Group of Bonds

Introduction

Group of Bonds, which is a logical group of existing Bond interfaces, provides additional link redundancy.

  1. The Cluster Member GW-A is the Active and the Cluster Member GW-B is the Standby.

  2. On the Cluster Member GW-A, the Bond-1 interface fails.

  3. On the Cluster Member GW-A, the Critical DeviceClosed A special software device on each Cluster Member, through which the critical aspects for cluster operation are monitored. When the critical monitored component on a Cluster Member fails to report its state on time, or when its state is reported as problematic, the state of that member is immediately changed to Down. The complete list of the configured critical devices (pnotes) is printed by the 'cphaprob -ia list' command or 'show cluster members pnotes all' command. Synonyms: Pnote, Problem Notification. Interface Active Check reports its state as "problem".

  4. The Cluster Member GW-A changes its cluster state from Active to DownClosed State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd-party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster..

  5. The cluster fails over - the Cluster Member GW-B changes its cluster state from Standby to Active.

This is not the desired behavior, because the Cluster Member GW-A connects not only to the switch SW-1, but also to the switch SW-2. In our example topology, there is no actual reason to fail-over from the Cluster Member GW-A to the Cluster Member GW-B.

In order to overcome this problem, Cluster Members use the Group of Bonds consisting of Bond-1 and Bond-2. The Group of Bonds fails only when both Bond interfaces fail on the Cluster Member. Only then the cluster fails over.

  1. The Cluster Member GW-A is the Active and the Cluster Member GW-B is the Standby.

  2. On the Cluster Member GW-A, the Bond-1 interface fails.

  3. On the Cluster Member GW-A, the Critical Device Interface Active Check reports its state as "problem".

  4. The Cluster Member GW-A does not change its cluster state from Active to Down.

  5. On the Cluster Member GW-A, the Bond-2 interface fails as well.

  6. The Cluster Member GW-A changes its cluster state from Active to Down.

  7. The cluster fails over - the Cluster Member GW-B changes its cluster state from Standby to Active.

Creating a new Group of Bonds

This procedure lets you create a new Group of Bonds.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

  1. Connect to the command line on the Cluster Member.

  2. Log in to the Expert mode.

  3. In VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster, switch to the context of the applicable Virtual System:

    vsenv <VSID>

  4. Modify the current $FWDIR/boot/modules/fwkern.conf file:

    1. BackupClosed (1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be promoted to Master state (if Master member fails). (2) In VSX Cluster configured in Virtual System Load Sharing mode with three or more Cluster Members - State of a Virtual System on a third (and so on) VSX Cluster Member. (3) A Cluster Member or Virtual System in this state does not process any traffic passing through cluster. the current file:

      cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

    2. Edit the current file:

      vi $FWDIR/boot/modules/fwkern.conf

    3. Add these two lines at the bottom of the file (spaces or comments are not allowed):

      fwha_group_of_bonds_str=<Name for Group of Bonds>:<List of all Bonds in this Group separated by comma>

      fwha_arp_probe_method=1

      Example:

      fwha_group_of_bonds_str=GoB0:bond0,bond1;GoB1:bond2,bond3

      fwha_arp_probe_method=1

      Note - The kernel parameter "fwha_arp_probe_method" configures the Cluster Member to use the Virtual IP address as the Source IP address in the ARP Requests during the probingClosed If a Cluster Member fails to receive status for another member (does not receive CCP packets from that member) on a given segment, Cluster Member will probe that segment in an attempt to illicit a response. The purpose of such probes is to detect the nature of possible interface failures, and to determine which module has the problem. The outcome of this probe will determine what action is taken next (change the state of an interface, or of a Cluster Member). of the local network.

    4. Save the changes in the file and exit the editor.

  5. Change the value of the kernel parameter fwha_group_of_bonds_str to add the Group of Bonds on-the-fly:

    fw ctl set str fwha_group_of_bonds_str '<Name for Group of Bonds>:<List of all Bonds in this Group separated by comma>'

    Example:

    fw ctl set str fwha_group_of_bonds_str 'GoB0:bond0,bond1;GoB1:bond2,bond3'

    Notes:

    • The apostrophe characters are mandatory part of the syntax.

    • Spaces are not allowed in the value of the kernel parameter fwha_group_of_bonds_str.

  6. Change the value of the kernel parameter fwha_arp_probe_method on-the-fly:

    fw ctl set int fwha_arp_probe_method 1

  7. Make sure the Cluster Member accepted the new configuration:

    fw ctl get str fwha_group_of_bonds_str

    fw ctl get int fwha_arp_probe_method

  8. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., install the Access Control Policy on the cluster object.

Adding a Bond interface to the existing Group of Bonds

This procedure lets you add an additional bond interface to the existing Group of Bonds.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

  1. Connect to the command line on the Cluster Member.

  2. In VSX Cluster, switch to the context of the applicable Virtual System:

    vsenv <VSID>

  3. Log in to the Expert mode.

  4. Modify the current $FWDIR/boot/modules/fwkern.conf file:

    1. Backup the current file:

      cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

    2. Edit the current file:

      vi $FWDIR/boot/modules/fwkern.conf

    3. Edit the value of the kernel parameter fwha_group_of_bonds_str to add the Bond interface to the existing Group of Bonds.

      Example:

      fwha_group_of_bonds_str=GoB0:bond0,bond1;GoB1:bond2,bond3,bond4

    4. Save the changes in the file and exit the editor.

  5. Get the current value of the kernel parameter fwha_group_of_bonds_str and copy it:

    fw ctl get str fwha_group_of_bonds_str

  6. Reset the current value of the kernel parameter fwha_group_of_bonds_str:

    fw ctl set str fwha_group_of_bonds_str ''

  7. Make sure the Cluster Member reset the value of the kernel parameter fwha_group_of_bonds_str:

    fw ctl get str fwha_group_of_bonds_str

  8. Change the value of the kernel parameter fwha_group_of_bonds_str to add the Bond interface to the existing Group of Bonds on-the-fly:

    fw ctl set str fwha_group_of_bonds_str '<Name for Group of Bonds>:<List of all Bonds in this Group separated by comma>'

    Example:

    fw ctl set str fwha_group_of_bonds_str 'GoB0:bond0,bond1;GoB1:bond2,bond3,bond4'

    Notes:

    • The apostrophe characters are mandatory part of the syntax.

    • Spaces are not allowed in the value of the kernel parameter fwha_group_of_bonds_str.

  9. Make sure the Cluster Member accepted the new configuration:

    fw ctl get str fwha_group_of_bonds_str

  10. In SmartConsole, install the Access Control Policy on the cluster object.

Removing a Bond interface from the existing Group of Bonds

This procedure lets you remove a bond interface from an existing Group of Bonds.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

  1. Connect to the command line on the Cluster Member.

  2. Log in to the Expert mode.

  3. In VSX Cluster, switch to the context of the applicable Virtual System:

    vsenv <VSID>

  4. Modify the current $FWDIR/boot/modules/fwkern.conf file:

    1. Backup the current file:

      cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

    2. Edit the current file:

      vi $FWDIR/boot/modules/fwkern.conf

    3. Edit the value of the kernel parameter fwha_group_of_bonds_str to remove the Bond interface from the existing Group of Bonds.

      Example:

      fwha_group_of_bonds_str=GoB0:bond0,bond1;GoB1:bond2,bond3

    4. Save the changes in the file and exit the editor.

  5. Get the current value of the kernel parameter fwha_group_of_bonds_str and copy it:

    fw ctl get str fwha_group_of_bonds_str

  6. Reset the current value of the kernel parameter fwha_group_of_bonds_str:

    fw ctl set str fwha_group_of_bonds_str ''

  7. Make sure the Cluster Member reset the value of the kernel parameter fwha_group_of_bonds_str:

    fw ctl get str fwha_group_of_bonds_str

  8. Change the value of the kernel parameter fwha_group_of_bonds_str to remove the Bond interface from the existing Group of Bonds on-the-fly:

    fw ctl set str fwha_group_of_bonds_str '<Name for Group of Bonds>:<List of all Bonds in this Group separated by comma>'

    Example:

    fw ctl set str fwha_group_of_bonds_str 'GoB0:bond0,bond1;GoB1:bond2,bond3

    Notes:

    • The apostrophe characters are mandatory part of the syntax.

    • Spaces are not allowed in the value of the kernel parameter fwha_group_of_bonds_str.

  9. Make sure the Cluster Member accepted the new configuration:

    fw ctl get str fwha_group_of_bonds_str

  10. In SmartConsole, install the Access Control Policy on the cluster object.

Deleting a Group of Bonds

This procedure lets you delete an existing Group of Bonds.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

  1. Connect to the command line on the Cluster Member.

  2. Log in to the Expert mode.

  3. In VSX Cluster, switch to the context of the applicable Virtual System:

    vsenv <VSID>

  4. Modify the current $FWDIR/boot/modules/fwkern.conf file:

    1. Backup the current file:

      cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

    2. Edit the current file:

      vi $FWDIR/boot/modules/fwkern.conf

    3. Delete these two lines in the file:

      fwha_group_of_bonds_str=<Name for Group of Bonds>:<List of all Bonds in this Group separated by comma>

      fwha_arp_probe_method=1

    4. Save the changes in the file and exit the editor.

  5. Reset the current value of the kernel parameter fwha_group_of_bonds_str:

    fw ctl set str fwha_group_of_bonds_str ''

  6. Make sure the Cluster Member reset the value of the kernel parameter fwha_group_of_bonds_str:

    fw ctl get str fwha_group_of_bonds_str

  7. In SmartConsole, install the Access Control Policy on the cluster object.

Monitoring

To see the configured Groups of Bonds, run the "cphaprob show_bond_groups" command. See Viewing Bond Interfaces.

Logs

Cluster Members generate some applicable logs.

  1. User Space logs:

    • In non-VSX Cluster:

      In the /var/log/messages files.

      Output of the dmesg command.

    • In VSX Cluster:

      In the $FWDIR/log/fwk.elg file in the context of the applicable Virtual System.

  2. Kernel Space logs:

    • In the kernel module fw, enable the debug flags error and ioctl

    • Kernel module cluster, enable the debug flag if

    See the R80.40 Quantum Security Gateway Guide - Chapter Kernel Debug on Security Gateway.

    The kernel debug shows:

    • A physical subordinate interface goes down/up.

    • A Bond interface goes down/up (regardless of a change in the Cluster Member's state).

    • A Group of Bonds goes down/up.

    Note - These logs are generated only once per event.

Limitations

Specific limitations apply to a Group of Bonds.

  • The maximal length on the text string "<Name for Group of Bonds>" is 16 characters.

  • The maximal length on this text string is 1024 characters:

    <Name for Group of Bonds>:<List of all Bonds in this Group separated by comma>

  • You can configure the maximum of five Groups of Bonds on a Cluster Member or Virtual System.

  • You can configure the maximum of five Bond interfaces in each Groups of Bonds.

  • Group of Bonds feature does support Virtual Switches and Virtual Routers. Meaning, do not configure Groups of Bonds in the context of these Virtual Devices.

  • Group of Bonds feature supports only Bond interfaces that belong to the same Virtual System.

    You cannot configure bonds that belong to different Virtual Systems into the same Group of Bonds.

    You must perform all configuration in the context of the applicable Virtual System.

  • Group of Bonds feature does support Sync interfaces (an interface on a Cluster Member, whose Network Type was set as Sync or Cluster+Sync in SmartConsole in cluster object).

  • Group of Bonds feature does support Bridge interfaces.

  • If a Bond interface goes down on one Cluster Member, the "cphaprob show_bond_groups" command (see Viewing Bond Interfaces) on the peer Cluster Members also shows the same Bond interface as DOWN.

    This is because the peer Cluster Members stop receiving the CCP packets on that Bond interface and cannot probe the local network to determine that their Bond interface is really working.

  • After you add a Bond interface to the existing Group of Bonds, you must install the Access Control Policy on the cluster object.

  • After you remove a Bond interface from the existing Group of Bonds, you must install the Access Control Policy on the cluster object.