Advanced Features

The Interface Link Preemption Mechanism

The Interface Link Preemption Mechanism prevents constant Chassis failover and fallback when the interface link state changes frequently.

When you enable this feature, an interface state that changes from DOWN to UP is included in the Chassis grade only if the link state is UP for at least "N" seconds.

The Interface Link Preemption Mechanism is enabled by default with the preemption time of 5 seconds.

Syntax to show the current configured link preemption time

Shell	Syntax
Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).	`fw ctl get int fwha_ch_if_preempt_time`
Expert mode	`g_fw ctl get int fwha_ch_if_preempt_time`

Syntax to configure the link preemption time on-the-fly (does not survive reboot)

Shell	Syntax
Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish	`fw ctl set int fwha_ch_if_preempt_time <Preemption Time>`
Expert mode	`g_fw ctl set int fwha_ch_if_preempt_time <Preemption Time>`

Syntax to configure the link preemption time permanently (survives reboot)

Shell	Syntax
Gaia Clish	`update_conf_file fwkern.conf fwha_ch_if_preempt_time=<Preemption Time>`
Expert mode	`g_update_conf_file fwkern.conf fwha_ch_if_preempt_time=<Preemption Time>`

Syntax to disable the link preemption mechanism on-the-fly (does not survive reboot)

Shell	Instructions
Gaia Clish	`fw ctl set int fwha_ch_if_preempt_time 0`
Expert mode	`g_fw ctl set int fwha_ch_if_preempt_time 0`

Syntax to disable the link preemption mechanism permanently (survives reboot)

Shell	Syntax
Gaia Clish	`update_conf_file fwkern.conf fwha_ch_if_preempt_time=0`
Expert mode	`g_update_conf_file fwkern.conf fwha_ch_if_preempt_time=0`

Parameters

Parameter	Description
`<Preemption Time>`	The interface link preemption time. An interface state that changes from DOWN to UP is included in the Chassis grade only if the link state is UP for at least this specified number of seconds. Default: 5 seconds

Parameter

Description

<Preemption Time>

The interface link preemption time.

An interface state that changes from DOWN to UP is included in the Chassis grade only if the link state is UP for at least this specified number of seconds.

Default: 5 seconds

Example

[Expert@MyChassis-ch0x-0x:0]# g_fw ctl set int fwha_ch_if_preempt_time 20

[Expert@MyChassis-ch0x-0x:0]# g_update_conf_file fwkern.conf fwha_ch_if_preempt_time=20

The Sync Lost Mechanism in High Availability

The Chassis uses the Check Point proprietary Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Control Protocol (CCP) to send control packets between two High Availability Chassis.

When a Sync interface fails on one Chassis, it is necessary to update the other Standby Chassis.

The Sync Lost Mechanism handles the loss of connectivity between the two Chassis on the Sync network.

The Sync Lost Mechanism is enabled by default.

To prevent the two Chassis from changing their states to Active, the Chassis on which the Sync interface failed, sends the CCP packets "sync_lost" over the non-sync interface (the Data Ports and Management interfaces) to the other Chassis. This causes the two Chassis to freeze their current states until connectivity between the two Chassis is restored. During the Sync Loss, the Standby Chassis does not change its state to Active until it stops receiving the CCP packets "sync_lost" from the other Chassis.

The Chassis sends the CCP packets "sync_lost" in this manner:

In a non-VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. environment - All Chassis interfaces send these CCP packets
In a VSX environment - All interfaces of the VS0 context only send these CCP packets

Syntax to show current state of the Sync Lost Mechanism

Shell	Syntax
Gaia Clish	`fw ctl get int fwha_ch_sync_lost_mechanism_enabled`
Expert mode	`g_fw ctl get int fwha_ch_sync_lost_mechanism_enabled`

Explanation for the returned values:

0 - disabled
1 - enabled

Syntax to enable the Sync Lost Mechanism on-the-fly (does not survive reboot)

Shell	Syntax
Gaia Clish	`fw ctl set int fwha_ch_sync_lost_mechanism_enabled 1`
Expert mode	`g_fw ctl set int fwha_ch_sync_lost_mechanism_enabled 1`

Syntax to enable the Sync Lost Mechanism permanently (survives reboot)

Shell	Syntax
Gaia Clish	`update_conf_file fwkern.conf fwha_ch_sync_lost_mechanism_enabled=1`
Expert mode	`g_update_conf_file fwkern.conf fwha_ch_sync_lost_mechanism_enabled=1`

Syntax to disable the Sync Lost Mechanism on-the-fly (does not survive reboot)

Shell	Instructions
Gaia Clish	`fw ctl set int fwha_ch_sync_lost_mechanism_enabled 0`
Expert mode	`g_fw ctl set int fwha_ch_sync_lost_mechanism_enabled 0`

Syntax to disable the Sync Lost Mechanism permanently (survives reboot)

Shell	Syntax
Gaia Clish	`update_conf_file fwkern.conf fwha_ch_sync_lost_mechanism_enabled=0`
Expert mode	`g_update_conf_file fwkern.conf fwha_ch_sync_lost_mechanism_enabled=0`

Managing the Connection Synchronization

You can manage connection synchronization for High Availability.

Syntax to configure the connection synchronization mode on-the-fly (does not survive reboot):

Shell	Syntax
Gaia Clish	`fw ctl set int fwha_sync_excp_mask <Mode>`
Expert mode	`g_fw ctl set int fwha_ch_sync_lost_mechanism_enabled <Mode>`

Syntax to configure the connection synchronization mode permanently (survives reboot):

Shell	Syntax
Gaia Clish	`update_conf_file fwkern.conf fwha_sync_excp_mask=<Mode>` `reboot -b all`
Expert mode	`g_update_conf_file fwkern.conf fwha_sync_excp_mask=<Mode>` `g_reboot -b all`

Shell

Syntax

Gaia Clish

update_conf_file fwkern.conf fwha_sync_excp_mask=<Mode>

reboot -b all

Expert mode

g_update_conf_file fwkern.conf fwha_sync_excp_mask=<Mode>

g_reboot -b all

Syntax to show the configured connection synchronization mode

asg stat -v

Parameters

Parameter	Description
`<Mode>`	Specifies the Connection Synchronization Mode: `0` - Disables the backup synchronization on the Active Chassis and the Standby Chassis `1` - Synchronizes only the backup member on the Active Chassis `2` - Synchronizes only the backup member on the Standby Chassis `3` - Synchronizes the backup member on the Active Chassis and the Standby Chassis

Parameter

Description

<Mode>

Specifies the Connection Synchronization Mode:

0 - Disables the backup synchronization on the Active Chassis and the Standby Chassis
1 - Synchronizes only the backup member on the Active Chassis
2 - Synchronizes only the backup member on the Standby Chassis
3 - Synchronizes the backup member on the Active Chassis and the Standby Chassis