I have not done this on 4000 appliances, but I have this running on SPLAT on Dell hardware.
The steps are:

1) select private IP range for the interface - use the same network mask as the public range in use.
2) using sysconfig on each machine - set the interface IP address and mask to an IP from that private range.
3) add that new private IP from step 2 for each machine interface while in the "Edit Topology" for the firewall in SmartDashBoard.
3) add the private IP as the cluster IP - in the "Member Network" tab on this "Interface Properties" enter the private IP network chosen.
4) using sysconfig on each machine - add a route to the public network using the interface name.

You may be able to do this without an outage by doing steps 2 and 3 one machine at a time - but I would think it would be easier to do during an outage.

--
Glenn Crist

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Sergio Alvarez
Sent: Wednesday, May 09, 2012 9:55 AM
To: [email protected]
Subject: [FW-1] cluster consuming only one public IP

Hello.

This customer has a cluster made up of two 4000 appliances, as usual, it was configured consuming 3 public IPs (one for each cluster member and one as virtual IP for the cluster), now he ran out of public IPs and asks if something can be done to use a single public IP (virtual one) and use private IPs on the external interfaces of the cluster members.

I found documentation stating it CAN be done, but it does not provide any details so I would like to know if anyone here has done it before and can give me the whole picture.

Besides changing the IPs on each cluster member from public to private, is there something else that needs to be configured differently? Is there some sort of downtime when this change is done? Besides the obvious fact that, from the Internet, it will only be possible to access via SSH or WebGUI the active cluster member, is there any other implication of doing this change?
Any extra piece of info regarding this scenario anyone can provide, will be very appreciated.

Regards
--
Sergio Alvarez
CISSP | CCSE+

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
Scanned by Check Point Total Security Gateway.
=================================================
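
A pre-change sanity check for the address plan in the steps above, as an added example that is not part of the original thread or any Check Point tooling. The member names, interface name and addresses are constructed, and it assumes the single public address that remains is the cluster virtual IP, as the question describes.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def usable_host(addr, net):
    """True if addr is inside net and is not its network or broadcast address."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)

def check_plan(public_net, cluster_vip, private_net, members):
    """Return a list of problems; an empty list means the plan is consistent."""
    pub = ipaddress.ip_network(public_net)
    priv = ipaddress.ip_network(private_net)
    vip = ipaddress.ip_address(cluster_vip)
    problems = []
    # Step 1: a private range with the same mask as the public range in use.
    if not any(priv.subnet_of(r) for r in RFC1918):
        problems.append(f"{priv} is not inside an RFC 1918 range")
    if priv.prefixlen != pub.prefixlen:
        problems.append(f"mask /{priv.prefixlen} differs from public /{pub.prefixlen}")
    # Assumption: the one remaining public address is the cluster virtual IP.
    if not usable_host(vip, pub):
        problems.append(f"cluster IP {vip} is not a usable host in {pub}")
    # Steps 2-3: one distinct private address per member interface.
    seen = {}
    for name, ip in members.items():
        addr = ipaddress.ip_address(ip)
        if not usable_host(addr, priv):
            problems.append(f"{name}: {addr} is not a usable host in {priv}")
        if addr in seen:
            problems.append(f"{name}: {addr} already assigned to {seen[addr]}")
        seen.setdefault(addr, name)
    return problems

def routes_needed(public_net, members, ifname):
    """Step 4: every member needs an interface route to the public network."""
    pub = ipaddress.ip_network(public_net)
    return [(name, str(pub), ifname) for name in members]

if __name__ == "__main__":
    # Constructed sample plan (documentation and RFC 1918 addresses).
    members = {"fw-a": "192.168.50.1", "fw-b": "192.168.50.2"}
    for p in check_plan("198.51.100.0/24", "198.51.100.10", "192.168.50.0/24", members):
        print("PROBLEM:", p)
    for r in routes_needed("198.51.100.0/24", members, "eth0"):
        print("route needed:", r)
```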
