How State Synchronization Works
-
The Full Sync transfers all Security Gateway kernel table information from one Cluster Member to another. The Full Sync is used for initial transfers of state information, when a Cluster Member joins the cluster. If a Cluster Member is brought up after being down, it performs the Full Sync with the Active peer Cluster Member(s). After all Cluster Members are synchronized, only updates are transferred using the Delta Sync, because the Delta Sync is quicker than the Full Sync.

Glossary

Security Gateway: Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

Cluster Member: Security Gateway that is part of a cluster.

Cluster: Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.

Full Sync: Process of full synchronization of applicable kernel tables by a Cluster Member from the working Cluster Member(s) when it tries to join the existing cluster. This process is meant to fetch a "snapshot" of the applicable kernel tables of already Active Cluster Member(s). Full Sync is performed during the initialization of Check Point software (during boot process, the first time the Cluster Member runs policy installation, during 'cpstart', during 'cphastart'). Until the Full Sync process completes successfully, this Cluster Member remains in the Down state, because until it is fully synchronized with other Cluster Members, it cannot function as a Cluster Member. Meanwhile, the Delta Sync packets continue to arrive, and the Cluster Member that tries to join the existing cluster stores them in the kernel memory until the Full Sync completes. The whole Full Sync process is performed by fwd daemons on TCP port 256 over the Sync network (if it fails over the Sync network, it tries the other cluster interfaces). The information is sent by fwd daemons in chunks, and the sender waits for confirmation that a chunk was received before sending the next one. Also see "Delta Sync".

Delta Sync: Synchronization of kernel tables between all working Cluster Members - exchange of CCP packets that carry pieces of information about different connections and operations that should be performed on these connections in relevant kernel tables. This Delta Sync process is performed directly by the Check Point kernel. While a Full Sync is in progress, the Delta Sync updates are not processed but are saved in kernel memory. After the Full Sync is complete, the Delta Sync packets stored during the Full Sync phase are applied in order of arrival.

Down: State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd-party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through the cluster.

Active: State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component; (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism.
-
To perform a Full Sync with a peer Cluster Member, the cxld daemon on a Cluster Member connects to the TCP port 263 on the peer Cluster Member.
-
If this connection fails, then the Cluster Member falls back to the previous mechanism (as it worked in versions R80.40 and lower) - the fwd daemon connects to the TCP port 256 on the peer Cluster Member.
-
The Delta Sync transfers the changes in the kernel tables between Cluster Members.
After all Cluster Members complete a Full Sync, the Delta Sync is used for transfers of changes in state information of the connections.
The Security Gateway kernel handles the Delta Sync using UDP connections on port 8116.
State Synchronization traffic typically makes up around 90% of all Cluster Control Protocol (CCP) traffic.

Cluster Control Protocol (CCP): Proprietary Check Point protocol that runs between Cluster Members on UDP port 8116, and has the following roles: (1) State Synchronization (Delta Sync); (2) Health checks (state of Cluster Members and of cluster interfaces): Health-status Reports, Cluster-member Probing, State-change Commands, Querying for cluster membership. Note: CCP is located between the Check Point Firewall kernel and the network interface (therefore, only TCPdump should be used for capturing this traffic).
Cluster Members distinguish the State Synchronization packets from the rest of CCP traffic based on the opcode in the UDP data header.
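The join sequence described above, modelled in Python as an added example (this is not Check Point's code): the joining member stays Down while the snapshot arrives in acknowledged chunks, holds every Delta Sync update that lands meanwhile, replays them in arrival order, and only then reports Active, trying the cxld port before the fwd fallback. The table contents, chunk layout, the port_open callback and the demo() function are constructed assumptions; only the port numbers and the order of operations come from the text.

```python
from collections import deque

# Ports named in the text: cxld on TCP 263 is tried first, fwd on TCP 256
# is the pre-R81 fallback; Delta Sync rides CCP on UDP 8116.
FULL_SYNC_PORTS = (263, 256)
DELTA_SYNC_PORT = 8116


class JoiningMember:
    def __init__(self):
        self.state = "Down"              # Down until Full Sync completes
        self.connections = {}            # constructed stand-in for a kernel table
        self.pending_deltas = deque()    # Delta Sync packets held in memory

    def receive_delta(self, op, key, value=None):
        """A Delta Sync packet arrives over CCP. It is applied immediately
        once the member is Active; while Full Sync is still running it is
        queued so that it can be replayed in arrival order afterwards."""
        if self.state == "Active":
            self._apply(op, key, value)
        else:
            self.pending_deltas.append((op, key, value))

    def _apply(self, op, key, value):
        if op == "add":
            self.connections[key] = value
        elif op == "delete":
            self.connections.pop(key, None)

    def full_sync(self, snapshot_chunks, port_open):
        """Fetch the peer's snapshot chunk by chunk. port_open(port) is a
        constructed callback saying whether the peer accepted the TCP connect;
        returns the port used, or None if no Full Sync path was available."""
        port = next((p for p in FULL_SYNC_PORTS if port_open(p)), None)
        if port is None:
            return None                  # stays Down: cannot join the cluster
        for chunk in snapshot_chunks:    # each chunk: dict of table entries
            self.connections.update(chunk)
            # the sender waits for this chunk's confirmation before the next
        while self.pending_deltas:       # replay buffered updates in order
            self._apply(*self.pending_deltas.popleft())
        self.state = "Active"
        return port


def demo():
    """Constructed scenario: two Delta Sync updates arrive while the snapshot
    is in flight and the cxld port is closed, so fwd's port is used."""
    m = JoiningMember()
    m.receive_delta("add", "conn-3", "10.0.0.3->10.0.1.3:443")
    m.receive_delta("delete", "conn-1")
    chunks = [{"conn-1": "10.0.0.1->10.0.1.1:80"},
              {"conn-2": "10.0.0.2->10.0.1.2:22"}]
    port = m.full_sync(chunks, port_open=lambda p: p == 256)
    return m, port
```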