Configuring the Minimal Number of Required Subordinate Interfaces for Bond Load Sharing

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description

ClusterXL considers a bond in Load Sharing mode to be in the "down" state when fewer than a minimal number of required subordinate interfaces stay in the "up" state.

By default, the minimal number of required subordinate interfaces that must stay in the "up" state in a bond of n subordinate interfaces is n-1.

If one more subordinate interface fails (when n-2 subordinate interfaces stay in the "up" state), ClusterXL considers the bond interface to be in the "down" state, even if the bond contains more than two subordinate interfaces.

If a smaller number of subordinate interfaces can pass the expected traffic, you can explicitly configure the minimal number of required subordinate interfaces.

Divide your maximal expected traffic speed by the speed of your subordinate interfaces and round up the result to find an applicable minimal number of required subordinate interfaces.

Notes:

  • Cluster Members save the configuration in the $FWDIR/conf/cpha_bond_ls_config.conf file.

  • The commands below save the changes in this file.

  • Each line in the file has this syntax:

    <Name of Bond Interface> <Minimal Number of Required Subordinate Interfaces>

In addition, see Viewing Bond Interfaces.
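
The sizing rule and the file syntax described above, as an added example that is not Check Point code: it computes the rounded-up minimum, checks it against copies of cpha_bond_ls_config.conf collected from two Cluster Members, and reports whether the members are configured the same way. The function names, file names and sample values are constructed, and it assumes that blank lines and lines starting with "#" are not entries.

```shell
#!/bin/bash
# Added example; function names, file names and values are constructed.

# ceil(max expected traffic / speed of one subordinate interface), same units.
bond_min_required() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Active "<bond> <minimum>" entries of a cpha_bond_ls_config.conf copy, sorted.
# Assumption: blank lines and lines starting with "#" are not entries.
bond_ls_entries() {
    awk '$1 != "" && $1 !~ /^#/ { print $1, $2 }' "$1" | sort
}

# Classify one bond in one file against the required minimum:
#   default = no entry, so the n-1 default applies
#   low     = configured minimum cannot carry the expected traffic
#   ok      = configured minimum is at least the required number
bond_ls_check() {
    local have
    have=$(bond_ls_entries "$1" | awk -v b="$2" '$1 == b { print $2; exit }')
    if [ -z "$have" ]; then echo default
    elif [ "$have" -lt "$3" ]; then echo low
    else echo ok
    fi
}

# Succeeds only if two Cluster Members carry identical active entries.
bond_ls_same() {
    [ "$(bond_ls_entries "$1")" = "$(bond_ls_entries "$2")" ]
}

# Constructed copies of the file as collected from two Cluster Members.
tmp=$(mktemp -d)
printf '# Example:\n# bond0 2\n\nbond1 2\n' > "$tmp/member1.conf"
printf '# Example:\n# bond0 2\n\nbond1 1\n' > "$tmp/member2.conf"

need=$(bond_min_required 15 10)   # 15 Gbps expected, 10 Gbps subordinates
echo "bond1 needs at least $need subordinate interfaces"
for m in member1 member2; do
    echo "$m: bond1 $(bond_ls_check "$tmp/$m.conf" bond1 "$need")"
done
bond_ls_same "$tmp/member1.conf" "$tmp/member2.conf" ||
    echo "Cluster Members differ; configure all of them the same way"
```

A "low" result means the bond would still be considered "up" with fewer subordinate interfaces than the expected traffic needs.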

Syntax to add the minimal number of required subordinate interfaces for a specific Bond interface

| Shell | Command |
|---|---|
| Gaia Clish | N / A |
| Expert mode | cphaconf bond_ls set <Name of Bond Interface> <Minimal Number of Required Subordinate Interfaces> |

Syntax to remove the configured minimal number of required subordinate interfaces for a specific Bond interface

| Shell | Command |
|---|---|
| Gaia Clish | N / A |
| Expert mode | cphaconf bond_ls remove <Name of Bond Interface> |

Syntax to see the current configuration of the minimal number of required subordinate interfaces

| Shell | Command |
|---|---|
| Gaia Clish | N / A |
| Expert mode | cat $FWDIR/conf/cpha_bond_ls_config.conf |

Procedure

1. Connect to the command line on each Cluster Member.

2. Log in to the Expert mode.

3. Add or remove the minimal number of required subordinate interfaces for a specific Bond interface:

    cphaconf bond_ls set <Bond> <Minimal Number of Subordinate Interfaces>

    cphaconf bond_ls remove <Bond>

4. Examine the configuration:

    cat $FWDIR/conf/cpha_bond_ls_config.conf

5. In SmartConsole, install the Access Control policy on this cluster object.

Example

[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf
# ... (truncated for brevity) ...
# Example:
# bond0 2
 
[Expert@Member1:0]#
 
[Expert@Member1:0]# cphaconf bond_ls set bond1 2
Set operation succeeded
 
[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf
# ... (truncated for brevity) ...
# Example:
# bond0 2
 
bond1 2
[Expert@Member1:0]#
 
[Expert@Member1:0]# cphaconf bond_ls remove bond1
Remove operation succeeded
 
[Expert@Member1:0]#
 
[Expert@Member1:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf
# ... (truncated for brevity) ...
# Example:
# bond0 2
 
[Expert@Member1:0]#