Additional Information

Testing and Troubleshooting

You can use the APIs to retrieve information about the cluster resource group.

Use these commands on each Cluster Member to confirm that the cluster operates correctly:

Note - Run these commands in the Expert Mode.

  • cphaprob state

  • cphaprob -a if

Example:

[Expert@HostName:0]# cphaprob state

Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State
 
1 (local)  11.22.33.245    0%              Active
2          11.22.33.246    10%             Standby

If all tests were successful, this message is displayed: All tests were successful!

Otherwise, an error message is displayed with information about how to troubleshoot the problem.

To get the latest version of the test script:

Note - Do steps 2-8 on each Cluster Member.

  1. Download the latest version of the test script from http://supportcenter.checkpoint.com/file_download?id=81245.

  2. Copy the downloaded TGZ file to a directory.

  3. Connect to the command line.

  4. Log in to the Expert mode.

  5. Unpack the TGZ file:

    tar -zxvf /<path to the downloaded script package>/Azure_cluster_ha_testing_sk110194.tgz

  6. Back up the current $FWDIR/scripts/azure_ha_test.py script:

    cp -v $FWDIR/scripts/azure_ha_test.py{,_backup}

  7. Copy the latest script to the $FWDIR/scripts/ directory:

    cp -v /<path to the downloaded script package>/azure_ha_test.py $FWDIR/scripts/

  8. Assign the required permissions:

    chmod -v 755 $FWDIR/scripts/azure_ha_test.py

Common configuration errors:

Message: The attribute (ATTRIBUTE) is missing in the configuration
Recommendation: --

Message: Primary DNS server is not configured / Failed to resolve (host)
Recommendation: The Cluster Member is not configured with a DNS server.

Message: Failed in DNS resolving test
Recommendation: Confirm that DNS resolution on the Cluster Member works.

Message: You do not seem to have a valid cluster configuration
Recommendation: Make sure that the Cluster Member configuration on the Check Point Security Management Server is complete, and that the Security Policy is installed.

Message: IP forwarding is not enabled on Interface (Interface-name)
Recommendation: Use PowerShell to enable IP forwarding on all the network interfaces of the Cluster Member.

Message: failed to read configuration file: $FWDIR/conf/azure-ha.json
Recommendation: The Azure Stack Cluster Member configuration is not up to date, or is not written correctly.

Message: Testing credentials
Recommendation: Failed to log in with the credentials provided. See the exception text to understand why.

Message: Testing authorization (Exception)
Recommendation: Make sure the Azure Stack service principal you created is designated as a Contributor to the cluster resource group.

Simulate a cluster failover

For example, shut down the internal interface of the Active Cluster Member.

  • On the current Active Cluster Member, run from the Expert Mode:

    ip link set dev eth1 down

  • After a few seconds, the second Cluster Member has to report itself as the Active Cluster Member.

    Examine the cluster state on each Cluster Member. In Gaia Clish or Expert mode, run:

    cphaprob state

  • On the former Active Cluster Member, run in Expert mode:

    ip link set dev eth1 up

If you experience issues:

Make sure you have a configured Azure Stack Service Principal. The service principal has to have Contributor privileges to the cluster resource group.

Using the Azure Stack High Availability Daemon

The cluster solution in Azure Stack uses the daemon to make API calls to Azure Stack when a cluster failover takes place. This daemon uses a configuration file, $FWDIR/conf/azure-ha.json, on each Cluster Member.

When you deploy the above solution from the supplied template, a configuration file is created automatically.

The configuration file is in JSON format and contains these attributes:

Attribute's Name   Type      Value
debug              Boolean   True or False
subscriptionId     String    Subscription ID
Location           String    Resource group location
Environment        String    Name of the environment
resourceGroup      String    Resource group name
credentials        String    Indicates using automatic credentials on the Cluster Member Virtual Machine
virtualNetwork     String    Name of the Virtual Network
clusterName        String    Name of the cluster
templateName       String    Name of the template
tenantId           String    ID of the tenant

Notes:

  • The credentials attribute contains:

    • Your Client-ID

    • Your Client-secret

    • Grant type client-credentials

    • Your Tenant ID
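The checks below are an added example, not part of the Check Point test script or this guide: they validate an azure-ha.json body against the attribute table above and report in the wording of the "Common configuration errors" table. The attribute names and types come from the table; the sample bodies, the case-insensitive name matching and the redaction of the credentials value are assumptions made here.

```python
import json

# Attribute names and JSON types from the table above. Names are compared
# case-insensitively because the table capitalizes Location and Environment.
EXPECTED_ATTRIBUTES = {
    "debug": bool, "subscriptionId": str, "Location": str, "Environment": str,
    "resourceGroup": str, "credentials": str, "virtualNetwork": str,
    "clusterName": str, "templateName": str, "tenantId": str,
}
# credentials carries the service principal's client secret: never echo it.
SECRET_ATTRIBUTES = {"credentials"}
CONFIG_PATH = "$FWDIR/conf/azure-ha.json"


def check_config_text(text):
    """Check one azure-ha.json body; returns a list of findings, empty when OK."""
    try:
        conf = json.loads(text)
    except ValueError as exc:
        return ["failed to read configuration file: %s (%s)" % (CONFIG_PATH, exc)]
    if not isinstance(conf, dict):
        return ["failed to read configuration file: %s (not a JSON object)" % CONFIG_PATH]
    present = {key.lower(): value for key, value in conf.items()}
    findings = []
    for name, expected in EXPECTED_ATTRIBUTES.items():
        if name.lower() not in present:
            findings.append("The attribute (%s) is missing in the configuration" % name)
            continue
        value = present[name.lower()]
        if not isinstance(value, expected):
            shown = "<redacted>" if name in SECRET_ATTRIBUTES else repr(value)
            findings.append("The attribute (%s) must be %s, found %s"
                            % (name, expected.__name__, shown))
        elif expected is str and not value.strip():
            findings.append("The attribute (%s) is empty" % name)
    return findings


# Constructed sample bodies with placeholder values (no real subscription, tenant or
# secret); the credentials string format is not documented here, so it is a stub.
SAMPLE_OK = json.dumps({
    "debug": False, "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "location": "local", "environment": "AzureStackEnv", "resourceGroup": "cp-cluster-rg",
    "credentials": "PLACEHOLDER-credentials", "virtualNetwork": "cp-vnet",
    "clusterName": "cp-cluster", "templateName": "cluster", "tenantId": "PLACEHOLDER-tenant",
})
# Broken variant: debug is a string instead of a Boolean and tenantId is absent.
SAMPLE_BROKEN = SAMPLE_OK.replace('"debug": false', '"debug": "false"').replace(
    ', "tenantId": "PLACEHOLDER-tenant"', "")
```

On a Cluster Member, pass the contents of $FWDIR/conf/azure-ha.json to check_config_text; an empty result corresponds to the script's "All tests were successful!" message.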

You can confirm that the daemon in charge of communicating with Azure Stack runs on each Cluster Member. In Expert mode, run:

cpwd_admin list | grep -E "PID|AZURE_HAD"

The output should be similar to this example:

Notes:

  • The script appears in the output:

    • The STAT column should show "E" (executing)

    • The #START column should show "1" (the number of times this script was started by the Check Point WatchDog)
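An added example (not from this guide) that applies the two notes above to the filtered cpwd_admin output: it reads the STAT and #START columns of the AZURE_HAD row and explains why the daemon is not healthy. The column layout (APP, PID, STAT, #START, START_TIME, MON, COMMAND) and the sample lines, including the PID, timestamp and STAT value "T", are constructed assumptions.

```python
# Column layout assumed from a typical `cpwd_admin list` header; the remaining
# columns (START_TIME, MON, COMMAND) are not needed for the two checks.
LEADING_COLUMNS = ("APP", "PID", "STAT", "#START")


def parse_cpwd_list(output):
    """Map APP name -> {column: value} for the leading columns of cpwd_admin list output."""
    lines = [line.split() for line in output.splitlines() if line.strip()]
    if not lines or lines[0][:4] != list(LEADING_COLUMNS):
        return {}
    # START_TIME contains a space, so only the leading fixed columns are mapped.
    return {fields[0]: dict(zip(LEADING_COLUMNS, fields)) for fields in lines[1:]}


def azure_had_status(output):
    """Return (healthy, reason) for the AZURE_HAD entry, per the notes above."""
    row = parse_cpwd_list(output).get("AZURE_HAD")
    if row is None:
        return False, "AZURE_HAD is not listed by cpwd_admin"
    if row.get("STAT") != "E":
        return False, "AZURE_HAD STAT is %r, expected E (executing)" % row.get("STAT")
    if row.get("#START") != "1":
        return False, "AZURE_HAD #START is %s: the WatchDog restarted it" % row.get("#START")
    return True, "AZURE_HAD is executing and was started once"


# Constructed sample output (PID and timestamp are invented), filtered as in
# cpwd_admin list | grep -E "PID|AZURE_HAD".
SAMPLE_HEALTHY = """\
APP        PID    STAT  #START  START_TIME             MON  COMMAND
AZURE_HAD  12345  E     1       [10:00:00] 1.1.2020    N    azure_had
"""
SAMPLE_RESTARTED = SAMPLE_HEALTHY.replace("E     1  ", "E     3  ")
SAMPLE_TERMINATED = SAMPLE_HEALTHY.replace("E     1  ", "T     1  ")
```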

To troubleshoot issues related to this daemon, generate debug output. In Expert mode, run:

To enable debug printouts:

azure-ha-conf --debug --force

To disable debug printouts:

azure-ha-conf --no-debug --force

The debug output is written to $FWDIR/log/azure_had.elg* files.

Changing Template Components

The Check Point cluster's public IP address has to be in the same resource group as the Cluster Members.

These resources can be in any resource group:

  • Virtual Network

  • Network interfaces

  • Route tables

  • Storage account

Note - Make sure the resources Virtual Network and External Network Interfaces use the same automatic service principal with the same permissions.

Naming Constraints

  • The Cluster Member names in Azure have to match the Cluster Member names, with a suffix of '1' and '2'.

  • The IP address of the cluster has to match the configuration file.

    • By default, it should match the cluster name.

Creating Objects in SmartConsole

For more information, see the Check Point Security Management Administration Guide for your Management Server version.

Important - After you create an object, you must publish the session to save the changes in the management database.

To create a Host object:

  1. From the top right Objects Pane, click New > Host.

    The New Host window opens.

  2. In the Machine field, enter the private IP address of the machine.

To create a Network object:

  1. From the top right Objects Pane, click New > Network.

    The New Network window opens.

  2. Enter the Object Name (specifically the subnet name).

  3. Enter the Network address and Net mask.

To create a Service (port) object:

  1. From the top right Objects Pane, click New > More > Service.

  2. Select your TCP/UDP service.

  3. Enter the Object name.

  4. In the Enter Object Comment field, enter the port name.

  5. In the General field, select your Protocol.

  6. In the Match By field, select the Port number.

  7. Click OK.