Builtin alias for CARP address in f/w rules?
-
Hello,
I might have overlooked something, but if I have an HA configuration and I want e.g. to block access to a certain port on both firewalls,
in the f/w rules I can use as destination address "This firewall (self)" or "<interface_name> address" to point to the f/w own IP address,
but is there a similar builtin alias to point to the CARP IP for that interface?
Or is the only way to explicitly add a rule with the numerical CARP IP address listed (or at most via a custom alias)?

Thanks
-
@minimos
As far as I know, the CARP VIP, as well as other virtual IPs assigned to interfaces of the firewall, are all covered by "This firewall".
However, it doesn't cover interface IPs assigned to the secondary node. Remember that "<interface_name> address" is only the primary IP of the concerned interface, while "This firewall" is all IPs of all interfaces.
-
@minimos We created an alias for “WAN IPs” with the three public IPs in it. (And LAN)
In essence I think you’re asking whether This Firewall will update to include the shared IP when it moves, and I don’t know the answer to that. Maybe, but I would not assume it does.
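As an added illustration (not part of the thread, and not pfSense's or OPNsense's generated ruleset), here is what the two approaches discussed above look like at the pf(4) layer that both firewalls compile their GUI rules into: the builtin "This firewall" alias versus an explicit alias holding the CARP VIPs. The interface name `em0` and the addresses are assumed placeholders; `self` is pf's keyword for "every address configured on any interface of this node", which is why the first reply says it covers CARP VIPs. Because a CARP VIP is configured on both nodes (MASTER and BACKUP), `self` matches it on each node regardless of which one currently holds it.

```conf
# Added example, not from the original post. em0 and the addresses are placeholders.

# Approach 1: the builtin "This firewall (self)" destination.
# `self` expands to all addresses on all interfaces of this node, including
# CARP VIPs assigned to those interfaces. The parentheses ask pf to re-evaluate
# the address list when interface addresses change instead of only at load time.
block in quick on em0 proto tcp from any to (self) port 443

# Approach 2: an explicit alias, which pfSense/OPNsense turn into a pf table.
# Only the listed VIPs are matched; interface-specific IPs are not included.
table <carp_vips> { 198.51.100.10, 198.51.100.11 }
block in quick on em0 proto tcp from any to <carp_vips> port 443

# Verify on each node (run on both, since rules are per node):
#   pfctl -sr                    # show the loaded ruleset
#   pfctl -t carp_vips -T show   # show the table contents
```

A practical check for the doubt raised in the last reply: run `pfctl -sr` on the backup node and confirm the rule is loaded there too, then test the port against the CARP VIP both before and after forcing a failover. If a rule only references `<interface_name> address`, it will not match traffic to the VIP on either node.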