Viewing Critical Devices

Table: Built-in Critical Devices

Critical Device

Description

Meaning of the "OK" state

Meaning of the "problem" state

Problem Notification

Monitors all the Critical Devices.

None of the Critical Devices on this Cluster Member report its state as problem.

At least one of the Critical Devices on this Cluster Member reports its state as "problem".

Init

Monitors if "HA module" was initialized successfully. See sk36372.

This Cluster Member receives cluster state information from peer Cluster Members.

 

Interface Active Check

Monitors the state of cluster interfaces.

All cluster interfaces on this Cluster Member are up (CCP packets are sent and received on all cluster interfaces).

At least one of the cluster interfaces on this Cluster Member is down (CCP packets are not sent and/or received on time).

Load Balancing Configuration

Currently not used (see sk36373).

 

 

Recovery Delay

Monitors the state of a Virtual System (see sk92353).

State of a Virtual System can be changed on this Cluster Member.

State of a Virtual System cannot be changed yet on this Cluster Member.

CoreXL Configuration

Monitors CoreXL configuration for inconsistencies on all Cluster Members.

Number of configured CoreXL Firewall instances on this Cluster Member is the same as on all peer Cluster Members.

Number of configured CoreXL Firewall instances on this Cluster Member is different from peer Cluster Members.

Important - A Cluster Member with a greater number of CoreXL Firewall instances changes its state to DOWN.

Fullsync

Monitors if Full Sync on this Cluster Member completed successfully.

This Cluster Member completed Full Sync successfully.

This Cluster Member was not able to complete Full Sync.

Policy

Monitors if the Security Policy is installed.

This Cluster Member successfully installed Security Policy.

Security Policy is not currently installed on this Cluster Member.

fwd

Monitors the Security Gateway process called fwd.

fwd daemon on this Cluster Member reported its state on time.

fwd daemon on this Cluster Member did not report its state on time.

cphad

Monitors the ClusterXL process called cphamcset.
Also see the $FWDIR/log/cphamcset.elg file.

cphamcset daemon on this Cluster Member reported its state on time.

cphamcset daemon on this Cluster Member did not report its state on time.

routed

Monitors the Gaia process called routed.

routed daemon on this Cluster Member reported its state on time.

routed daemon on this Cluster Member did not report its state on time.

cvpnd

Monitors the Mobile Access back-end process called cvpnd.
This pnote appears if Mobile Access Software Blade is enabled.

cvpnd daemon on this Cluster Member reported its state on time.

cvpnd daemon on this Cluster Member did not report its state on time.

ted

Monitors the Threat Emulation process called ted.

ted daemon on this Cluster Member reported its state on time.

ted daemon on this Cluster Member did not report its state on time.

VSX

Monitors all Virtual Systems in VSX Cluster.

On VS0, means that states of all Virtual Systems are not Down on this Cluster Member.

On other Virtual Systems, means that VS0 is alive on this Cluster Member.

Minimum of blocking states of all Virtual Systems is not "active" (the VSIDs will be printed on the line Problematic VSIDs:) on this Cluster Member.

Instances

This Critical Device appears in VSX HA mode (not VSLS) cluster.

The number of CoreXL Firewall instances in the received CCP packet matches the number of loaded CoreXL Firewall instances on this VSX Cluster Member or this Virtual System.

There is a mismatch between the number of CoreXL Firewall instances in the received CCP packet and the number of loaded CoreXL Firewall instances on this VSX Cluster Member or this Virtual System (see sk106912).

Hibernating

This pnote appears in VSX VSLS mode cluster with 3 or more Cluster Members. This pnote shows if this Virtual System is in "Backup" (hibernated) state. Also see sk114557.

This Virtual System is in "Backup" (hibernated) state on this Cluster Member.

 

admin_down

Monitors the Critical Device "admin_down".

 

User ran the clusterXL_admin down command on this Cluster Member.
See The clusterXL_admin Script.

host_monitor

Monitors the Critical Device "host_monitor".

User executed the $FWDIR/bin/clusterXL_monitor_ips script.
See The clusterXL_monitor_ips Script.

All monitored IP addresses on this Cluster Member replied to pings.

At least one of the monitored IP addresses on this Cluster Member did not reply to at least one ping.

A name of a user space process (except fwd, routed, cvpnd, ted)

Administrator executed the $FWDIR/bin/clusterXL_monitor_process script.
See The clusterXL_monitor_process Script.

All monitored user space processes on this Cluster Member are running.

At least one of the monitored user space processes on this Cluster Member is not running.

Local Probing

Monitors the probing mechanism on the cluster interfaces (see the term Probing in the Glossary).

CCP packets are received on all cluster interfaces.

At least one of the cluster interfaces on this Cluster Member does not (or did not) receive CCP packets for 5 seconds.

The probing started for the network connected to the affected interface.

Important:

Where:

Command

Description

show cluster members pnotes all

Shows the list of all Critical Devices

show cluster members pnotes problem

Shows the list of all the "Built-in Devices" and the "Registered Devices" that report their state as "problem"

cphaprob -l

Shows the list of all Critical Devices

cphaprob -i list

When there are no issues on the Cluster Member, shows:
There are no pnotes in problem state

When a Critical Device reports a problem, prints only the Critical Device that reports its state as "problem".

cphaprob -ia list

When there are no issues on the Cluster Member, shows:
There are no pnotes in problem state

When a Critical Device reports a problem, prints the Critical Device "Problem Notification" and the Critical Device that reports its state as "problem"

cphaprob -e list

When there are no issues on the Cluster Member, shows:
There are no pnotes in problem state

When a Critical Device reports a problem, prints only the Critical Device that reports its state as "problem"
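
An added example (not from the Check Point documentation): a POSIX shell wrapper that reads the output of the list commands above and reports which Critical Devices are in "problem" state, with the meaning taken from the table. The "Device Name:" / "Current state:" line layout, the function names and the sample input are assumptions made for this example; check them against the output on your version.

```shell
#!/bin/sh
# Added example. Assumption: each Critical Device is printed as a
# "Device Name: <name>" line followed by a "Current state: <state>" line.

# Print the name of every device whose state is "problem" (input on stdin).
pnote_problems() {
    awk '
        /There are no pnotes in problem state/ { exit }
        /^Device Name:/   { sub(/^Device Name:[ \t]*/, ""); name = $0; next }
        /^Current state:/ {
            if (tolower($0) ~ /problem/ && name != "") print name
            name = ""
        }'
}

# Map a device name to its "problem" meaning from the table above.
pnote_hint() {
    case "$1" in
        "Problem Notification")   echo "at least one Critical Device reports problem" ;;
        "Interface Active Check") echo "a cluster interface is down or CCP packets are late" ;;
        Fullsync)                 echo "Full Sync did not complete" ;;
        Policy)                   echo "Security Policy is not installed" ;;
        fwd|cphad|routed|cvpnd|ted) echo "daemon did not report its state on time" ;;
        admin_down)               echo "clusterXL_admin down was run on this member" ;;
        host_monitor)             echo "a monitored IP address missed a ping" ;;
        *)                        echo "see the Critical Devices table" ;;
    esac
}

# Summarize stdin; exit status 0 = healthy, 1 = at least one problem.
pnote_report() {
    problems=$(pnote_problems)
    [ -z "$problems" ] && { echo "OK: no pnotes in problem state"; return 0; }
    printf '%s\n' "$problems" | while IFS= read -r dev; do
        echo "PROBLEM: $dev: $(pnote_hint "$dev")"
    done
    return 1
}

# Constructed sample input (not captured from a real gateway).
SAMPLE='Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: Fullsync
Current state: OK

Device Name: admin_down
Current state: problem'

# On a Cluster Member: cphaprob -l | pnote_report
printf '%s\n' "$SAMPLE" | pnote_report || :
```

An admin_down result means the member was taken down by hand with clusterXL_admin, so a monitoring job can treat it as an operator action to confirm against change records rather than a fault.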

Examples