Additional Information
Testing and Troubleshooting
You can use the APIs to retrieve information about the cluster resource group.
Use these commands on each Cluster Member to confirm that the cluster operates correctly:
Note - Run these commands in the Expert Mode.
- cphaprob state
- cphaprob -a if
Example:
[Expert@HostName:0]# cphaprob state
Cluster Mode: High Availability (Active Up) with IGMP Membership
ID Unique Address Assigned Load State
1 (local) 11.22.33.245 0% Active
2 11.22.33.246 10% Standby
- The configuration is defined in the $FWDIR/conf/azure-ha.json file, which is created by the ARM (Azure Resource Manager) template.
- A Primary DNS server is configured and works.
- The machine is set up as a Cluster Member.
- IP forwarding is enabled on all network interfaces of the Cluster Member.
- It is possible to use the APIs to retrieve information about the cluster's resource group.
- It is possible to log in to Azure with the Azure credentials in the $FWDIR/conf/azure-ha.json file.
- Calibration of ClusterXL configuration for Azure.
If all tests were successful, this message opens: All tests were successful!
Otherwise, an error message is displayed with information about how to troubleshoot the problem.
To get the latest version of the test script:
Note - Do steps 2-8 on each Cluster Member.
1. Download the latest version of the test script: http://supportcenter.checkpoint.com/file_download?id=81245
2. Copy the downloaded TGZ file to a directory.
3. Connect to the command line.
4. Log in to the Expert mode.
5. Unpack the TGZ file:
   tar -zxvf /<path to the downloaded script package>/Azure_cluster_ha_testing_sk110194.tgz
6. Back up the current $FWDIR/scripts/azure_ha_test.py script:
   cp -v $FWDIR/scripts/azure_ha_test.py{,_backup}
7. Copy the latest script to the $FWDIR/scripts/ directory:
   cp -v /<path to the downloaded script package>/azure_ha_test.py $FWDIR/scripts/
8. Assign the required permissions:
   chmod -v 755 $FWDIR/scripts/azure_ha_test.py
Common configuration errors:
Message | Recommendation
---|---
The Cluster Member is not configured with a DNS server. | Confirm that DNS resolution on the Cluster Member works.
 | Make sure that the Cluster Member configuration on the Check Point Security Management Server
 | Use PowerShell to enable IP forwarding on all the network interfaces of the Cluster Member.
 | The Azure Stack Hub Cluster Member configuration is not up to date, or written correctly.
Failed to login with the credentials provided. See the exception text to understand why. | Make sure the Azure Stack Hub service principal you created is designated as a Contributor to the cluster resource group.
Simulate a cluster failover
For example, shut down the internal interface of the Active Cluster Member.
- On the current Active Cluster Member, run from the Expert Mode:
  ip link set dev eth1 down
- After a few seconds, the second Cluster Member has to report itself as the Active Cluster Member.
  Examine the cluster state on each Cluster Member. In Gaia Clish or Expert mode, run:
  cphaprob state
- On the former Active Cluster Member, run in Expert mode:
  ip link set dev eth1 up
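To confirm the result of the simulated failover without reading the output by eye, the following added example (not part of this document or of Check Point's tooling) parses the cphaprob state output format shown earlier on this page and checks that the Active role moved to the other member. The sample outputs are constructed; real output may carry additional columns such as the member name, which the pattern ignores.

```python
"""Parse 'cphaprob state' output and confirm that a simulated failover
changed the cluster roles as expected.

Added example, not part of the Check Point documentation or product code.
The sample outputs below are constructed from the format shown in this
document; real output may carry extra columns (for example a member name).
"""
import re

# One member row: ID, optional "(local)", IP address, assigned load, state.
_MEMBER_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<local>\(local\)\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<load>\d+)%\s+(?P<state>\S+)"
)


def parse_cphaprob_state(output):
    """Return {member_id: {"ip": ..., "load": int, "state": ..., "local": bool}}."""
    members = {}
    for line in output.splitlines():
        m = _MEMBER_RE.match(line)
        if m:
            members[int(m.group("id"))] = {
                "ip": m.group("ip"),
                "load": int(m.group("load")),
                "state": m.group("state"),
                "local": m.group("local") is not None,
            }
    return members


def local_state(output):
    """State reported for the member the command ran on, or None if not found."""
    for member in parse_cphaprob_state(output).values():
        if member["local"]:
            return member["state"]
    return None


def failover_completed(before, after):
    """True when the single member that was Active before is no longer Active
    and exactly one other member now reports Active."""
    old_active = {i for i, m in parse_cphaprob_state(before).items() if m["state"] == "Active"}
    new_active = {i for i, m in parse_cphaprob_state(after).items() if m["state"] == "Active"}
    if len(old_active) != 1 or len(new_active) != 1:
        return False  # no Active member at all, or two Active members (split brain)
    return old_active != new_active


# Constructed samples: state as seen on member 1 before and after
# 'ip link set dev eth1 down' was run on it.
BEFORE = """Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State
1 (local)  11.22.33.245    0%              Active
2          11.22.33.246    10%             Standby
"""

AFTER = """Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State
1 (local)  11.22.33.245    0%              Down
2          11.22.33.246    100%            Active
"""

if __name__ == "__main__":
    print("local state before:", local_state(BEFORE))
    print("local state after: ", local_state(AFTER))
    print("failover completed:", failover_completed(BEFORE, AFTER))
```

Run the function on the output captured on each Cluster Member before and after the interface is taken down; a result of False with two Active members is the case to investigate first, because it means both members believe they own the cluster address.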
If you experience issues, make sure you have a configured Azure Stack Hub Service Principal. The Service Principal has to have Contributor privileges to the cluster resource group.
Using the Azure Stack Hub High Availability Daemon
The cluster solution in Azure Stack Hub uses the daemon to make API calls to Azure Stack Hub when a cluster failover takes place. This daemon uses a configuration file, $FWDIR/conf/azure-ha.json, on each Cluster Member.
When you deploy the above solution from the supplied template, a configuration file is created automatically.
The configuration file is in JSON format and contains these attributes:
Attribute's Name | Type | Value
---|---|---
 | Boolean | True or False
 | String | Subscription ID
 | String | Resource group location
 | String | Name of the environment
 | String | Resource group name
credentials | String | Indicates using automatic credentials on the Cluster Member Virtual Machine
 | String | Name of the Virtual Network
 | String | Name of the cluster
 | String | Name of the template
 | String | ID of the tenant
Notes:
- The credentials attribute contains:
  - Your Client-ID
  - Your Client-secret
  - Grant type client-credentials
  - Your Tenant ID
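The test list in the Testing and Troubleshooting section checks that the configuration file exists and that its credentials allow a login to Azure; the attribute table and notes above describe what the file holds. The following added example (not Check Point's test script) performs an offline sanity check of $FWDIR/conf/azure-ha.json from those statements alone: every attribute must be a Boolean or a String, and credentials must either be the String that indicates automatic credentials or an object holding the client ID, client secret, grant type client-credentials and tenant ID. The key names inside credentials (client_id, client_secret, grant_type, tenant) and the top-level names debug and subscriptionId used in the sample are assumptions, as the document does not list them. Because the file can hold a client secret, the file-level check also flags group or world read permissions.

```python
"""Sanity-check $FWDIR/conf/azure-ha.json before running the test script.

Added example, not Check Point code. The document lists attribute types and
meanings but not their names, so the checks rely only on: every attribute is
a Boolean or a String; the credentials attribute either indicates automatic
credentials (a String) or carries a client ID, client secret, grant type
client-credentials and tenant ID (an object). The key names inside
"credentials" and the attribute names in the samples are assumptions.
"""
import json
import os
import stat

CREDENTIAL_KEYS = ("client_id", "client_secret", "grant_type", "tenant")  # assumed names


def validate_conf(conf):
    """Return a list of problems found in the parsed configuration (empty = OK)."""
    problems = []
    if not isinstance(conf, dict):
        return ["top level is not a JSON object"]
    for name, value in conf.items():
        if name == "credentials":
            continue
        # The attribute table allows only Boolean and String values.
        if not isinstance(value, (bool, str)):
            problems.append("attribute %r should be a Boolean or a String" % name)
        elif isinstance(value, str) and not value.strip():
            problems.append("attribute %r is empty" % name)
    creds = conf.get("credentials")
    if creds is None:
        problems.append("credentials attribute is missing")
    elif isinstance(creds, dict):
        for key in CREDENTIAL_KEYS:
            if not creds.get(key):
                problems.append("credentials.%s is missing or empty" % key)
        # The notes require the client-credentials grant; a missing key is already reported.
        if creds.get("grant_type", "client_credentials") != "client_credentials":
            problems.append("credentials.grant_type must be client_credentials")
    elif not isinstance(creds, str):
        problems.append("credentials must be a String or an object")
    return problems


def validate_conf_file(path):
    """Parse the file and also check that a stored client secret is not readable by other users."""
    problems = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is accessible to group or others; it may hold a client secret" % path)
    with open(path) as fh:
        try:
            conf = json.load(fh)
        except ValueError as exc:
            return problems + ["not valid JSON: %s" % exc]
    return problems + validate_conf(conf)


# Constructed sample configurations with placeholder values (attribute names assumed).
GOOD = {
    "debug": False,
    "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "credentials": {
        "client_id": "<client-id>",
        "client_secret": "<client-secret>",
        "grant_type": "client_credentials",
        "tenant": "<tenant-id>",
    },
}
BAD = {"debug": 1, "credentials": {"client_id": "<client-id>", "grant_type": "password"}}

if __name__ == "__main__":
    print("GOOD:", validate_conf(GOOD) or "no problems")
    print("BAD: ", validate_conf(BAD))
```

On a Cluster Member, call validate_conf_file on $FWDIR/conf/azure-ha.json from Expert mode; a non-empty result points at the same class of problem the "Failed to login with the credentials provided" message reports, before any API call is made.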
You can confirm that the daemon in charge of communicating with Azure Stack Hub runs on each Cluster Member. In Expert mode, run:
cpwd_admin list | grep -E "PID|AZURE_HAD"
The output should be similar to this example:
Notes:
- The script appears in the output:
  - The STAT column should show "E" (executing)
  - The #START column should show "1" (the number of times this script was started by the Check Point WatchDog)
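As an added example (not Check Point code), the following script applies the two checks above to the cpwd_admin list output programmatically: it finds the AZURE_HAD row, requires STAT to be E and #START to be 1, and reports anything else. The sample outputs are constructed to match the command's column layout (APP, PID, STAT, #START, START_TIME, MON, COMMAND); the daemon command path shown in them is a placeholder.

```python
"""Check that the Azure Stack Hub HA daemon runs under the Check Point
WatchDog, from the output of 'cpwd_admin list'.

Added example, not Check Point code. The sample outputs are constructed to
match the command's columns; the COMMAND path is a placeholder.
"""
import subprocess

DAEMON = "AZURE_HAD"


def parse_cpwd_list(output):
    """Return {APP: {"pid": int, "stat": str, "starts": int}} from cpwd_admin output."""
    rows = {}
    for line in output.splitlines():
        fields = line.split()
        # Skip the header line and anything that does not look like a table row.
        if len(fields) < 4 or fields[0] == "APP" or not fields[1].isdigit():
            continue
        rows[fields[0]] = {"pid": int(fields[1]), "stat": fields[2], "starts": int(fields[3])}
    return rows


def check_daemon(output, app=DAEMON):
    """Return a list of findings; an empty list means the daemon looks healthy."""
    findings = []
    row = parse_cpwd_list(output).get(app)
    if row is None:
        return ["%s is not registered with the WatchDog" % app]
    if row["stat"] != "E":
        findings.append("%s STAT is %r, expected E (executing)" % (app, row["stat"]))
    if row["starts"] != 1:
        # More than one start means the WatchDog restarted the daemon after it
        # died; the reason should be in $FWDIR/log/azure_had.elg* (see below).
        findings.append("%s was started %d times, expected 1" % (app, row["starts"]))
    return findings


def check_live(app=DAEMON):
    """Run cpwd_admin on a Cluster Member (Expert mode) and check the daemon row."""
    result = subprocess.run(["cpwd_admin", "list"], capture_output=True, text=True, check=True)
    return check_daemon(result.stdout, app)


# Constructed sample outputs; the second one shows a daemon the WatchDog restarted twice.
HEALTHY = """APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        1234   E     1       [10:00:01] 1.1.2024    N    cpd
AZURE_HAD  2345   E     1       [10:00:05] 1.1.2024    N    python /path/to/azure_had.py
"""

RESTARTING = """APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        1234   E     1       [10:00:01] 1.1.2024    N    cpd
AZURE_HAD  9876   E     3       [10:42:17] 1.1.2024    N    python /path/to/azure_had.py
"""

if __name__ == "__main__":
    print("healthy sample:   ", check_daemon(HEALTHY) or "no findings")
    print("restarting sample:", check_daemon(RESTARTING))
```

A STAT other than E, or a #START above 1, is the cue to enable the debug printouts described next and read the log rather than to restart the daemon blindly, since a daemon that keeps dying will not make the API calls the failover depends on.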
To troubleshoot issues related to this daemon, generate debug. In Expert mode, run:
To enable debug printouts:
azure-ha-conf --debug --force
To disable debug printouts:
azure-ha-conf --no-debug --force
The debug output is written to $FWDIR/log/azure_had.elg* files.
Changing Template Components
The Check Point cluster's public IP address has to be in the same resource group as the Cluster Members.
These resources can be in any resource group:
- Virtual Network
- Network interfaces
- Route tables
- Storage account
Note - Make sure the resources Virtual Network and External Network Interfaces use the same automatic service principal with the same permissions.
Naming Constraints
- Cluster Member names in Azure have to match the Cluster Member names, with a suffix of '1' and '2'.
- The IP address of the cluster has to match the configuration file.
- By default it should match the cluster name.
Creating Objects in SmartConsole
For more information, see the Check Point Security Management Administration Guide for your Management Server version.
Important - After you create an object, you must publish the session to save the changes in the management database.
To create a Host object:
- From the top right Objects Pane, click New > Host.
  The New Host window opens.
- In the Machine field, enter the private IP address of the machine.
To create a Network object:
- From the top right Objects Pane, click New > Network.
  The New Network window opens.
- Enter the Object Name (specifically the subnet name).
- Enter the Network address and Net mask.
To create a Service (port) object:
- From the top right Objects Pane, click New > More > Service.
- Select your TCP/UDP service.
- Enter the Object name.
- In the Enter Object Comment field, enter the port name.
- In the General field, select your Protocol.
- In the Match By field, select the Port number.
- Click OK.