Networking Tips

two clusters sharing the same VLAN

admin — Thu, 27 May 2010 14:44:45 +0000

This assume you using CCP (cluster control protocol) in broadcast mode

Can be verified while running : #cphaprob -a if

On cluster A
# fw ctl set int fwha_mac_magic 250
# fw ctl set int fwha_mac_forward_magic 251

On cluster B:
# fw ctl set int fwha_mac_magic 240
# fw ctl set int fwha_mac_forward_magic 241

not sure the above commands are “reboot persitent” (I did not test it) so the change can be implemented in : $FWDIR/boot/modules/fwkern.conf

example :

[Expert@toto]# cat /opt/CPsuite-R65/fw1/boot/modules/fwkern.conf
fwha_mac_magic=250
fwha_mac_forward_magic=251

Database revision control files

admin — Mon, 17 May 2010 14:01:18 +0000

they are located in $FWDIR/conf/db_versions/repository/<###>

Disable debug flags

admin — Mon, 26 Apr 2010 13:07:12 +0000

#fw ctl debug –x (On both cluster members)

Cluster XL freeze mechanism

admin — Thu, 11 Feb 2010 10:53:50 +0000

Policy installation under heavy load can cause a failover

There is a freeze mechanism, you can implement it as follow :

fw ctl set int fwha_freeze_state_machine_timeout 30 (This command should be run on both cluster members)

To survive a reboot, add the fwha_freeze_state_machine_timeout=30 command in fwkern.conf

Restarting ClusterXL synchronization

admin — Tue, 09 Feb 2010 15:45:03 +0000

To perform a full sync, run
# fw ctl setsync off

then run
#fw ctl setsync start

check logs in $FWDIR/log/fwd.elg

Cluster Control Protocol mode

admin — Tue, 26 Jan 2010 17:07:18 +0000

Switching to broadcast mode : cphaconf set_ccp broadcast

Switching to multicast mode : cphaconf set_ccp multicast

Default settings in $FWDIR/boot/ha_boot.conf are
ha_installed 1
ccp_mode broadcast

When using ClusterXL udp port 8116 is sent on all the interfaces of the gateway cluster members (except those define in $FWDIR/conf/discntd.if). UDP port 8116 is necessary for cluster health check. Checkpoint High-Availability is located between vpn-1/firewall-1 kernel and the network cards. This is the reason why security policy cant block synchronization data. So we dont need to create explicite rule in the dashboard for it. This is also the reason CCP packets should be captured via tcpdump.

Connections tables

admin — Tue, 12 Jan 2010 11:36:15 +0000

viewing the number of active connections : fw tab -s -t connections
viewing the limit of the connections table : fw tab -t connections
clear the host table (licensing) : fw tab -t host_table -x

Sticky Decision Function

admin — Tue, 12 Jan 2010 11:35:36 +0000

The Sticky Decision Function is not supported with Performance Pack or with an Acceleration device

In Load Sharing VPN with Interoprable vpn device requires SDF

We can disable SDF if running High-Availability (active-passive)

Do not turn SDF off if HTTP (or other protocol) is not synchrozed in ClusterXL

Failed to read record number xxxxx

admin — Tue, 12 Jan 2010 11:34:29 +0000

sometime log files get corrupted and we get the following error in the SmartView Tracker : Failed to read record number …

To repare the log file we need to know the log file name and then from the CLI on the CLM/CMA or from the Smartcenter andn then use the following command :

[Expert@mlm]# fw repairlog

Manual failover in clusterXL

admin — Tue, 12 Jan 2010 11:32:30 +0000

use the command :

#clutserXL_admin down