Policy installation under heavy load can cause a failover
There is a freeze mechanism, you can implement it as follow :
fw ctl set int fwha_freeze_state_machine_timeout 30 (This command should be run on both cluster members)
To survive a reboot, add the fwha_freeze_state_machine_timeout=30 command in fwkern.conf
To perform a full sync, run
# fw ctl setsync off
then run
#fw ctl setsync start
check logs in $FWDIR/log/fwd.elg
Switching to broadcast mode : cphaconf set_ccp broadcast
Switching to multicast mode : cphaconf set_ccp multicast
Default settings in $FWDIR/boot/ha_boot.conf are
ha_installed 1
ccp_mode broadcast
When using ClusterXL udp port 8116 is sent on all the interfaces of the gateway cluster members (except those define in $FWDIR/conf/discntd.if). UDP port 8116 is necessary for cluster health check. Checkpoint High-Availability is located between vpn-1/firewall-1 kernel and the network cards. This is the reason why security policy cant block synchronization data. So we dont need to create explicite rule in the dashboard for it. This is also the reason CCP packets should be captured via tcpdump.
- viewing the number of active connections : fw tab -s -t connections
- viewing the limit of the connections table : fw tab -t connections
The Sticky Decision Function is not supported with Performance Pack or with an Acceleration device
In Load Sharing VPN with Interoprable vpn device requires SDF
We can disable SDF if running High-Availability (active-passive)
Do not turn SDF off if HTTP (or other protocol) is not synchrozed in ClusterXL
sometime log files get corrupted and we get the following error in the SmartView Tracker : Failed to read record number …
To repare the log file we need to know the log file name and then from the CLI on the CLM/CMA or from the Smartcenter andn then use the following command :
[Expert@mlm]# fw repairlog <log file name>
By default NGX R65 comes with a very limited max active connections number (was 25 000 in my case).
Thats very weak especially for big website hosting.
To increase that limit :
- Double clic on the gateway object
- go in the Capacity Optimization section
- then you can tune Maximum concurrent connections counter
For NGX :
In $FWDIR/conf
Edit user.def.NGX_R60 on the SmartCenter or on the relevant CMA on the Provider-1
#define NON_VPN_TRAFFIC_RULES (src=1.1.1.1 or src=2.2.2.2 ,dst=1.1.1.1 or dst=2.2.2.2)
Install the policy
Clear SAs
Enjoy
On the MDS / Smartcenter Server
# mdsenv CMAXXX (if you have provider-1)
#vpn overlap_encdom
it wont show firewalls Interfaces IP addresses that are part of the vpn domain implicitely