Viewing Cluster Interfaces

Description

This command shows the state of the Cluster Member Security Gateway that is part of a cluster. interfaces and the virtual cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. interfaces.

ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. treats the interfaces as Critical Devices. ClusterXL makes sure that interfaces can send and receive CCP packets.

ClusterXL also sets the required minimal number of functional interfaces to the largest number of functional interfaces ClusterXL detected since the last reboot. If the number of functional interfaces is less than the required number, ClusterXL declares the Cluster Member as failed and starts a failover Transferring of a control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms). Synonym: Fail-over.. The same applies to the synchronization interfaces, where only good synchronization interfaces are counted.

When an interface is DOWN State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd-party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster., it means that the interface cannot receive or send CCP packets, or both. An interface may also be able to receive, but not send CCP packets. The time you see in the command's output is the number of seconds that elapsed since the interface was last able to receive or send a CCP packet.

Syntax

Shell	Command
Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).	`set virtual-system <VSID>` `show cluster members interfaces {all \| secured \| virtual \| vlans}`
Expert mode	`cphaprob [-vs all] [-a] [-m] if`

Where:

Command	Description
`show cluster members interfaces all`	Shows full list of all cluster interfaces: including the number of required interfaces including Network Objective Defines how the cluster will configure and monitor an interface - Cluster, Sync, Cluster+Sync, Monitored Private, Non-Monitored Private. Configured in SmartConsole > cluster object > 'Topology' pane > 'Network Objective'. including VLAN monitoring mode, or list of monitored VLAN interfaces
`show cluster members interfaces secured`	Shows only cluster interfaces (Cluster and Sync) and their states: without Network Objective without VLAN monitoring mode without monitored VLAN interfaces
`show cluster members interfaces virtual`	Shows full list of cluster virtual interfaces and their states: including the number of required interfaces including Network Objective without VLAN monitoring mode without monitored VLAN interfaces
`show cluster members interfaces vlans`	Shows only monitored VLAN interfaces
`cphaprob if`	Shows only cluster interfaces (Cluster and Sync) and their states: without Network Objective without VLAN monitoring mode without monitored VLAN interfaces
`cphaprob -a if`	Shows full list of cluster interfaces and their states: including the number of required interfaces including Network Objective without VLAN monitoring mode without monitored VLAN interfaces
`cphaprob -a -m if`	Shows full list of all cluster interfaces and their states: including the number of required interfaces including Network Objective including VLAN monitoring mode, or list of monitored VLAN interfaces

Output

The output of these commands must be identical to the configuration in the cluster object's Network Management page in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Example

[Expert@Member1:0]# cphaprob -a -m if

CCP mode: Manual (Unicast)

Required interfaces: 4

Required secured interfaces: 1

Interface Name:      Status:

eth0                 UP

eth1 (S)             UP

eth2 (LM)            UP

bond1 (LS)           UP

S - sync, LM - link monitor, HA/LS - bond type

Virtual cluster interfaces: 3

eth0            192.168.3.247

eth2            44.55.66.247

bond1           77.88.99.247

No VLANs are monitored on the member

[Expert@Member1:0]#

Description of the "cphaprob -a -m if" command output fields:

Field, or Text

Description

CCP mode

Shows the CCP mode.

The default mode is Unicast.

Important - In R81, the CCP always runs in the unicast mode.

Required interfaces

Shows the total number of monitored cluster interfaces, including the Sync interface An interface on a Cluster Member, whose Network Type was set as Sync or Cluster+Sync in SmartConsole in cluster object. This interface is monitored by cluster, and failure on this interface will cause cluster failover. This interface is used for State Synchronization between Cluster Members. The use of more than one Sync Interfaces for redundancy is not supported because the CPU load will increase significantly due to duplicate tasks performed by all configured Synchronization Networks. Synonyms: Secured Interface, Trusted Interface..

This number is based on the configuration of the cluster object > Network Management page.

Required secured interfaces

Shows the total number of the required Sync interfaces.

This number is based on the configuration of the cluster object > Network Management page.

Non-Monitored

This means that Cluster Member does not monitor the state of this interface.

In SmartConsole, in the cluster object > Network Management page, administrator configured the Network Type Private for this interface.

This means that Cluster Member monitors the state of this interface.

The current cluster state of this interface is UP, which means this interface can send and receive CCP packets.

In SmartConsole, in the cluster object > Network Management page, administrator configured one of these Network Types for this interface: Cluster, Sync, or Cluster + Sync.

DOWN

This means that Cluster Members monitors the state of this interface.

The current cluster state of this interface is DOWN, which means this interface cannot send CCP packets, receive CCP packets, or both.

In SmartConsole, in the cluster object > Network Management page, administrator configured one of these Network Types for this interface: Cluster, Sync, or Cluster + Sync.

(S)

This interface is a Sync interface.

In SmartConsole, in the cluster object > Network Management page, administrator configured one of these Network Types for this interface: Sync, or Cluster + Sync.

(LM)

This interface is configured in the $FWDIR/conf/cpha_link_monitoring.conf file.

Cluster Member monitors only the link on this interface (does not monitor the received or sent CCP packets).

See Configuring Link Monitoring on the Cluster Interfaces.

(HA)

This interface is a Bond interface in High Availability A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA. mode.

(LS)

This interface is a Bond interface in Load Sharing A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS. mode.

Virtual cluster interfaces

Shows the total number of the configured virtual cluster interfaces.

This number is based on the configuration of the cluster object > Network Management page.

No VLANs are monitored on the member

Shows the VLAN monitoring mode - there are no VLAN interfaces configured on the cluster interfaces.

Monitoring mode is Monitor all VLANs: All VLANs are monitored

Shows the VLAN monitoring mode - there are some VLAN interfaces configured on the cluster interfaces, and Cluster Member monitors all VLAN IDs.

Monitoring mode is Monitor specific VLAN: Only specified VLANs are monitored

Shows the VLAN monitoring mode - there are some VLAN interfaces configured on the cluster interfaces, and Cluster Member monitors only specific VLAN IDs.