Additional Information

Testing and Troubleshooting

You can use the GCP APIs to retrieve information about the cluster's resources.

Use the cluster configuration test script on each Cluster Member to confirm that it is configured correctly.

To check the configuration, run the following script on each Cluster Member:

  1. Connect to the command line.

  2. Log in to the Expert mode.
  3. Run the script with this command (do not change the syntax):

    $FWDIR/scripts/google_ha_test.py

    If all tests were successful, this message is displayed: All tests were successful! Otherwise, an error message is displayed with information about how to troubleshoot the problem.

Common configuration errors:

Message: The attribute (ATTRIBUTE) is missing in the configuration
Recommended Action: Make sure the configuration file is correct.

Message: Primary DNS server is not configured
Message: Failed to resolve (host)
Recommended Action: The Cluster Member is not configured with a DNS server. Configure a DNS server on the Cluster Member.

Message: Failed in DNS resolving test
Recommended Action: Confirm that DNS resolution on the Cluster Member works.

Message: You do not seem to have a valid cluster configuration
Recommended Action: Make sure the Cluster Member configuration on the Check Point Security Management Server is complete, and that the Security Policy is installed.

Message: IP forwarding is not enabled on Interface (Interface-name)
Recommended Action: Make sure IP forwarding is enabled for the Cluster Member instance in GCP.

Message: Failed to read configuration file: $FWDIR/conf/gcp-ha.json
Recommended Action: The GCP Cluster Member configuration is not up-to-date, or is written incorrectly. Check that the file exists and is valid JSON.

Message: Testing credentials
Recommended Action: Failed to log in with the credentials provided. See the exception text to understand why.

Message: Testing authorization (Exception)
Recommended Action: Make sure the GCP daemon has access to the GCP API.
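A way to run the same kind of checks yourself before or after calling the test script, as an added example that is not Check Point's google_ha_test.py and does not replace it: it reads the daemon's configuration file, reports missing or mistyped attributes using the message wording from the table above, and repeats the two DNS tests. The attribute names and types are taken from the gcp-ha.json table in the next section (written with underscores, as in step 4 of the upgrade procedure below); the resolver target www.googleapis.com, the fallback path when FWDIR is unset, and the sample values in the test are assumptions.

```python
"""Local pre-checks for a GCP Cluster Member, modelled on the troubleshooting
table. Added example, not Check Point's google_ha_test.py."""
import json
import os
import socket

# Attribute name -> expected JSON type, from the gcp-ha.json attribute table.
REQUIRED_ATTRIBUTES = {
    "debug": bool,
    "public_ip": str,
    "secondary_public_ip": str,
    "dest_ranges": str,
}


def check_config_dict(cfg):
    """Return the problems found in a parsed gcp-ha.json (empty list = OK)."""
    if not isinstance(cfg, dict):
        return ["Configuration file is not a JSON object"]
    problems = []
    for name, expected in REQUIRED_ATTRIBUTES.items():
        if name not in cfg:
            problems.append("The attribute (%s) is missing in the configuration" % name)
        elif not isinstance(cfg[name], expected):
            problems.append("The attribute (%s) must be a %s, found %s"
                            % (name, expected.__name__, type(cfg[name]).__name__))
    return problems


def check_config_file(path):
    """Read and validate the daemon's configuration file."""
    try:
        with open(path) as fh:
            cfg = json.load(fh)
    except (OSError, ValueError) as exc:
        return ["Failed to read configuration file: %s (%s)" % (path, exc)]
    return check_config_dict(cfg)


def nameservers(resolv_conf_text):
    """Extract the nameserver entries from /etc/resolv.conf content."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_dns(resolv_conf="/etc/resolv.conf", host="www.googleapis.com"):
    """Mirror the two DNS tests: a DNS server is configured, and a name resolves.

    The host is an assumption; any name the daemon must reach will do.
    """
    try:
        with open(resolv_conf) as fh:
            servers = nameservers(fh.read())
    except OSError:
        servers = []
    if not servers:
        return ["Primary DNS server is not configured"]
    try:
        socket.gethostbyname(host)
    except socket.gaierror as exc:
        return ["Failed to resolve %s (%s)" % (host, exc)]
    return []


def run_checks(path=None):
    """Run all checks, print a summary, and return the list of problems."""
    if path is None:
        # FWDIR is set in Expert mode; the "." fallback is only for running elsewhere.
        path = os.path.join(os.environ.get("FWDIR", "."), "conf", "gcp-ha.json")
    problems = check_config_file(path) + check_dns()
    for problem in problems:
        print("FAIL:", problem)
    if not problems:
        print("All tests were successful!")
    return problems


if __name__ == "__main__":
    run_checks()
```

Run it from Expert mode on each Cluster Member so that FWDIR is set; a non-empty result lists the failing checks in the same wording as the table, which makes it easy to map back to the recommended action.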

Using the GCP High Availability Daemon

The cluster solution in GCP uses the daemon to make API calls to GCP when a cluster failover takes place. This daemon uses a configuration file, $FWDIR/conf/gcp-ha.json, on each Cluster Member.

When you deploy the solution from the supplied template, the configuration file is created automatically.

The configuration file is in JSON format and contains these attributes:

Attribute's Name      Type     Value

debug                 Boolean  True or False

public_ip             String   Name (not the IP itself) of the GCP external address resource used as the cluster's primary public IP address

secondary_public_ip   String   Name (not the IP itself) of the GCP external address resource used as the cluster's secondary public IP address

dest_ranges           String   IP range for updating

You can confirm that the daemon in charge of communicating with GCP runs on each Cluster Member.

The output should be similar to this example:

When debug is set to True, the daemon writes its debug output to the $FWDIR/log/gcp_had.elg* files.

Creating Objects in SmartConsole

For more information, see the Check Point R80.30 Security Management Administration Guide.

Important - After you create an object, you must publish the session to save the changes in the management database.

To create a Host object:

  1. From the top right Objects Pane, click New > Host.

    The New Host window opens.

  2. In the Machine field, enter the private IP address of the machine.

To create a Network object:

  1. From the top right Objects Pane, click New > Network.

    The New Network window opens.

  2. Enter the Object Name (specifically the subnet name).

  3. Enter the Network address and Net mask.

To create a Service (port) object:

  1. From the top right Objects Pane, click New > More > Service.

  2. Select your TCP/UDP service.

  3. Enter the Object name.

  4. In the Enter Object Comment field, enter the port name.

  5. In the General field, select your Protocol.

  6. In the Match By field, select the Port number.

  7. Click OK.
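The same three object types created through the Check Point Management API instead of SmartConsole, as an added example that is not from the admin guide. It makes the Important note above concrete: objects created by add-host, add-network and add-service-tcp exist only in the API session until publish succeeds, exactly like unpublished SmartConsole changes. The management server address, the API user, and the object names and addresses are constructed placeholders, and the server must accept API calls from the machine running the script (Manage & Settings > Blades > Management API in SmartConsole).

```python
"""Create Host, Network and Service (TCP port) objects through the Check Point
Management API and publish them. Added example; server, credentials and object
values are placeholders, not values from the admin guide."""
import json
import ssl
import urllib.request

MGMT_HOST = "203.0.113.10"   # assumed management server address (documentation range)


def object_requests(host_ip, subnet, mask_length, port):
    """The API calls that mirror the three SmartConsole procedures, then publish.

    Until the publish call succeeds the objects exist only in this session.
    """
    return [
        ("add-host", {"name": "web-vm-1", "ip-address": host_ip}),
        ("add-network", {"name": "internal-subnet-a", "subnet": subnet,
                         "mask-length": mask_length}),
        ("add-service-tcp", {"name": "tcp-%d" % port, "port": str(port),
                             "comments": "port %d" % port}),
        ("publish", {}),
    ]


class MgmtApi:
    """Minimal client for https://<server>/web_api/ using only the standard library."""

    def __init__(self, host, verify_tls=True):
        self.base = "https://%s/web_api/" % host
        self.sid = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:   # only for lab servers with a self-signed certificate
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid   # session token returned by login
        req = urllib.request.Request(self.base + command,
                                     data=json.dumps(payload).encode("utf-8"),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def logout(self):
        if self.sid:
            self.call("logout", {})
            self.sid = None


def create_objects(api, user, password, host_ip="10.0.1.5", subnet="10.0.2.0",
                   mask_length=24, port=8443):
    """Log in, create the objects, publish, and always log out."""
    api.login(user, password)
    try:
        return [api.call(cmd, body)
                for cmd, body in object_requests(host_ip, subnet, mask_length, port)]
    finally:
        api.logout()


if __name__ == "__main__":
    import getpass
    api = MgmtApi(MGMT_HOST)
    for result in create_objects(api, "api-user", getpass.getpass("API user password: ")):
        print(json.dumps(result)[:120])
```

If the script fails between an add call and publish, the session's unpublished changes are discarded at logout, so re-running it is safe; an object that was already published is reported by the server as an existing-name error rather than duplicated.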

Upgrading a Check Point CloudGuard IaaS High Availability Solution to a Newer Version

Use the following instructions to upgrade a deployed Check Point CloudGuard IaaS High Availability solution to a newer version.

Step-by-step instructions for upgrading to a new version:

  1. Log in to the Google Cloud Console.

  2. Open the source CloudGuard High Availability instances (member-a and member-b):

    1. In the active member page:

      Locate the primary cluster address (nic0 External IP) and copy its name to use later ('XXX-primary-cluster-address').

    2. In the stand-by member page:

      Locate the secondary cluster address (nic0 External IP) and copy its name to use later ('XXX-secondary-cluster-address').

  3. Deploy a new Check Point CloudGuard IaaS High Availability solution (this is the "target solution").

    1. Under High Availability Version, select the version.

    2. Under Instance Configuration, select the same configurations as in the Source solution.

    3. Under Check Point, select the same configurations as in the Source solution.

    4. Under Networking, select the same network configurations as in the Source solution, such as Cluster external subnet, Management external subnet, and internal networks.

  4. Adjust the configuration file of the target solution instances to match the Source solution's external IP addresses. For both instances of the target solution:

    1. Log in to SSH.

    2. From the Expert Mode, run:

      vi $FWDIR/conf/gcp-ha.json

    3. Edit the file so that these two lines contain the source cluster's address names:

      "public_ip": "<primary cluster address name (copied in 2.a)>",
      "secondary_public_ip": "<secondary cluster address name (copied in 2.b)>",

      Keep the other lines in the file the same.

      Note - Keep the separating commas at the end of each line so that the file stays valid JSON.

    4. Save the changes in the file and exit the editor.

    Important - Connectivity loss will occur during the next steps.

  5. Stop the source cluster’s instances.

  6. Delete routes from the source cluster's internal networks manually:

    Go to the Navigation menu > NETWORKING > VPC network > VPC networks.

    Do the following for each internal network in the solution:

    1. Select the internal network.

    2. Select Routes.

    3. Delete these routes:

      • The route whose name starts with "x-chkp" and ends with "to-member-a" (if it exists; which route is present depends on which member is currently active).

      • The route whose name starts with "x-chkp" and ends with "to-member-b".

  7. Release the primary and secondary IP addresses of the source cluster.

    From the Navigation menu > NETWORKING > VPC network > External IP addresses.

    1. Locate the primary cluster address name (see 2.a above) and the secondary cluster address name (see 2.b above).

    2. For both IP addresses:

      1. Select Change. The Attach IP address window opens.

      2. Under Attach to, choose None, and then clear the Assign a new ephemeral IP address box.

  8. Configure in SmartConsole

    In Gateways & Servers, double-click the cluster object and edit these settings:

    1. Under General Properties, select the new version (the version of the Target solution created in step 3).

    2. Under Cluster Members, update the members to match the members of the Target solution:
      For each member, update the IPv4 Address (the management network's external IP).

    3. Under Network management, modify the interfaces to match the Target solution members.

    4. Reinitialize SIC between the target cluster and the management server.

    5. Install policy on the cluster.

    Note - At this point, and after the all new routes and IP addresses configurations are finished, the Target CloudGuard IaaS High Availability handles all the traffic in the environment (such as inbound, outbound, E-W, and VPN tunneling). Make sure that all the traffic flows work as expected (you can also check for failover) before proceeding.

  9. Delete your source CloudGuard IaaS High Availability instances and release redundant IP addresses.

    Important - Do not delete the entire deployment of the source solution, because the Target solution now uses the source's primary and secondary IP addresses.
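Step 4 of this procedure done as a script instead of by hand in vi, as an added example that is not part of the Check Point template: it rewrites the two address-name keys from step 4.c in a target member's gcp-ha.json, leaves every other key untouched (the "keep the other lines the same" requirement), writes valid JSON so the trailing-comma note takes care of itself, and refuses a value that is an IP literal, because the file expects the name of the GCP address resource copied in step 2, not the address itself. The key names come from step 4.c; the script name, the sample file contents and Python 3 (for the ipaddress module) are assumptions.

```python
"""Rewrite the cluster address names in gcp-ha.json (upgrade step 4).
Added example; key names taken from step 4.c, everything else is assumed."""
import ipaddress
import json
import sys

ADDRESS_KEYS = ("public_ip", "secondary_public_ip")


def is_address_name(value):
    """True for a plausible GCP address resource name, False for an IP literal or empty."""
    if not isinstance(value, str) or not value.strip():
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return True        # not parseable as an IP: treat it as a resource name
    return False           # an IP literal is the classic mistake in this step


def retarget_config(cfg, primary_name, secondary_name):
    """Return a copy of cfg pointing at the source cluster's address names."""
    for value in (primary_name, secondary_name):
        if not is_address_name(value):
            raise ValueError("expected a GCP address name, got %r" % (value,))
    if primary_name == secondary_name:
        raise ValueError("primary and secondary address names must differ")
    updated = dict(cfg)                # keep the other lines in the file the same
    updated["public_ip"] = primary_name
    updated["secondary_public_ip"] = secondary_name
    return updated


def retarget_file(path, primary_name, secondary_name):
    """Apply retarget_config to the file in place; return {key: (old, new)}."""
    with open(path) as fh:
        cfg = json.load(fh)
    updated = retarget_config(cfg, primary_name, secondary_name)
    with open(path, "w") as fh:
        json.dump(updated, fh, indent=4)   # valid JSON, commas included
        fh.write("\n")
    return {key: (cfg.get(key), updated[key]) for key in ADDRESS_KEYS}


if __name__ == "__main__":
    # On each target member, in Expert mode (script name is assumed):
    #   python3 retarget_gcp_ha.py $FWDIR/conf/gcp-ha.json XXX-primary-cluster-address XXX-secondary-cluster-address
    if len(sys.argv) != 4:
        sys.exit("usage: %s <gcp-ha.json> <primary address name> <secondary address name>" % sys.argv[0])
    for key, (old, new) in retarget_file(*sys.argv[1:]).items():
        print("%s: %s -> %s" % (key, old, new))
```

Run it once on each of the two target instances before stopping the source cluster (step 5); the printed old and new values give a record of what changed in case the upgrade has to be rolled back.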

Related Solutions