Switching to broadcast mode : cphaconf set_ccp broadcast
Switching to multicast mode : cphaconf set_ccp multicast
Default settings in $FWDIR/boot/ha_boot.conf are
ha_installed 1
ccp_mode broadcast
When using ClusterXL udp port 8116 is sent on all the interfaces of the gateway cluster members (except those define in $FWDIR/conf/discntd.if). UDP port 8116 is necessary for cluster health check. Checkpoint High-Availability is located between vpn-1/firewall-1 kernel and the network cards. This is the reason why security policy cant block synchronization data. So we dont need to create explicite rule in the dashboard for it. This is also the reason CCP packets should be captured via tcpdump.
- viewing the number of active connections : fw tab -s -t connections
- viewing the limit of the connections table : fw tab -t connections
The Sticky Decision Function is not supported with Performance Pack or with an Acceleration device
In Load Sharing VPN with Interoprable vpn device requires SDF
We can disable SDF if running High-Availability (active-passive)
Do not turn SDF off if HTTP (or other protocol) is not synchrozed in ClusterXL
sometime log files get corrupted and we get the following error in the SmartView Tracker : Failed to read record number …
To repare the log file we need to know the log file name and then from the CLI on the CLM/CMA or from the Smartcenter andn then use the following command :
[Expert@mlm]# fw repairlog <log file name>
By default NGX R65 comes with a very limited max active connections number (was 25 000 in my case).
Thats very weak especially for big website hosting.
To increase that limit :
- Double clic on the gateway object
- go in the Capacity Optimization section
- then you can tune Maximum concurrent connections counter
For NGX :
In $FWDIR/conf
Edit user.def.NGX_R60 on the SmartCenter or on the relevant CMA on the Provider-1
#define NON_VPN_TRAFFIC_RULES (src=1.1.1.1 or src=2.2.2.2 ,dst=1.1.1.1 or dst=2.2.2.2)
Install the policy
Clear SAs
Enjoy
On the MDS / Smartcenter Server
# mdsenv CMAXXX (if you have provider-1)
#vpn overlap_encdom
it wont show firewalls Interfaces IP addresses that are part of the vpn domain implicitely
LB_FAILED is triggered when LTM is ready to send the request to a pool member and one hasn’t been chosen (the system failed to select a pool or a pool member), is unreachable (when no route to the target exists), or is non-responsive (fails to respond to a connection request).
when LB_FAILED {
LB::reselect pool ANOTHER_POOL
}
If you use this rule in Pool_1 and all Pool_1 members are off or unreachable or the connectil limit has been reached you can redirect the client to Pool_2 (ANOTHER_POOL in the above example)
| success | The number of successful queries made to the server or zone. A successful query is defined as query which returns a NOERROR response with at least one answer RR. |
| referral | The number of queries which resulted in referral responses. |
| nxrrset | The number of queries which resulted in NOERROR responses with no data. |
| nxdomain | The number of queries which resulted in NXDOMAIN responses. |
| failure | The number of queries which resulted in a failure response other than those above. |
| recursion | The number of queries which caused the server to perform recursion in order to find the final answer. |
Each query received by the server will cause exactly one of success, referral, nxrrset, nxdomain, or failure to be incremented, and may additionally cause the recursion counter to be incremented.