28.29, these modules are also managed IPs, that is we will connect to
>these models on ssh and https etc, and the hostnames are those IPs, the cluster
>IP is a 147.x.x.x
>
>There is no cluster for the modules as they are not on the same network.
>The topology looks strange in the fact that it does not run contiguous, so
>looking at the topo of the checkpoint cluster we have one interface on each
>module, no vrrp, same interface though, eth1c0
>
>I know there will be no vrrp for this and cpha status should be fine as long as we
>have the synch, so active/active should be seen, or will this cause an issue?
>
>Can anyone see an issue with this config, or should the cluster members have to
>be on the same network?
>
>Thanks
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================

Scanned by Check Point Total Security Gateway.
