Configuring Services to Synchronize After a Delay

Some TCP services (for example, HTTP) are characterized by connections with a very short duration. There is no point in synchronizing these connections: every synchronized connection consumes resources on the Security Group, and a short-lived connection has usually finished by the time an internal failover occurs.

For short-lived services, you can use the Delayed Notifications feature to delay telling the Security Group about a connection, so that the connection is synchronized only if it still exists X seconds (by default, 3 seconds) after it was initiated. The Delayed Notifications feature requires SecureXL to be enabled on the Security Group (this is the default).

Notes:

  • By default, a connection is synchronized to backup Security Group Members only if it exists for more than 3 seconds.

  • Asymmetric connections are synchronized to backup Security Group Members on the Active Site if, according to the DXL calculation, the Client-to-Server and Server-to-Client directions of the connection pass through different Security Group Members.

To control the "Delayed Notifications" feature:

  • To enable this feature (this is the default):

    1. Connect to the command line on the Security Group.

    2. Log in to the Expert mode.

    3. Run:

      • To enable temporarily in the current session, if you disabled it earlier (does not survive reboot):

        g_fw ctl set int fw_cluster_use_delay_sync 1

      • To enable permanently, if you disabled it earlier (survives reboot):

        g_update_conf_file fwkern.conf fw_cluster_use_delay_sync=1

  • To disable this feature (this increases the CPU load):

    1. Connect to the command line on the Security Group.

    2. Log in to the Expert mode.

    3. Run:

      • To disable temporarily in the current session (does not survive reboot):

        g_fw ctl set int fw_cluster_use_delay_sync 0

      • To disable permanently (survives reboot):

        g_update_conf_file fwkern.conf fw_cluster_use_delay_sync=0
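The enable/disable procedure above as one shell helper. This is an added example, not a script or command from the Check Point guide: it wraps the commands the procedure lists so that the runtime change (g_fw ctl set int) and the persistent change (g_update_conf_file fwkern.conf ...) are always applied together, rejects any value other than 0 or 1, and reports which value fwkern.conf currently persists. It assumes Expert mode on the Security Group with g_fw and g_update_conf_file on the PATH, that the persistent file is $FWDIR/boot/modules/fwkern.conf, and that g_fw ctl get int reads the live kernel value the way fw ctl get int does; the DRY_RUN variable and the function names are the example's own.

```bash
#!/bin/bash
# Added example, not Check Point's code. Keeps the runtime and persistent
# settings of fw_cluster_use_delay_sync in step.
# Assumptions: g_fw and g_update_conf_file are on PATH in Expert mode;
# the persistent file is $FWDIR/boot/modules/fwkern.conf; "g_fw ctl get int"
# reads the live value. Set DRY_RUN=1 to print commands instead of running them.

PARAM=fw_cluster_use_delay_sync

run() {
    # Execute a command, or print it when DRY_RUN is set.
    if [ -n "${DRY_RUN:-}" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Print the value that fwkern.conf persists for the parameter, or "unset"
# when no such line exists (the kernel then uses its built-in default, 1).
# Optional argument: path of the conf file (defaults to the assumed location).
persistent_value() {
    conf="${1:-${FWDIR:-}/boot/modules/fwkern.conf}"
    if [ -r "$conf" ]; then
        val=$(sed -n "s/^${PARAM}=\([01]\)[[:space:]]*$/\1/p" "$conf" | tail -n 1)
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    fi
    echo unset
}

# Set Delayed Notifications on (1) or off (0) in the running kernel AND in
# fwkern.conf, then read the live value back so a failed ctl set is noticed.
# A ctl set alone is lost on reboot; a conf edit alone waits for the next boot.
delay_sync_set() {
    case "${1:-}" in
        0|1) ;;
        *) echo "usage: delay_sync_set 0|1" >&2; return 2 ;;
    esac
    run g_fw ctl set int "$PARAM" "$1" || return 1
    run g_update_conf_file fwkern.conf "${PARAM}=$1" || return 1
    run g_fw ctl get int "$PARAM"
}

# Invoke with a single argument, 0 or 1; with no argument only the functions
# are defined (handy for sourcing the file).
if [ $# -gt 0 ]; then
    delay_sync_set "$1"
fi
```

Because disabling the feature raises CPU load on every Security Group Member, preview the change with DRY_RUN=1 first, and compare the output of persistent_value with the live value that g_fw ctl get int reports to find members whose runtime and persistent settings have drifted apart.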

To configure an applicable delay:

  1. In SmartConsole, click Objects > Object Explorer.

  2. In the left tree, click the small arrow on the left of the Services to expand this category.

  3. In the left tree, select TCP.

  4. Search for the applicable TCP service.

  5. Double-click the applicable TCP service.

  6. In the TCP service properties window, click Advanced page.

  7. At the top, select Override default settings.

    On Domain Management Server, select Override global domain settings.

  8. At the bottom, in the Cluster and synchronization section:

    1. Select Synchronize connections on cluster if State Synchronization is enabled on the cluster.

    2. Select Start synchronizing.

    3. Enter the applicable value.

    Important - This change applies to all policies that use this service.

  9. Click OK.

  10. Close the Object Explorer.

  11. Publish the SmartConsole session.

  12. Install the Access Control Policy on the Scalable Platform Security Gateway object.

Note - The Delayed Notifications setting in the service object is ignored if the Firewall does not offload Connection Templates to SecureXL for that service. For additional information about Connection Templates, see the R81.20 Performance Tuning Administration Guide.