asg_dxl

Warning - Do not use this command to change the configuration, unless Check Point Support explicitly asked you to do so.

Best Practice - Follow the instructions in Working with the Distribution Mode.

This command is supported only on these:

  • ElasticXL Cluster

  • Maestro Security Group

  • Scalable Chassis Security Group

Note - You can run this command in Gaia gClish or in the Expert mode.

Description

Shows and configures the distribution mode (DXL) options.

The distribution modes are (for more information, see Working with the Distribution Mode):

Mode Number - Mode Name: Packet Assignment to a Security Group Member

  • 0 - General

    The ElasticXL Cluster / Quantum Maestro Orchestrators / Scalable Chassis SSMs assign packets to a Security Group Member based only on the packet's Source IP address and the Destination IP address.

    If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrators / SSMs assign packets to a Security Group Member based on the packet's Source IP address, Source Port, Destination IP address, and Destination Port.

    On Scalable Chassis, this mode applies to all SSMs in the Scalable Chassis.

  • 1 - User (Internal)

    Packets are assigned to a Security Group Member based only on the packet's Destination IP address.

    If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrator / Scalable Chassis SSM assigns packets to a Security Group Member based on the packet's Source Port and the Destination IP address.

    On Scalable Chassis, this mode applies to one SSM.

  • 2 - Network (External)

    Packets are assigned to a Security Group Member based only on the packet's Source IP address.

    If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrator / Scalable Chassis SSM assigns packets to a Security Group Member based on the packet's Source IP address and Destination Port.

    On Scalable Chassis, this mode applies to one SSM.

Syntax

Run the "asg_dxl" command or the "asg dxl" command.

asg_dxl

      help [-v]

      bmac

      calc <Source IP Address> <Destination IP Address> <Distribution Mode or Name of Interface>

      dist [<Name of File>] [-j]

      export <Name of File>

      general_mode

      import <Name of File>

      init

      l4_mode

      load_analyzer

            -f <Name of CSV File>

            [-b <1-12>]

            [-d {0 | 1 | 2}]

            [-m <16-32>]

            [-s {0 | 1}]

            [-t <Test Mask>]

            [-6 {0 | 1}]

            [-v]

      md5sum

      query <Source IP Address> <Source Port> <Destination IP Address> <Destination Port> <Protocol>

      size

      stat [-v]

      static

            get <Name of File>

            set <Name of File>

            stop

      update

      verify [<SSM ID>]

Parameters

Parameter

Description

No Parameters

Shows the built-in help.

help

Shows the built-in help.

help -v

Shows the verbose built-in help (shows more sub-commands).

bmac

  • On ElasticXL Cluster and Maestro:

    Shows the Base MAC Address for each Site.

  • On Scalable Chassis:

    Shows the Base MAC Address for each SSM.

calc <Parameters>

Calculates the DXL decision based on these parameters:

  • Source IP Address

  • Destination IP Address

  • Distribution Mode, or Name of Interface

    The Distribution Mode is one of these values:

    • 0 - "General" mode.

    • 1 - "User" mode.

    • 2 - "Network" mode.

dist [<Name of File>] [-j]

Shows or configures the distribution mode.

The "-j" parameter specifies the JSON format.

export <Name of File>

Exports the DXL configuration to the specified file.

general_mode

Shows the status of the DXL "General" mode (enabled or disabled).

import <Name of File>

Imports the DXL configuration from the specified file.

init

Initializes the DXL configuration.

l4_mode

Shows the status of the DXL "Layer 4" mode (enabled or disabled).

load_analyzer <Parameters>

Analyzes the load of the Security Group.

  • -f <Name of CSV File>

    Specifies the path and the name of the CSV file that contains records in this format:

    <Source IP Address>,<Destination IP Address>,[{internal | external}],<Percent of Load>

    Example:

    69.78.32.247,173.209.194.151,internal,6.89%

  • -b <1-12>

    Specifies the number of Security Group Members, on which to run the command.

    Default: The current number of Security Group Members.

  • -d {0 | 1 | 2}

    Specifies the Distribution Mode, for which to run the command:

    • 0 - "General" mode.

    • 1 - "User-Network" mode.

    • 2 - "Per-Port" mode.

    Default: The current Distribution Mode.

  • -m <16-32>

    Specifies the Mask Range, the number of bits to calculate the optimal mask.

    Default: 16.

  • -s {0 | 1}

    Specifies whether the VPN SPI mode is enabled for this command:

    • 0 - VPN SPI mode is disabled.

    • 1 - VPN SPI mode is enabled.

    Default: The current VPN SPI mode.

  • -t <Test Bit Mask>

    Specifies the Distribution Bit Mask, for which to run the command.

  • -6 {0 | 1}

    Specifies whether the IPv6 mode is enabled for this command:

    • 0 - IPv6 mode is disabled.

    • 1 - IPv6 mode is enabled.

    Default: The current IPv6 mode.

  • -v

    Specifies the verbose output.
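As an added example (not Check Point code, and not a reimplementation of the DXL hash), the Python code below validates a file in the "-f" CSV format and sums the load share per distribution key, using the key fields the mode table lists for modes 0, 1 and 2 with Layer 4 distribution disabled. It assumes that the optional direction field may be empty or omitted and that records sharing a key are assigned to the same Security Group Member; the function names are hypothetical.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Key fields per mode number, from the mode table (Layer 4 distribution off).
MODE_KEYS = {0: ("src", "dst"), 1: ("dst",), 2: ("src",)}

# Sample input: first record is the page's example, the rest are constructed.
SAMPLE = """\
69.78.32.247,173.209.194.151,internal,6.89%
10.1.1.5,173.209.194.151,internal,40%
10.1.1.6,173.209.194.151,,30.11%
10.1.1.5,198.51.100.7,external,23%
"""


def parse_records(text):
    """Validate each record; raise ValueError that names the offending line."""
    records = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) == 3:  # assumption: the optional direction may be omitted
            row = [row[0], row[1], "", row[2]]
        try:
            src, dst, side, pct = (field.strip() for field in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            if src_ip.version != dst_ip.version:
                raise ValueError("mixed IPv4/IPv6 addresses")
            if side not in ("", "internal", "external"):
                raise ValueError(f"bad direction {side!r}")
            if not pct.endswith("%"):
                raise ValueError("load must end with '%'")
            load = float(pct[:-1])
            if not 0 <= load <= 100:
                raise ValueError("load outside 0-100%")
        except ValueError as err:
            raise ValueError(f"line {lineno}: {err}") from None
        records.append({"src": str(src_ip), "dst": str(dst_ip), "load": load})
    return records


def heaviest_key(records, mode):
    """Sum load per distribution key; return (key, load %) of the largest."""
    totals = defaultdict(float)
    for rec in records:
        totals[tuple(rec[f] for f in MODE_KEYS[mode])] += rec["load"]
    key = max(totals, key=totals.get)
    return key, round(totals[key], 2)
```

The share returned for a mode is a lower bound on the load of the busiest Security Group Member under that mode, because every record with that key is assigned together.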

md5sum

Calculates the MD5 sum of the DXL configuration.

query <Parameters>

Shows the DXL decision for the specified 5-tuple that currently exists in the "Connections" kernel table.

size

Shows the size of the DXL table.

stat [-v]

Shows the DXL status - summarized or verbose.

static <Parameters>

Controls the manual assignment of the distribution list:

  • get <Name of File>

    Shows the current distribution list from the specified file.

  • set <Name of File>

    Configures the distribution based on the specified file.

  • stop

    Returns to the dynamic distribution method.

update

Forces the DXL update.

verify [<SSM ID>]

Applies only to Scalable Chassis.

Compares the configuration signatures between the SSMs and the DXL distribution.