Forum Discussion
TMcGov_92811
Nimbostratus
NimbostratusiRule to Disable Autolasthop for Checkpoint VRRP
My LTM running 9.43 code is acting as a router and shares a segment with a Checkpoint SPLAT firewall cluster running VRRP. Whenever we have a active/standby state change on the Checkpoints we have issues routing traffic through the LTMs. All evidence points to the auto last hop feature which is enabled by default. I have read the SOL9487 that details how to write and irule and apply it to your IP Forwarding VS. The issue is that Checkpoint does not use a separate VRRP MAC address - which is required for the iRule. The Checkpoint OS simply associates the physical MAC of the active NIC to the VRRP IP address. Is there a workaround for this ?
3 Replies
- The_BhattmanHi TMcGov,
SOL9487 gives you a pretty solid solution. Howeve, A client also had the same issue, but they were hooked into a L2/L3 switch before they made it to the firewall. So what we did instead was created a HSRP address and introduced an extra hop before it landed on the Checkpoint FW.
I hope this helps
Bhattman 
TMcGov_92811I see what you mean.. but I'm quite surprised that there is not a simpler solution as this has to be a common design with regards to IP Forwarding through a Checkpoint firewall cluster. I will pursue the matter further with F5.- The_BhattmanThat's the thing. My clients said the same thing about Checkpoint FW. ;-P
Bhattman
