asg_sync_manager
Description
The asg_sync_manager enables the user to define its required synchronization level. The synchronization level is a combination of system synchronization settings (e.g. backup connections to standby Chassis) and specific rules (e.g. do not sync HTTP connections). Specific rules are referred to as sync exception table. Connections are serially matched against this table.
In addition to the synchronization settings, this utility also controls SecureXL delayed synchronization parameters: when connection is created within SecureXL (from SecureXL template), asg_sync_manager can set the period until it will be synchronized to firewall.
By default, specific sync exception table consists of a single rule, which is not to synchronize DNS traffic.
Key synchronization properties are also displayed in asg stat -v
Usage The utility is interactive. The following options are available:
Option
|
Description
|
1) Print sync exceptions table
|
This view displays the sync exception table. Each entry in this table consists of:
- <5-tuple, including wild cards>
- synchronization mode (none, within Chassis only, between Chassis only, both within ,between Chassis and to all SGMs)
- SecureXL delayed synchronization value
In addition, global synchronization values are displayed
|
2) Add new sync exceptions rule
|
Add new rule to the sync exceptions table. The user can hit enter at any stage to apply the default value. Specific rules allow the use of wildcards within 5-tuple. New rule will apply for new connections
|
3) Delete old sync exception rule
|
Delete rule from the sync exceptions table
|
4) Set sync between Chassis flag on / off
|
Global system setting: whether to synchronize connections to backup Chassis
|
5) Set sync within local Chassis flag on / off
|
Global system setting: whether to synchronize connections within active Chassis
|
6) Configure sync between Chassis SGMs ratio
|
Minimal SGMs ratio between active and backup Chassis for synchronization to occur. If the number of UP SGMs in standby Chassis is significantly low, compared to active Chassis, synchronization might overload them. Default ratio for synchronization is 70% and it can be re-configured here. After configuration, user can also choose to restore default settings
|
7) Set default delay notifications
|
Default delayed synchronization setting are divided to HTTP related services (30) and all other services (5). User can reconfigure these settings here. Note that when configuring service delayed synchronization in SmartDashboard it overrides these settings
|
8) Enable / Disable unicast sync
|
The user can enable / disable unicast sync (correction layer will be enabled / disabled accordingly) and return to legacy synchronization scheme (synchronize connections to all SGMs). Changing this setting requires reboot of all SGMs
|
Example 1 asg_sync_manager
Output
Please choose one of the following:
-----------------------------------
1) Print sync exceptions table
2) Add new sync exceptions rule
3) Delete old sync exception rule
4) Set sync between Chassis flag on / off
5) Set sync within local Chassis on / off
6) Configure sync between Chassis blades ratio
7) Set default delay notifications
8) Enable / Disable unicast sync
e) Exit
Tip : you can always press e to return to main menu
Example 2 The following example shows how to add rule for all Virtual Systems which limits the synchronization of HTTP traffic, initiated from network 3.3.3.0/24 to network 4.4.4.0/24 to active Chassis only:
Enter vs range: [default: 0]
>all
Enter source IP [0.0.0.0]:
>3.3.3.0
Enter source IP mask length [0]:
>24
Enter destination IP [0.0.0.0]:
>4.4.4.0
Enter destination IP mask length [0]:
>24
Enter destination port [0]:
>80
Enter IP protocol number (for example: tcp = 6, udp = 17):
>6
Enter the sync exception rule [3 - sync to all chassis]:
0 = no sync
1 = sync only to local chassis
2 = sync only to other chassis
3 = sync to all chassis
4 = sync to all SGMs
>1
Enter delay notification [30 - http, 5 - other]:
>
to insert new exception to vs 0-1,2: <3.3.3.0/24, 4.4.4.0/24, 80, 6> sync rule: 1, delay: 5 ? (y/n)
>y
After adding this rule, sync exception table will be displayed as follows:
+----------------------------------------------------------------------------+
|Sync exceptions table |
+-----+-------+---------------+-----------+-----+------+----+-----+----------+
|Idx |VS |Source |Mask |Destination|Mask |DPort |Ipp |Sync |Delay |
+-----+-------+---------------+-----------+-----+------+----+-----+----------+
|1 |0-1,2 |0.0.0.0 |0 |0.0.0.0 |0 |53 |17 |0 |5 |
|2 |0-1,2 |3.3.3.0 |24 |4.4.4.0 |24 |80 |6 |1 |5 |
+-----+-------+---------------+-----------+-----+------+----+-----+----------+
*Sync: 0=no sync, 1=sync only to local Chassis,2=sync only to other Chassis,3 = sync to all Chassis
**Delay: The time it takes for connections created from templates to synchronize
+---------------------------------------------------------------------------------------+
|Sync chassis |
+----+----------------+----------------+--------------------+--------------------+------+
|VS |Between chassis |Within chassis |Unicast sync |Correction layer |Ratio |
+----+----------------+----------------+--------------------+--------------------+------+
|0 |Enabled |Enabled |Enabled |Enabled |50 |
|1 |Enabled |Enabled |Enabled |Enabled |50 |
|2 |Enabled |Enabled |Enabled |Enabled |50 |
+----+----------------+------*---------+--------------------+--------------------+------+
+---------------------------------------------------------+
|Delay |
+---------------+--------------------+--------------------+
|VS |http |default |
+---------------+--------------------+--------------------+
|0 |30 |5 |
|1 |30 |5 |
|2 |30 |5 |
+---------------+--------------------+--------------------+
Enter vs range: [default: 0-1,2]
|
