Monitoring and Troubleshooting Gateway Clusters

Verifying that a Cluster is Working Properly:

The cphaprob Command

Use the cphaprob command to verify that the cluster and the cluster members are working properly, and to define critical devices.

There are a number of built-in critical devices, and the administrator can define additional critical devices. The default critical devices are:
  • The cluster interfaces on the cluster members.
  • Synchronization — full synchronization completed successfully.
  • Filter — the Security Policy, and whether it is loaded.
  • cphad — which follows the ClusterXL process called cphamcset.
  • fwd — the Security Gateway daemon.
These commands can be run automatically by including them in scripts.

cphaprob state

Cluster mode: Load sharing (Multicast)

Number Unique Address State

1 (local) active
2 active
Cluster mode can be:
  • Load Sharing (Multicast).
  • Load Sharing (Unicast).
  • High Availability New Mode (Primary Up or Active Up).
  • High Availability Legacy Mode (Primary Up or Active Up).

Cluster States
Is this state a Problem?
Everything is OK.
Active attention: A problem has been detected, but the cluster member is still forwarding packets because it is the only machine in the cluster or there are no other active machines in the cluster. In any other situation the state of the machine would be down.
One of the critical devices is down.
State Ready means that the machine recognizes itself as a part of the cluster and is literally ready to go into action, but, by design, something prevents the machine from taking action. Possible reasons that the machine is not yet Active include:
  1. Not all required software components were loaded and initialized yet and/or not all configuration steps finished successfully yet. Before a cluster member becomes Active, it sends a message to the rest of the cluster members, checking whether it can become Active. In High-Availability mode it will check if there is already an Active member and in Load Sharing Unicast mode it will check if there is a Pivot member already. The member remains in the Ready state until it receives the response from the rest of the cluster members and decides which state to choose next (Active, Standby, Pivot, or non-Pivot).
  2. Software installed on this member has a higher version than the rest of the members in this cluster. For example, when a cluster is upgraded from one version of Check Point Security Gateway to another, and the cluster members have different versions of Check Point Security Gateway, the members with a new version have the Ready state and the members with the previous version have the Active / Active Attention state.
  3. If the software installed on all cluster members includes CoreXL, which is installed by default in versions R70 and higher, a member in Ready state may have a higher number of CoreXL instances than other members. 
Applies only to a High Availability configuration, and means the member is waiting for an active machine to fail in order to start packet forwarding.
An initial and transient state of the cluster member. The cluster member is booting up, and the ClusterXL product is already running, but the Security Gateway is not yet ready.
ClusterXL inactive or machine is down: Local machine cannot hear anything coming from this cluster member.

Monitoring Cluster Interfaces:

To see the state of the cluster member interfaces and the virtual cluster interfaces:
  • Run the following command on the cluster members:
cphaprob [-a] if

For example:
cphaprob -a if

Required interfaces: 4
Required secured interfaces: 1

qfe4      UP                       (secured, unique, multicast)
qfe5      UP                       (non secured, unique, multicast)
qfe6      DOWN (4810.2 secs)       (non secured, unique, multicast)
qfe7      UP                       (non secured, unique, multicast)

Virtual cluster interfaces: 2
The interfaces are ClusterXL critical devices. ClusterXL checks the number of good interfaces and sets a value of Required interfaces to the maximum number of good interfaces seen since the last reboot. If the number of good interfaces is less than the Required number, ClusterXL initiates failover. The same applies for secured interfaces, where only the good synchronization interfaces are counted.
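
The Required-interfaces rule described above can be checked from a script, as the post suggests for cphaprob commands. The following is an added example, not part of the original post and not Check Point code; the function names check_cluster_ifs and sample_cphaprob_if are hypothetical, and the parsing assumes the output layout shown in the example above.

```shell
#!/bin/sh
# Added example: apply the Required-interfaces rule to `cphaprob -a if` output.
# On a cluster member:  cphaprob -a if | check_cluster_ifs

# Sample input, copied from the example output shown above.
sample_cphaprob_if() {
    cat <<'EOF'
Required interfaces: 4
Required secured interfaces: 1

qfe4      UP                       (secured, unique, multicast)
qfe5      UP                       (non secured, unique, multicast)
qfe6      DOWN (4810.2 secs)       (non secured, unique, multicast)
qfe7      UP                       (non secured, unique, multicast)

Virtual cluster interfaces: 2
EOF
}

# Reads `cphaprob -a if` output on stdin, prints a one-line summary, and
# returns 1 when fewer good interfaces (or good secured interfaces) are UP
# than required, which is the condition under which ClusterXL fails over.
check_cluster_ifs() {
    awk '
        /^Required interfaces:/         { req = $3 }
        /^Required secured interfaces:/ { req_sec = $4 }
        # Interface rows: name, UP or DOWN, then the attribute list.
        $2 == "UP" || $2 == "DOWN" {
            secured = ($0 ~ /\(secured,/)   # "(non secured," does not match
            if ($2 == "UP") { up++; if (secured) up_sec++ }
            else            { down = down (down ? "," : "") $1 }
        }
        END {
            printf "up=%d required=%d secured_up=%d required_secured=%d down=%s\n",
                   up, req, up_sec, req_sec, (down ? down : "none")
            if (up + 0 < req + 0 || up_sec + 0 < req_sec + 0) exit 1
            exit 0
        }'
}

# Stand-alone run against the embedded sample.
sample_cphaprob_if | check_cluster_ifs || echo "failover condition met"
```

The non-zero return status lets a monitoring job or cron wrapper raise an alert on the same condition that triggers failover.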
