Troubleshooting

Issue

Solution

How to enable debugging on each Cluster Member Security Gateway that is part of a cluster.?

From the Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member (either one), run in the Expert mode:

python3 $FWDIR/scripts/aws_ha_cli.py stop
python3 $FWDIR/scripts/aws_ha_cli.py --debug reconf

Debug output is written to:

$FWDIR/log/aws_had.elg

To disable debugging, you MUST run the following command on each Cluster Member:

python3 $FWDIR/scripts/aws_ha_cli.py restart

What permissions are required for the CloudGuard Security Cluster Members IAM role?

Copy

Example of a JSON script

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeRouteTables",
        "ec2:ReplaceRoute",
        "ec2:AssignPrivateIpAddresses",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateRoute"
        ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

IAM roles, not properly configured, will prevent the Cluster Members from communicating with AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. to make networking changes if a Cluster Member failure occurs.

Experiencing issues with Cluster

Verify that the script in charge of communicating with AWS is running on each Cluster Member.

On the Cluster Member (either one), run in the Expert mode:

cpwd_admin list | grep -E "PID|AWS_HAD"

The output should have a line like this:

Notes -

The script must appear in the output.
The "STAT" column must show "E" ("Executing").
The "#START" column must show "1" - this is how many times this script was started by the Check Point WatchDog.

Testing the environment

For testing the Cluster environment, run in the Expert mode:

python3 $FWDIR/scripts/aws_ha_test.py

This will run tests that verifies:

A Primary DNS server is configured.
DNS resolution works.
Access from the Cluster Member to the AWS metadata service (HTTP to 169.254.169.254) is available.
The instance set up includes an IAM role.
IAM credentials are available.
Access from the Cluster Member to the AWS web service endpoint (over TCP port 443) is available.
The IAM credentials allow the instance to make API calls into AWS.
The cluster is configured with at least one internal interface.
For each Cluster Member interface, there exists a corresponding AWS ENI (Elastic Network Interface) sharing the same primary private address.
All Cluster Member interfaces have the source and, or destination check disabled.
Compares the system clock to the time reported by AWS.

Routing tables (RTB) do not fail over with AWS cluster members when more than one RTB is configured

Refer to sk121598.

During failover, the AWS route tables do not change their route from the failed member to standby active member

Confirm the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. is not blocking the traffic to AWS.
Make sure the Cluster Members IAM rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. is with all required permissions.
Confirm that the system clock on the Cluster Members is set properly. You should set up the Cluster Members to use NTP.
Make sure that the Security Policy on the gateways allows the Cluster Members to initiate outbound NTP traffic (UDP/123) to your NTP servers.