IPS Management During a Cluster Failover

You can configure how IPS is managed during a cluster failover.

A failover occurs when one Cluster Member takes over for a different Cluster Member to provide High Availability.

You must run this command in the Expert mode.

Syntax to configure the IPS behavior during a cluster failover

asg_ips_failover_behavior {connectivity | security}

Parameters

| Parameter | Description |
| --- | --- |
| connectivity | Prefers connectivity (default). Keeps connections alive, even if IPS inspection cannot be guaranteed. |
| security | Prefers security. Closes connections for which IPS inspection cannot be guaranteed. |

Syntax to view the configured IPS behavior during a cluster failover

fw ctl get int fwha_ips_reject_on_failover

Explanation:

| Output | Current Configuration |
| --- | --- |
| fwha_ips_reject_on_failover = 0 | Prefers connectivity |
| fwha_ips_reject_on_failover = 1 | Prefers security |
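
One way to audit this setting across a cluster, as an added example that is not part of the original page: the script reads the output of fw ctl get int fwha_ips_reject_on_failover captured from each Cluster Member and reports every member that does not match the intended mode, including members whose output cannot be parsed. The member names, the input format (member name followed by the command output) and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the IPS failover setting across Cluster Members.
# Each input line is "<member> <output of fw ctl get int fwha_ips_reject_on_failover>".
# Member names and the sample data below are constructed for illustration.

# Map one line of command output to the documented mode name.
ips_failover_mode() {
    case "$(printf '%s' "$1" | tr -d ' \t\r')" in
        fwha_ips_reject_on_failover=0) echo connectivity ;;
        fwha_ips_reject_on_failover=1) echo security ;;
        *) echo unknown; return 1 ;;   # empty or unexpected output
    esac
}

# audit_ips_failover <wanted-mode>: reads "member output" lines on stdin.
# Prints one finding per non-matching member; returns 0 only if all match.
audit_ips_failover() {
    wanted=$1
    rc=0
    while read -r member output; do
        [ -n "$member" ] || continue
        mode=$(ips_failover_mode "$output") || true
        if [ "$mode" != "$wanted" ]; then
            echo "MISMATCH $member: $mode (wanted $wanted)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: member2 is still on the default (connectivity),
# and member3 returned nothing usable.
SAMPLE='member1 fwha_ips_reject_on_failover = 1
member2 fwha_ips_reject_on_failover = 0
member3 (no output captured)'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_ips_failover "$1"; }

audit_sample security || echo "cluster does not uniformly prefer security"
```

A member reported as unknown is treated as a mismatch, so a failed or empty read is never counted as compliant.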