Manual failover between ClusterXL members

A Check Point security gateway cluster running under ClusterXL uses certain devices that must be running on the cluster member for the member to be considered active.

The devices can be displayed using cphaprob -ia list. A normal output will look like this:

[Expert@firewall]# cphaprob -ia list

Built-in Devices:

Device Name: Problem Notification
Current state: OK

Device Name: Interface Active Check
Current state: OK

Device Name: HA Initialization
Current state: OK

Device Name: Load Balancing Configuration
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 13212.1 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 13201.4 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

If one or more of the devices have a problem, ClusterXL will fail over from the active member to the standby member. This is only true as long as the second member has no problem itself. If the second member does have a problem, the cluster mechanism decides on its own which machine is more suitable to handle the traffic, and will or will not fail over accordingly.

Failover will also occur if you issue cpstop or cphastop on the active member, which stops all Check Point services or just the ClusterXL-related service, respectively.

For maintenance it can be necessary to move all traffic away from the active member to the secondary member by initiating a failover, while leaving the security policy and services active on the machine.

This can be done by registering a new device, which adds it to the list of processes that must be running for the cluster member to be considered active, and putting the new device in the problem state.

Use this command line: cphaprob -d STOP -s problem -t 0 register

To unregister the problematic device and make the cluster member available and active again, use: cphaprob -d STOP unregister
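
To check which device is holding a member down, and that the STOP device is gone again after maintenance, the listing can be filtered for devices that are not OK. The script below is an added example, not part of the original post: the function names and the sample listing are constructed, and the STOP entry is assumed to appear in the same format as the devices shown above.

```shell
#!/bin/sh
# Added example: helpers that read `cphaprob -ia list` output on stdin.

# Print "<device><TAB><state>" for every device whose state is not OK.
pnote_problems() {
    awk '
        /^[ \t]*Device Name:/ {
            sub(/^[ \t]*Device Name:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            name = $0; next
        }
        /^[ \t]*Current state:/ {
            sub(/^[ \t]*Current state:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            if ($0 != "OK") printf "%s\t%s\n", name, $0
        }'
}

# Exit 0 if a device named $1 is listed in any state, 1 otherwise.
pnote_registered() {
    awk -v want="$1" '
        /^[ \t]*Device Name:/ {
            sub(/^[ \t]*Device Name:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            if ($0 == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample: abbreviated listing after the STOP device was registered
# in the problem state (assumed to follow the format shown above).
sample_maintenance() {
    cat <<'EOF'
Device Name: Interface Active Check
Current state: OK

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

Device Name: STOP
Registration number: 4
Timeout: none
Current state: problem
Time since last report: 42.0 sec
EOF
}
# On a gateway: cphaprob -ia list | pnote_problems
sample_maintenance | pnote_problems
```

A member that stays in standby after maintenance with STOP still reported by pnote_registered means the unregister step was skipped.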

Learn more about the usage of cphaprob from the CLI manual.
