Archive for the ‘Checkpoint’ Category

This assumes you are using CCP (Cluster Control Protocol) in broadcast mode.

This can be verified while running: # cphaprob -a if

On cluster A
# fw ctl set int fwha_mac_magic 250
# fw ctl set int fwha_mac_forward_magic 251

On cluster B:
# fw ctl set int fwha_mac_magic 240
# fw ctl set int fwha_mac_forward_magic 241

I am not sure the above commands are "reboot persistent" (I did not test it), so the change can also be made in $FWDIR/boot/modules/fwkern.conf

Example:

[Expert@toto]# cat /opt/CPsuite-R65/fw1/boot/modules/fwkern.conf
fwha_mac_magic=250
fwha_mac_forward_magic=251

they are located in $FWDIR/conf/db_versions/repository/<###>

# fw ctl debug -x (on both cluster members)

Policy installation under heavy load can cause a failover

There is a freeze mechanism; you can enable it as follows:

# fw ctl set int fwha_freeze_state_machine_timeout 30 (this command should be run on both cluster members)

To survive a reboot, add the line fwha_freeze_state_machine_timeout=30 to fwkern.conf
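Because both the MAC magic values and the freeze timeout above are only reboot-safe once they sit in fwkern.conf, the added helper below (not from the original post) parses a fwkern.conf-style file, confirms that two clusters on the same segment use distinct magic values, and compares a file value against the running kernel value. The "key = N" output format assumed for "fw ctl get int" is an assumption; the function takes the command as a parameter so it can be checked offline.

```shell
#!/bin/sh
# Added example: sanity checks for fwkern.conf settings (not original code).
# Assumes one key=value per line, as in the fwkern.conf shown on the page.

# Print the value of a key from a fwkern.conf-style file (empty if absent).
fwkern_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 only if two clusters' conf files both set fwha_mac_magic and
# fwha_mac_forward_magic and the values differ between the clusters
# (as in the 250/251 versus 240/241 example above).
fwkern_magic_distinct() {
    # $1 = conf file of cluster A, $2 = conf file of cluster B
    a_magic=$(fwkern_get "$1" fwha_mac_magic)
    b_magic=$(fwkern_get "$2" fwha_mac_magic)
    a_fwd=$(fwkern_get "$1" fwha_mac_forward_magic)
    b_fwd=$(fwkern_get "$2" fwha_mac_forward_magic)
    if [ -z "$a_magic" ] || [ -z "$b_magic" ] || [ -z "$a_fwd" ] || [ -z "$b_fwd" ]; then
        return 1
    fi
    if [ "$a_magic" = "$b_magic" ] || [ "$a_fwd" = "$b_fwd" ]; then
        return 1
    fi
    return 0
}

# Return 0 if the conf file value of a key equals the running kernel value.
# $3 is the command that prints the running value, e.g. "fw ctl get int";
# its "key = N" output format is an assumption, so a stand-in can be used.
fwkern_matches_running() {
    # $1 = file, $2 = key, $3 = command printing "key = N"
    conf_val=$(fwkern_get "$1" "$2")
    run_val=$($3 "$2" | sed -n 's/.*=[[:space:]]*\([0-9]*\).*/\1/p')
    if [ -z "$conf_val" ] || [ "$conf_val" != "$run_val" ]; then
        return 1
    fi
    return 0
}
```

On a real member, run fwkern_matches_running "$FWDIR/boot/modules/fwkern.conf" fwha_freeze_state_machine_timeout "fw ctl get int" after a reboot to confirm the value took effect.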

To perform a full sync, run
# fw ctl setsync off

then run
# fw ctl setsync start

Check the logs in $FWDIR/log/fwd.elg

Switching to broadcast mode: cphaconf set_ccp broadcast

Switching to multicast mode: cphaconf set_ccp multicast

Default settings in $FWDIR/boot/ha_boot.conf are
ha_installed 1
ccp_mode broadcast

When using ClusterXL, UDP port 8116 traffic is sent on all interfaces of the gateway cluster members (except those defined in $FWDIR/conf/discntd.if). UDP port 8116 is necessary for the cluster health check. Check Point High Availability sits between the VPN-1/FireWall-1 kernel and the network cards. This is the reason the security policy cannot block synchronization data, so there is no need to create an explicit rule for it in the Dashboard. This is also the reason CCP packets should be captured with tcpdump.

  • viewing the number of active connections: fw tab -s -t connections
  • viewing the limit of the connections table: fw tab -t connections
  • clearing the host table (licensing): fw tab -t host_table -x

The Sticky Decision Function (SDF) is not supported with Performance Pack or with an acceleration device.

Load Sharing VPN with an interoperable VPN device requires SDF.

SDF can be disabled when running High Availability (active/passive).

Do not turn SDF off if HTTP (or another protocol) is not synchronized in ClusterXL.

Sometimes log files get corrupted and the following error appears in SmartView Tracker: Failed to read record number …

To repair the log file, find the log file name, then from the CLI on the CLM/CMA or on the SmartCenter use the following command:

[Expert@mlm]# fw repairlog <log file name>

Use the command:

# clusterXL_admin down
