Controlling ISP Redundancy from CLI
You can control the ISP Redundancy behavior from CLI.
Force ISP Link State
Use the "fw isp_link" command to force the ISP link state to Up or Down.
Use this to test installation and deployment, or to force the Security Group
A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. to recognize the true link state if it cannot (the ISP link is down, but the Security Group detects it as up).
-
You can run this command on the Security Group in the Expert mode:
g_fw isp_link <Name of ISP Link in SmartConsole> {up | down} -
You can run this command on the Security Management Server
Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server.:fw isp_link <Name of Security Gateway Object> <Name of ISP Link in SmartConsole> {up | down}
For more information, see the R80.20 CLI Reference Guide > Chapter Security Gateway Commands > Section fw > Section fw isp_link.
The ISP Redundancy Script
When the Security Group starts, or an ISP link state changes, the $FWDIR/bin/cpisp_update script runs on the Security Group.
This script changes the default route of the Security Group.
For example, you can force the Security Group to change the state of an interface to match that state of its ISP link.