ClusterXL Monitoring Commands

Description

Use the monitoring commands to make sure that the cluster and the Cluster Members work properly, and to define Critical Devices. A Critical Device (also known as a Problem Notification, or pnote) is a special software device on each Cluster Member, through which the critical aspects for cluster operation are monitored. When the critical monitored component on a Cluster Member fails to report its state on time, or when its state is reported as problematic, the state of that member is immediately changed to 'Down'.

Syntax

Notes:

Table: ClusterXL Monitoring Commands

Show states of Cluster Members and their names (see Viewing Cluster State)

      Gaia Clish:  show cluster state
      Expert mode: cphaprob [-vs <VSID>] state

Show Critical Devices (Pnotes) and their states on the Cluster Member (see Viewing Critical Devices)

      Gaia Clish:  show cluster members pnotes {all | problem}
      Expert mode: cphaprob [-l] [-ia] [-e] list

Show cluster interfaces on the cluster member (see Viewing Cluster Interfaces)

      Gaia Clish:  show cluster members interfaces {all | secured | virtual | vlans}
      Expert mode: cphaprob [-vs all] [-a] [-m] if

Show cluster bond configuration on the Cluster Member (see Viewing Bond Interfaces)

      Gaia Clish:  show cluster bond {all | name <bond_name>}
      Expert mode: cphaprob show_bond [<bond_name>]

Show groups of bonds on the Cluster Member (see Viewing Bond Interfaces)

      Gaia Clish:  N / A
      Expert mode: cphaprob show_bond_groups

Show (and reset) cluster failover statistics on the Cluster Member (see Viewing Cluster Failover Statistics)

      Gaia Clish:  show cluster failover [reset {count | history}]
      Expert mode: cphaprob [-reset {-c | -h}] [-l <count>] show_failover

Show information about the software version (including hotfixes) on the local Cluster Member and its matches/mismatches with other Cluster Members (see Viewing Software Versions on Cluster Members)

      Gaia Clish:  show cluster release
      Expert mode: cphaprob release

Show Delta Sync statistics on the Cluster Member (see Viewing Delta Synchronization)

      Gaia Clish:  show cluster statistics sync [reset]
      Expert mode: cphaprob [-reset] syncstat

Show Delta Sync statistics for the Connections table on the Cluster Member (see Viewing Cluster Delta Sync Statistics for Connections Table)

      Gaia Clish:  show cluster statistics transport [reset]
      Expert mode: cphaprob [-reset] ldstat

Show the Cluster Control Protocol (CCP) mode on the Cluster Member (see Viewing Cluster Interfaces)

      Gaia Clish:  show cluster members interfaces virtual
      Expert mode: cphaprob [-vs all] -a if

Show the IGMP membership of the Cluster Member (see Viewing IGMP Status)

      Gaia Clish:  show cluster members igmp
      Expert mode: cphaprob igmp

Show cluster unique IP's table on the Cluster Member (see Viewing Cluster IP Addresses)

      Gaia Clish:  show cluster members ips
                   show cluster members monitored
      Expert mode: cphaprob tablestat
                   cphaprob -m tablestat

Show the Cluster Member ID Mode in local logs - by Member ID (default) or Member Name (see Viewing the Cluster Member ID Mode in Local Logs)

      Gaia Clish:  show cluster members idmode
      Expert mode: cphaprob names

Show interfaces, which the RouteD monitors on the Cluster Member when you configure OSPF (see Viewing Interfaces Monitored by RouteD)

      Gaia Clish:  show ospf interfaces [detailed]
      Expert mode: cphaprob routedifcs

Show roles of RouteD daemon on Cluster Members (see Viewing Roles of RouteD Daemon on Cluster Members)

      Gaia Clish:  show cluster roles
      Expert mode: cphaprob roles

Show Cluster Correction Statistics (see Viewing Cluster Correction Statistics)

      Gaia Clish:  N / A
      Expert mode: cphaprob [{-d | -f | -s}] corr

Show the Cluster Control Protocol (CCP) mode (see Viewing the Cluster Control Protocol (CCP) Settings)

      Gaia Clish:  show cluster members interfaces virtual
      Expert mode: cphaprob -a if

Show the Cluster Control Protocol (CCP) Encryption settings (see Viewing the Cluster Control Protocol (CCP) Settings)

      Gaia Clish:  show cluster members ccpenc
      Expert mode: cphaprob ccp_encrypt

Shows the state of the Multi-Version Cluster (see Viewing the State of the Multi-Version Cluster Mechanism)

      Gaia Clish:  show cluster members mvc
      Expert mode: N / A

Show Full Connectivity Upgrade statistics (see Viewing Full Connectivity Upgrade Statistics)

      Gaia Clish:  N / A
      Expert mode: cphaprob fcustat

List of the Gaia Clish "show cluster" commands

show cluster
      bond
            all
            name <Name of Bond>
      failover
      members
            ccpenc
            idmode
            igmp
            interfaces
                  all
                  secured
                  virtual
                  vlans
            ips
            monitored
            mvc
            pnotes
                  all
                  problem
      release
      roles
      state
      statistics
            sync [reset]
            transport [reset]

List of the Expert mode "cphaprob" commands

Note - Some commands are not applicable to 3rd party clusters.

cphaprob [-vs <VSID>] state

cphaprob [-reset {-c | -h}] [-l <count>] show_failover

cphaprob names

cphaprob [-reset] [-a] syncstat

cphaprob [-reset] ldstat

cphaprob [-l] [-i[a]] [-e] list

cphaprob [-vs all] [-a] [-m] if

cphaprob show_bond [<bond_name>]

cphaprob show_bond_groups

cphaprob igmp

cphaprob fcustat

cphaprob [-m] tablestat

cphaprob routedifcs

cphaprob roles

cphaprob release

cphaprob ccp_encrypt

cphaprob [{-d | -f | -s}] corr