Working with the Distribution Mode

Background

The SSMs use the Distribution Mode to assign incoming traffic to Security Group A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Members in each Security Group.

By default, the SSMs automatically configure the Distribution Mode.

Supported Distribution Modes

Mode	Instructions	Applies To
User (Internal)	Packets are assigned to a Security Group Member based on the packet's Destination IP address. If Layer 4 distribution is enabled, SSM assigns packets to a Security Group Member based on the packet's Source Port and the Destination IP address.	One SSM
Network (External)	Packets are assigned to a Security Group Member based on the packet's Source IP address. If Layer 4 distribution is enabled, SSM assigns packets to a Security Group Member based on the packet's Source IP address and Destination Port.	One SSM
General	SSMs assign packets to a Security Group Member based on the packet's Source IP address and the Destination IP address. If Layer 4 distribution is enabled, SSMs assign packets to a Security Group Member based on the packet's Source IP address, Source Port, Destination IP address, and Destination Port.	All SSMs in the Chassis
Auto-Topology (Per-Port)	Each port for a Security Group Member is configured separately in the User Mode or Network Mode.	SSM data interface

Notes:

The default mode is Auto-Topology ((Per-Port)) and the Layer 4 distribution is disabled.
The User ((Internal)) Mode and Network ((External)) Mode can work together.

The supported combinations are:
- User Mode and User Mode
- User Mode and Network Mode
- Network Mode and Network Mode
In many scenarios, it is possible to optimize the combination of the User Mode and Network Mode to pass traffic through same Security Group Member from the two sides.

Automatic Distribution Configuration (Auto-Topology)

By default, Security Groups work in the General Mode.

By default, Security Groups work in the Auto-Topology (Per Port) Mode.

The best Distribution Mode is selected based on the Security Group topology as defined in SmartConsole in the Security Gateway object.

The Distribution Mode is automatically based on these interface types:

Physical interfaces, except for management and synchronization interfaces
VLAN
Bond
VLAN on top of Bond

The examples below show how the Distribution Mode can be configured automatically for each interface.

Example 1 - All ports on each SSM are Internal or External

The Distribution Mode for the two SSMs is automatically configured as the User (Internal) Mode or the Network (External)Mode.

Physical Interface	Topology	SSM	Distribution Mode
`eth1-01`	Internal	1	User (Internal)
`eth1-02`	Internal
`eth2-01`	External	2	Network (External)
`eth2-02`	External

Example 2 - On at least one of the SSMs, some ports are Internal and others are External

The Distribution Mode for the SSMs is automatically configured as Auto-Topology (Per Port).

Interface	Topology	SSM	Port	Distribution Mode
`eth1-01`	Internal	1	1	User (Internal)
`eth1-02`	External	1	2	Network (External)
`eth2-01`	External	2	1	Network (External)
`eth2-02`	External	2	2	Network (External)

Example 3 - Physical and VLAN Interfaces

Three VLANs are defined on one SSM port.

On at least one of the SSMs, some VLANs are Internal and others are External.

Therefore, the SSM Distribution Mode is automatically configured as Auto-Topology (Per Port).

Interface	Topology	SSM	Port	VLAN ID	Distribution Mode
`eth1-01`	External	1	1	NA	Network (External)
`eth1-01.100`	Internal	1	1	100	User (Internal)
`eth1-01.200`	External	1	1	200	Network (External)
`eth1-01.300`	Internal	1	1	300	User (Internal)

Example 4 - VSX Virtual Systems

A Virtual Switch does not have topology.

Therefore, the Distribution Mode is calculated based on the topologies of the wrp interfaces that belong to Virtual Systems, as shown.

In this example, the Distribution Mode is calculated as Network (External).

Interface	Topology	Distribution Mode
`eth1-01`	External	Not Available
`wrp64`	Internal	Network (External)
`wrp128`	Internal	Network (External)
`wrp192`	Internal	User (Internal)

Example 5 - Bond Interfaces

In this example, the interfaces on each Bond are configured with the same Distribution Mode.

The two Bond interfaces are configured with one port for SSM #1 and one port for SSM #2.

On the two SSMs, one port is Internal and the other is External.

The SSM Distribution Mode is automatically configured as Auto-Topology (Per Port).

Interface	Topology	Slaves	SSM	Port	VLAN ID
`bond1`	Internal	`eth1-01`	1	1	User (Internal)
`eth2-01`	2	1	User
`bond2`	External	`eth1-02`	1	2	Network (External)
`eth2-02`	2	2	Network

Example 6 - VLAN Over Bond Interfaces

The automatic Distribution Mode configuration is based on the VLAN topology.

In this example, the interfaces on each VLAN are configured with the same Distribution Mode.

The two Bond interfaces are configured on port 1 for each SSM.

The SSM Distribution Mode is automatically configured as Auto-Topology (Per Port).

Interface	Topology	Slaves	SSM	Port	VLAN ID	Distribution Mode
`bond1.100`	Internal	`eth1-01`	1	1	100	User (Internal)
`eth2-01`	2	1	100	User
`bond1.200`	External	`eth1-01`	1	1	200	Network (External)
`eth2-01`	2	1	200	Network

Manual Distribution Configuration (Manual-General)

In some deployments, you must manually configure a Distribution Mode to the General.

In other cases, it may be necessary to force the system to work in the General Mode.

When the Distribution Mode is manually configured (Manual-General Mode), the Distribution Mode of each SSM is General.

In this configuration, the topology of the interfaces is irrelevant.

Best Practice - Do not manually change the Distribution Mode of a Virtual System. This can cause performance degradation.

Setting and Showing the Distribution Configuration (set distribution configuration)

Use these Gaia gClish The name of the global command line shell in Check Point Gaia operating system for Security Gateway Modules. Commands you run in this shell apply to all Security Gateway Module in the Security Group. commands on a Security Group to set and show the distribution configuration.

Important - If the Security Group runs in a VSX mode, run the commands in the context of VS0 only. The commands apply immediately across all Virtual Systems.

Syntax to show the Distribution Configuration

show distribution configuration

Syntax to set the Distribution Configuration

set distribution configuration {auto-topology | manual-general} ip-version {ipv4 | ipv6 | all} ip-mask <Mask>

Parameters

Parameter

Notes

auto-topology

Configures the distribution mode to Auto-Topology (Per-Port).

manual-general

Configures the distribution mode to Manual General.

ipv4

Configures the distribution mode for IPv4 traffic only.

ipv6

Configures the distribution mode for IPv6 traffic only.

all

Configures the distribution mode for IPv4 and IPv6 traffic.

ip-mask <Mask>

Must be the same as the distribution matrix size.

Must be specified in the Hex format.

Follow these steps:

Examine the distribution matrix size:

show distribution verification verbose

Examine the Matrix Size line.

Example:

...
Matrix Size 512
...

Exit from the Gaia gClish to the Expert mode.

Convert the matrix size from the decimal to the hexadecimal format:

printf '%x\n' <Matrix Size>

Example:

[Expert@HostName-ch0x-0x:0]# printf '%x\n' 512
200
[Expert@HostName-ch0x-0x:0]#

Go to the Gaia gClish:

gclish

Configure the distribution mode with the required mask:

set distribution ... ip-mask <Matrix Size in HEX>

Example:

set distribution ... ip-mask 200

Configuring the Interface Distribution Mode (set distribution interface)

Description

Use these Gaia gClish commands on a Security Group to:

Set the interface Distribution Mode - For an interface when the system is not working in the General Mode
Show the interface Distribution Mode - If it is assigned by Auto-Topology, or is manually configured

Note - In VSX mode, you must go to the context of the applicable Virtual System before you can change the interface Distribution Mode.

Run the "set virtual-system <VS ID>" command.

Syntax to set the interface Distribution Mode

set distribution interface <Name of Interface> configuration {user | network | policy}

Syntax to show the interface Distribution Mode

show distribution interface <Name of Interface> configuration

Parameters

Parameter	Description
`<Name of Interface>`	Interface name as assigned by the operating system.
`user`	Manually assign the User (Internal) Distribution Mode - based on the Destination IP address.
`network`	Manually assign the Network (External) Distribution Mode - based on the Source IP address.
`policy`	Use Auto-Topology to automatically assign the Distribution Mode according to the policy.

Examples

Showing Distribution Status (show distribution status)

Description

Use this Gaia gClish command on a Security Group to show the status report of the Distribution Mode.

Syntax

show distribution status [verbose]

Examples

Example 2 - Verbose output

[Expert@HostName-ch0x-0x:0]# gclish

[Global] HostName-ch01-01 > show distribution status verbose

Topic:                                    Configuration:

distribution mode                         per-port

policy mode                               on

ssm 1 mode                                per-port

ssm 2 mode                                per-port

ipv6 mode                                 off

L4 mode                                   off

40g mode                                  off

matrix size                               1024

interface bond1.300 mode                  policy-internal

interface bond2.33 mode                   policy-external

interface bond1 slaves                    eth1-01,eth2-01

interface bond2 slaves                    eth1-02,eth2-02

mask ipv4 general destination             0000001f

mask ipv4 general source                  0000001f

mask ipv4 l4 ip                           000003ff

mask ipv4 l4 port                         00000000

mask ipv4 user-network destination        000003ff

mask ipv4 user-network source             000003ff

mask ipv6 general destination             0000000000000000000000000000001f

mask ipv6 general source                  0000000000000000000000000000001f

mask ipv6 user-network destination        000000000000000000000000000003ff

mask ipv6 user-network source             000000000000000000000000000003ff

Total GW topology interfaces              2

Total GW topology VLANs                   2

Total SSM 1 interfaces                    17

Total SSM 2 interfaces                    17

Per interface distribution legend:

         Internal (User)        - Destination IP based

         External (Network)     - Source IP based

         General                - Source and Destination IP based

[Global] HostName-ch01-01 >

Explanation about the output

Field	Instructions
`distribution mode`	Shows the currently configured Distribution Mode: `per-port` - Auto-Topology `user` - User (Internal) `network` - Network (External) `general` - General
`policy mode`	Auto-Topology assignment: `on` - Auto-topology, or Manual override `off` - Manual-General
`ssm 1 mode` `ssm 2 mode`	Distribution Mode assignment for SSM.
`ipv6 mode`	Shows the IPv6 status: `on` - enabled `off` - disabled
`l4_mode`	Shows the Layer 4 distribution status: `on` - enabled `off` - disabled
`40g mode`	Shows the QSFP port speed: `on` - 1 x 40GbE `off` - 4 x 10GbE
`matrix size`	Shows the size of the distribution matrix. The distribution matrix is a table that contains SGM IDs for traffic assignment.
`interface`	Shows the Distribution Mode assignment for each interface.

Running a Verification Test (show distribution verification)

Description

Use this Gaia gClish command on a Security Group to run a verification test of the Distribution Mode configuration.

This test compares the Security Group configuration with the actual results.

This test compares the SGM and SSM configurations with the actual results.

You can see a summary or a verbose report of the test results.

Verbose mode shows detailed reports for all SGMs and SSMs.

Syntax

show distribution verification [verbose]

Examples

Example 3 - Verbose output of successful tests

[Expert@HostName-ch0x-0x:0]# gclish

[Global] HostName-ch01-01 > show distribution verification verbose

Test:                                               Configuration:                    Verification:                     Result:

chassis 1 blade 1 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 1 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 1 dxl-size                          1024                              1024                              Passed

chassis 1 blade 2 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 2 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 2 dxl-size                          1024                              1024                              Passed

chassis 1 blade 3 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 3 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 3 dxl-size                          1024                              1024                              Passed

chassis 1 blade 4 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 4 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 4 dxl-size                          1024                              1024                              Passed

chassis 1 blade 5 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 5 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 5 dxl-size                          1024                              1024                              Passed

chassis 1 ssm 1 ipv6-mode                           on                                on                                Passed

chassis 1 ssm 1 l4-mode                             off                               off                               Passed

chassis 1 ssm 1 mask ipv4 general destination       0000001f                          0000001f                          Passed

chassis 1 ssm 1 mask ipv4 general source            0000001f                          0000001f                          Passed

chassis 1 ssm 1 mask ipv4 l4 ip                     000000ff                          000000ff                          Passed

chassis 1 ssm 1 mask ipv4 l4 port                   00000003                          00000003                          Passed

chassis 1 ssm 1 mask ipv4 user-network destination  000003ff                          000003ff                          Passed

chassis 1 ssm 1 mask ipv4 user-network source       000003ff                          000003ff                          Passed

chassis 1 ssm 1 mask ipv6 general destination       0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 1 ssm 1 mask ipv6 general source            0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 1 ssm 1 mask ipv6 user-network destination  000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 1 ssm 1 mask ipv6 user-network source       000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 1 ssm 1 matrix-max_size                     2k                                2k                                Passed

chassis 1 ssm 1 matrix-size                         1024                              1024                              Passed

chassis 1 ssm 1 mode                                user                              user                              Passed

chassis 1 ssm 1 signature                           d9195da1c6de046ab3581836c911f98f  d9195da1c6de046ab3581836c911f98f  Passed

chassis 1 ssm 2 ipv6-mode                           on                                on                                Passed

chassis 1 ssm 2 l4-mode                             off                               off                               Passed

chassis 1 ssm 2 mask ipv4 general destination       0000001f                          0000001f                          Passed

chassis 1 ssm 2 mask ipv4 general source            0000001f                          0000001f                          Passed

chassis 1 ssm 2 mask ipv4 l4 ip                     000000ff                          000000ff                          Passed

chassis 1 ssm 2 mask ipv4 l4 port                   00000003                          00000003                          Passed

chassis 1 ssm 2 mask ipv4 user-network destination  000003ff                          000003ff                          Passed

chassis 1 ssm 2 mask ipv4 user-network source       000003ff                          000003ff                          Passed

chassis 1 ssm 2 mask ipv6 general destination       0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 1 ssm 2 mask ipv6 general source            0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 1 ssm 2 mask ipv6 user-network destination  000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 1 ssm 2 mask ipv6 user-network source       000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 1 ssm 2 matrix-max_size                     2k                                2k                                Passed

chassis 1 ssm 2 matrix-size                         1024                              1024                              Passed

chassis 1 ssm 2 mode                                user                              user                              Passed

chassis 1 ssm 2 signature                           d9195da1c6de046ab3581836c911f98f  d9195da1c6de046ab3581836c911f98f  Passed

chassis 2 blade 1 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 1 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 1 dxl-size                          1024                              1024                              Passed

chassis 2 blade 2 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 2 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 2 dxl-size                          1024                              1024                              Passed

chassis 2 blade 3 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 3 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 3 dxl-size                          1024                              1024                              Passed

chassis 2 blade 4 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 4 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 4 dxl-size                          1024                              1024                              Passed

chassis 2 blade 5 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 5 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 5 dxl-size                          1024                              1024                              Passed

chassis 2 ssm 1 ipv6-mode                           on                                on                                Passed

chassis 2 ssm 1 l4-mode                             off                               off                               Passed

chassis 2 ssm 1 mask ipv4 general destination       0000001f                          0000001f                          Passed

chassis 2 ssm 1 mask ipv4 general source            0000001f                          0000001f                          Passed

chassis 2 ssm 1 mask ipv4 l4 ip                     000000ff                          000000ff                          Passed

chassis 2 ssm 1 mask ipv4 l4 port                   00000003                          00000003                          Passed

chassis 2 ssm 1 mask ipv4 user-network destination  000003ff                          000003ff                          Passed

chassis 2 ssm 1 mask ipv4 user-network source       000003ff                          000003ff                          Passed

chassis 2 ssm 1 mask ipv6 general destination       0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 2 ssm 1 mask ipv6 general source            0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 2 ssm 1 mask ipv6 user-network destination  000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 2 ssm 1 mask ipv6 user-network source       000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 2 ssm 1 matrix-max_size                     2k                                2k                                Passed

chassis 2 ssm 1 matrix-size                         1024                              1024                              Passed

chassis 2 ssm 1 mode                                user                              user                              Passed

chassis 2 ssm 1 signature                           d9195da1c6de046ab3581836c911f98f  d9195da1c6de046ab3581836c911f98f  Passed

chassis 2 ssm 2 ipv6-mode                           on                                on                                Passed

chassis 2 ssm 2 l4-mode                             off                               off                               Passed

chassis 2 ssm 2 mask ipv4 general destination       0000001f                          0000001f                          Passed

chassis 2 ssm 2 mask ipv4 general source            0000001f                          0000001f                          Passed

chassis 2 ssm 2 mask ipv4 l4 ip                     000000ff                          000000ff                          Passed

chassis 2 ssm 2 mask ipv4 l4 port                   00000003                          00000003                          Passed

chassis 2 ssm 2 mask ipv4 user-network destination  000003ff                          000003ff                          Passed

chassis 2 ssm 2 mask ipv4 user-network source       000003ff                          000003ff                          Passed

chassis 2 ssm 2 mask ipv6 general destination       0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 2 ssm 2 mask ipv6 general source            0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 2 ssm 2 mask ipv6 user-network destination  000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 2 ssm 2 mask ipv6 user-network source       000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 2 ssm 2 matrix-max_size                     2k                                2k                                Passed

chassis 2 ssm 2 matrix-size                         1024                              1024                              Passed

chassis 2 ssm 2 mode                                user                              user                              Passed

chassis 2 ssm 2 signature                           d9195da1c6de046ab3581836c911f98f  d9195da1c6de046ab3581836c911f98f  Passed

Summary:

all active SSMs are configured as: user

all active SSMs are configured as: user

[Global] HostName-ch01-01 >

Configuring the Layer 4 Distribution Mode and Masks (set distribution l4-mode)

Description

Use these commands in Gaia gClish on a Security Group to:

Enable Layer 4 distribution and set new masks for the IP address and the port
Disable Layer 4 distribution
Show Layer 4 Distribution Mode and masks

Syntax

set distribution l4-mode enabled

set distribution l4-mode enabled [ip-mask <IP Mask> [port-mask <Port Mask>]]

set distribution l4-mode disabled

show distribution l4-mode

Note - The "ip-mask" and "port-mask" configuration applies to SSM160.

Examples