Additional Information

Testing and Troubleshooting

You can use the APIs to retrieve information about the cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. resource group.

Use these commands on each Cluster Member to confirm that the cluster operates correctly:

Note - Run these commands in the Expert Mode The name of the elevated command line shell that gives full system root permissions in the Check Point Gaia operating system..

cphaprob state
cphaprob -a if

Example:

[Expert@HostName:0]# cphaprob state

Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State
 
1 (local)  11.22.33.245    0%              Active
2          11.22.33.246    10%             Standby

If all tests were successful, this message opens: All tests were successful!

Otherwise, an error message is displayed with information about how to troubleshoot the problem.

To get the latest version of the test script:

Note - Do steps 2-8 on each Cluster Member.

Download the latest version of the test script http://supportcenter.checkpoint.com/file_download?id=81245.
Copy the downloaded TGZ file to a directory.
Connect to the command line.
Log in to the Expert mode.
Unpack the TGZ file:

tar -zxvf /<path to the downloaded script package>/Azure_cluster_ha_testing_sk110194.tgz
Back up the current $FWDIR/scripts/azure_ha_test.py script:

cp -v $FWDIR/scripts/azure_ha_test.py{,_backup}
Copy the latest script to the $FWDIR/scripts/ directory:

cp -v /<path to the downloaded script package>/azure_ha_test.py $FWDIR/scripts/
Assign the required permissions:

chmod -v 755 $FWDIR/scripts/azure_ha_test.py

Common configuration errors:

Message	Recommendation
`The attribute (ATTRIBUTE) is missing in the configuration`	--
`Primary DNS server is not configured Failed to resolve (host)`	The Cluster Member is not configured with a DNS server.
`Failed in DNS resolving test`	Confirm that DNS resolution on the Cluster Member works.
`You do not seem to have a valid cluster configuration`	Make sure that the Cluster Member configuration on the Check Point Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. is complete, and that the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.is installed
`IP forwarding is not enabled on Interface (Interface-name)`	Use PowerShell to enable IP forwarding on all the network interfaces of the Cluster Member.
`failed to read configuration file: $FWDIR/conf/azure-ha.json`	The Azure Stack Hub Cluster Member configuration is not up to date, or written correctly.
`Testing credentials`	Failed to login with the credentials provided. See the exception text to understand why.
`Testing authorization` `(Exception)`	Make sure the Azure Stack Hub service principal you created is designated as a Contributor to the cluster resource group.

Simulate a cluster failover

For example, shut down the internal interface of the Active Cluster Member.

On the current Active Cluster Member, run from the Expert Mode:

ip link set dev eth1 down
After a few seconds, the second Cluster Member has to report itself as the Active Cluster Member.

Examine the cluster state on each Cluster Member. In Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). or Expert mode, run:

cphaprob state
On the former Active Cluster Member, run in Expert mode:

ip link set dev eth1 up

If you experience issues:

Make sure you have a configured Azure Stack Hub Service Principal. The service has to have:

Contributor privileges to the cluster resource group: Using the Azure Stack Hub High Availability Daemon

The cluster solution in Azure Stack Hub uses the daemon to make API calls to Azure Stack Hub when a cluster failover takes place. This daemon uses a configuration file, $FWDIR/conf/azure-ha.json, on each Cluster Member.

When you deploy the above solution from the supplied template , a configuration file is created automatically.

The configuration file is in JSON format and contains these attributes:

Attribute's Name	Type	Value
`debug`	Boolean	True or False
`subscriptionId`	String	Subscription ID
`Location`	String	Resource group location
`Environment`	String	Name of the environment
`resourceGroup`	String	Resource group name
`credentials`	String	Indicates using automatic credentials on the Cluster Member Virtual Machine
`virtualNetwork`	String	Name of the Virtual Network Environment of logically connected Virtual Machines.
`clusterName`	String	Name of the cluster
`templateName`	String	Name of the template
`tenantId`	String	ID of the tenant

Notes:

The credentials attribute contains:
Your Client-ID
Your Client-secret
Grant type client-credentials
Your Tenant ID

You can confirm that the daemon in charge of communicating with Azure Stack Hub runs on each Cluster Member. In Expert mode, run:

cpwd_admin list | grep -E "PID|AZURE_HAD"

The output should be similar to this example:

Notes:

The script appears in the output:
The STAT column should show "E" (executing)
The #START column should show "1" (the number of times this script was started by the Check Point WatchDog)

To troubleshoot issues related to this daemon, generate debug. In Expert mode, run:

To enable debug printouts:

azure-ha-conf --debug --force

To disable debug printouts:

azure-ha-conf --no-debug --force

The debug output is written to $FWDIR/log/azure_had.elg* files.

Changing Template Components

The Check Point cluster's public IP address has to be in the same resource group as the Cluster Members.

These resources can be in any resource group:

Virtual Network
Network interfaces
Route tables
Storage account

Note - Make sure the resources Virtual Network and External Network Interfaces use the same automatic service principal with the same permissions.

Naming Constraints

Cluster Member in Azure have to match the Cluster Member names with a suffix of '1' and '2'.
The IP address of the cluster has to match the configuration file.
By default it should match the cluster name.

Creating Objects in SmartConsole

For more information, see the Check Point Security Management Administration Guide for your Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. version.

Important - After you create an object, you must publish the session to save the changes in the management database.

To create a Host object:

From the top right Objects Pane, click New > Host.

The New Host window opens.
In the Machine field, enter the private IP address of the machine

To create a Network object:

From the top right Objects Pane, click New > Network.

The New Network window opens.
Enter the Object Name (specifically the subnet name).
Enter the Network address and Net mask.

To create a Service (port) object:

From the top right Objects Pane, click New > More > Service.
Select your TCP/UDP service.
Enter the Object name.
In the Enter Object Comment field, enter the port name.
In the General field, select your Protocol.
In the Match By field, select the Port number.
Click OK.