Monitoring and Troubleshooting Gateway Clusters



Verifying that a Cluster is Working Properly:

The cphaprob Command

Use the cphaprob command to verify that the cluster and the cluster members are working properly, and to define critical devices.

There are a number of built-in critical devices, and the administrator can define additional critical devices. The default critical devices are:
  • The cluster interfaces on the cluster members.
  • Synchronization — full synchronization completed successfully.
  • Filter — the Security Policy, and whether it is loaded.
  • cphad — which follows the ClusterXL process called cphamcset.
  • fwd — the Security Gateway daemon.
These commands can be run automatically by including them in scripts.

cphaprob state

Cluster mode: Load sharing (Multicast)

Number Unique Address State

1 (local) 30.0.0.1 active
2 30.0.0.2 active
Cluster mode can be:
  • Load Sharing (Multicast).
  • Load Sharing (Unicast).
  • High Availability New Mode (Primary Up or Active Up).
  • High Availability Legacy Mode (Primary Up or Active Up).


Cluster States

State: Active
Meaning: Everything is OK.
Forwarding packets? Yes
Is this state a problem? No

State: Active attention
Meaning: A problem has been detected, but the cluster member is still forwarding packets because it is the only machine in the cluster or there are no other active machines in the cluster. In any other situation the state of the machine would be down.
Forwarding packets? Yes
Is this state a problem? Yes

State: Down
Meaning: One of the critical devices is down.
Forwarding packets? No
Is this state a problem? Yes

State: Ready
Meaning: State Ready means that the machine recognizes itself as a part of the cluster and is literally ready to go into action, but, by design, something prevents the machine from taking action. Possible reasons that the machine is not yet Active include:
  1. Not all required software components were loaded and initialized yet and/or not all configuration steps finished successfully yet. Before a cluster member becomes Active, it sends a message to the rest of the cluster members, checking whether it can become Active. In High-Availability mode it will check if there is already an Active member and in Load Sharing Unicast mode it will check if there is a Pivot member already. The member remains in the Ready state until it receives the response from the rest of the cluster members and decides which state to choose next (Active, Standby, Pivot, or non-Pivot).
  2. Software installed on this member has a higher version than the rest of the members in this cluster. For example, when a cluster is upgraded from one version of Check Point Security Gateway to another, and the cluster members have different versions of Check Point Security Gateway, the members with a new version have the Ready state and the members with the previous version have the Active / Active Attention state.
  3. If the software installed on all cluster members includes CoreXL, which is installed by default in versions R70 and higher, a member in Ready state may have a higher number of CoreXL instances than other members.
Forwarding packets? No
Is this state a problem? No

State: Standby
Meaning: Applies only to a High Availability configuration, and means the member is waiting for an active machine to fail in order to start packet forwarding.
Forwarding packets? No
Is this state a problem? No

State: Initializing
Meaning: An initial and transient state of the cluster member. The cluster member is booting up, and ClusterXL product is already running, but the Security Gateway is not yet ready.
Forwarding packets? No
Is this state a problem? No

State: ClusterXL inactive or machine is down
Meaning: Local machine cannot hear anything coming from this cluster member.
Forwarding packets? Unknown
Is this state a problem? Yes


Monitoring Cluster Interfaces:


To see the state of the cluster member interfaces and the virtual cluster interfaces:
  • Run the following command on the cluster members:
cphaprob [-a] if

For example:
cphaprob -a if

Required interfaces: 4
Required secured interfaces: 1

qfe4      UP                       (secured, unique, multicast)
qfe5      UP                       (non secured, unique, multicast)
qfe6      DOWN (4810.2 secs)       (non secured, unique, multicast)
qfe7      UP                       (non secured, unique, multicast)

Virtual cluster interfaces: 2
qfe5 30.0.1.130
qfe6 30.0.2.130
The interfaces are ClusterXL critical devices. ClusterXL checks the number of good interfaces and sets a value of Required interfaces to the maximum number of good interfaces seen since the last reboot. If the number of good interfaces is less than the Required number, ClusterXL initiates failover. The same applies for secured interfaces, where only the good synchronization interfaces are counted.
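
The page notes that these commands can be included in scripts. The following is an added example, not from the original page or from Check Point, that reads cphaprob state and cphaprob -a if output and reports members in a state the Cluster States table marks as a problem, plus any interface reported DOWN. It assumes the output layouts shown on this page; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): flag problem states in cphaprob output.
# Assumes the output layouts shown on this page.

# Reads `cphaprob state` output on stdin; prints "member <address> <state>" for
# each member whose state the Cluster States table marks as a problem.
problem_members() {
    awk '
        /^[ \t]*[0-9]+[ \t]/ {
            i = 2
            if ($i == "(local)") i++          # the local member carries an extra field
            addr = $i; state = ""
            for (j = i + 1; j <= NF; j++)     # a state can be several words long
                state = (state == "" ? $j : state " " $j)
            s = tolower(state)
            if (s == "active attention" || s == "down" ||
                s == "clusterxl inactive or machine is down")
                print "member " addr " " state
        }'
}

# Reads `cphaprob -a if` output on stdin; prints each interface reported DOWN.
down_interfaces() {
    awk '$2 == "DOWN" { print "interface " $1 " DOWN " $3 " " $4 }'
}

# $1 = `cphaprob state` output, $2 = `cphaprob -a if` output.
# Prints the findings and returns 1 if there are any, otherwise returns 0.
cluster_report() {
    findings=$( { printf '%s\n' "$1" | problem_members
                  printf '%s\n' "$2" | down_interfaces; } )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# Constructed sample input: the page's output with member 2 changed to "down".
SAMPLE_STATE='Cluster mode: Load sharing (Multicast)

Number Unique Address State

1 (local) 30.0.0.1 active
2 30.0.0.2 down'
SAMPLE_IF='Required interfaces: 4
qfe4      UP                       (secured, unique, multicast)
qfe6      DOWN (4810.2 secs)       (non secured, unique, multicast)
Virtual cluster interfaces: 2
qfe5 30.0.1.130'

# On a cluster member: cluster_report "$(cphaprob state)" "$(cphaprob -a if)"
cluster_report "$SAMPLE_STATE" "$SAMPLE_IF" || echo "cluster needs attention"
```

Ready, Standby and Initializing are not reported, because the table does not mark them as problem states.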

