
Checkpoint NGX R65 Anti-spoofing issues

Status
Not open for further replies.

rickrude11

IS-IT--Management
Jul 15, 2007
71
NZ
Hey guys, I have a 2 node cluster, just upgraded from R60 to R65. Only 1 firewall is active at the moment because when I bring the other one up, both fw become active.

I found that I cannot even ping ANY internal interface of the active firewall from the other firewall box. In the tracker it reports 'cluster member ip is spoofed' or words to that effect. This, I guess, is why the cluster is not happening. This policy is taken directly from the R60 management server.

My topology is correct, I am sure of that. The sync network is a dedicated interface (eth1) on the same segment (vlan99).

These are fresh installs.

Any input really appreciated. Any direction to look, even.
 
Find the policy object that is that firewall under Manage, Network Objects, highlight the object, fw, edit.

Look at the Topology option; in there it should list all your interfaces. If you edit these there is an option to enable antispoofing. It shouldn't be ticked if you have designed your network without taking into account the antispoofing setup. In the ideal world they should all be ticked. The antispoofing works by knowing about all the networks that pass through it and knowing what interface to expect the requests on; it means declaring all internal subnets etc.

For testing, though, just untick.
 
OK, I am now running without antispoofing enabled and it works. I can ping all Checkpoint interfaces from each node.

I feel vulnerable now :(
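
A simplified model of the per-interface check described in the reply above, as an added example that is not part of the original thread and not Check Point's implementation: each interface declares the networks expected behind it, and a source address arriving on an interface that does not declare it is reported as spoofed. All addresses, interface roles and the `check`/`audit` helpers are constructed for illustration; the example shows an incomplete topology dropping a peer member's address and the completed topology accepting it with anti-spoofing still enabled.

```python
import ipaddress

def check(topology, iface, src):
    """Return 'accept' or 'spoofed' for a packet with source `src` arriving on `iface`."""
    addr = ipaddress.ip_address(src)
    entry = topology[iface]
    if entry["external"]:
        # External side: reject sources that are declared behind any internal interface.
        internal = [n for e in topology.values() if not e["external"] for n in e["networks"]]
        hit = any(addr in ipaddress.ip_network(n) for n in internal)
        return "spoofed" if hit else "accept"
    # Internal side: the source must fall inside a network declared for this interface.
    ok = any(addr in ipaddress.ip_network(n) for n in entry["networks"])
    return "accept" if ok else "spoofed"

def audit(topology, expected_flows):
    """List the legitimate flows that the declared topology would drop."""
    return [(iface, src, why) for iface, src, why in expected_flows
            if check(topology, iface, src) == "spoofed"]

# Constructed addresses and interface roles (not taken from the thread).
INCOMPLETE = {
    "eth0": {"external": True, "networks": []},
    "eth1": {"external": False, "networks": ["192.168.99.0/29"]},  # sync segment
    "eth2": {"external": False, "networks": ["10.1.0.0/24"]},      # real subnet is /23
}
COMPLETE = {**INCOMPLETE, "eth2": {"external": False, "networks": ["10.1.0.0/23"]}}

# Traffic that should be allowed: (arrival interface, source address, description).
EXPECTED = [
    ("eth1", "192.168.99.2", "peer member, sync interface"),
    ("eth2", "10.1.1.3", "peer member, internal interface"),
    ("eth2", "10.1.0.50", "internal host"),
    ("eth0", "203.0.113.7", "internet client"),
]

if __name__ == "__main__":
    for name, topo in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, audit(topo, EXPECTED))
    # A genuinely spoofed packet is still caught once the topology is complete.
    print(check(COMPLETE, "eth0", "10.1.0.50"))
```

Running an audit like this against the intended traffic before pushing policy shows which interface definitions are missing subnets, so the topology can be completed rather than leaving the anti-spoofing boxes unticked.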



 