Configuring Link Monitoring on the Cluster Interfaces

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Description

This procedure configures the Cluster Member to monitor only the physical link on the cluster interfaces (instead of monitoring the Cluster Control Protocol (CCP) packets):

  • If a link disappears on the configured interface, the Cluster Member changes the interface's state to DOWN.

    This causes the Cluster Member to change its state to DOWN.

  • If a link appears again on the configured interface, the Cluster Member changes the interface's state back to UP.

    This causes the Cluster Member to change its state back to ACTIVE or STANDBY.

See Viewing Cluster State.

Procedure

Step 1 - Connect to the command line on the Cluster Member.

Step 2 - Log in to the Expert mode.

Step 3 - See if the $FWDIR/conf/cpha_link_monitoring.conf file already exists:

stat $FWDIR/conf/cpha_link_monitoring.conf

Step 4 - If the $FWDIR/conf/cpha_link_monitoring.conf file already exists, create a backup copy:

cp -v $FWDIR/conf/cpha_link_monitoring.conf{,_BKP}

If the $FWDIR/conf/cpha_link_monitoring.conf file does not exist, create it:

touch $FWDIR/conf/cpha_link_monitoring.conf

Step 5 - Edit the $FWDIR/conf/cpha_link_monitoring.conf file:

vi $FWDIR/conf/cpha_link_monitoring.conf

Step 6 - Enter the interfaces to monitor:

  • To monitor the link only on specific interfaces:

    Enter the names of the applicable interfaces - each name on a separate line.

    Example:

    eth2

    eth4

  • To monitor the link on all interfaces:

    Enter only this word:

    all

Step 7 - Save the changes in the file and exit the editor.

Step 8 - Reboot the Cluster Member.

Important - This can cause a failover.

Best Practices:

Note - See Initiating Manual Cluster Failover.
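As an added example that is not part of the Check Point documentation, the following shell functions write the file in the layout the procedure above describes (one interface name per line, or the single word all on its own), keep the _BKP copy from Step 4 when a file already exists, and reject a file that mixes all with interface names. The function names and the set of characters accepted in an interface name are assumptions; the file path is passed as a parameter so the functions can be tried outside a Cluster Member.

```shell
#!/bin/sh
# Added example, not from the Check Point documentation. Function names and the
# allowed interface-name characters are assumptions; the file layout (one name
# per line, or the single word "all") and the "_BKP" backup suffix follow the
# procedure above. Pass the path explicitly, e.g. "$FWDIR/conf/cpha_link_monitoring.conf".

# write_link_monitoring_conf <conf-file> all|<interface>...
write_link_monitoring_conf() {
    [ "$#" -ge 2 ] || { echo "usage: write_link_monitoring_conf <conf-file> all|<interface>..." >&2; return 1; }
    conf="$1"; shift
    if [ "$1" = "all" ]; then
        # "all" must be the only entry in the file
        [ "$#" -eq 1 ] || { echo "'all' cannot be combined with interface names" >&2; return 1; }
    else
        for ifname in "$@"; do
            case "$ifname" in
                all) echo "'all' cannot be combined with interface names" >&2; return 1 ;;
                ""|*[!A-Za-z0-9._-]*) echo "invalid interface name: '$ifname'" >&2; return 1 ;;
            esac
        done
    fi
    # Step 4: back up an existing file before overwriting it
    if [ -f "$conf" ]; then
        cp "$conf" "${conf}_BKP" || return 1
    fi
    # Step 6: one entry per line
    printf '%s\n' "$@" > "$conf"
}

# link_monitoring_mode <conf-file>: prints "all", "list" or "invalid"
# (blank lines are ignored; a file that mixes "all" with names is invalid)
link_monitoring_mode() {
    conf="$1"
    [ -f "$conf" ] || { echo missing; return 1; }
    entries=$(grep -v '^[[:space:]]*$' "$conf" || true)
    if [ -z "$entries" ]; then
        echo invalid; return 1
    elif [ "$entries" = "all" ]; then
        echo all
    elif printf '%s\n' "$entries" | grep -qx all; then
        echo invalid; return 1
    else
        echo list
    fi
}
```

Run link_monitoring_mode against the file before rebooting in Step 8 so that a mixed or empty file is caught while the member is still in its current state.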