https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239897#M5221 <P>The problem has been fixed. FYI, I did the following</P><P>1.&nbsp;<SPAN>"</SPAN><STRONG>$FWDIR/scripts/azure_ha_cli.py reconf</STRONG><SPAN>" - no change<BR />2. Moved the PIP from the old resource group to the new one - no change<BR />3. Changed to the "new" way in&nbsp;$FWDIR/conf/azure-ha.json - no change<BR />4. Ran $FWDIR/scripts/azure_ha_cli.py restart - fixed</SPAN></P><P>It might have been a combination of the above but 'reconf' didn't appear to do anything, 'restart' had a pause as if it was doing something before giving me the cursor back..</P><P>In the upgrade guide it talks about "image build number". I'm not sure which build number it is referring to. There seem to be at least a couple. Can anyone clarify?</P><P>Thanks for all your help.&nbsp;</P> Tue, 28 Jan 2025 21:27:42 GMT wanartisan 2025-01-28T21:27:42Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239777#M5213 <P>Hi Mates,</P><P>I inherited an old cluster running R80.40. At some point it developed a problem with HA. Long story, but I needed to rebuild it anyway, so did so. A new build side-by-side on R81.20 but found it too had a problem with HA (the secondary device doesn't pass traffic so you need to failback).&nbsp;</P><P>I <SPAN>ran the&nbsp;</SPAN><SPAN>azure_ha_test.py and&nbsp;</SPAN>found our error message in the&nbsp;<SPAN>sk175023 ATRG: [Forbidden] Error: HTTP/1.1 403 Forbidden" error</SPAN></P><P>We got the permissions update using the gateway managed identities and the test script now runs clean. Yay!&nbsp;Now the actual problem.</P><P>The HA template in Azure Marketplace creates 3 public IPs (PIPs), one of which is the "cluster-vip" which gets attached to the active gateway in Azure. As part of the rebuild and migration, I changed this is Azure to our established egress PIP in Azure, which is whitelisted by many external services.</P><P>Now when failover occurs, the cluster-vip is changing back to the PIP that was created by the template, and removing the one I selected in Azure and I don't know why.&nbsp;</P><P>I found a reference to the old PIP in&nbsp;$FWDIR/conf/azure-ha.json (caps below replace actual IPs)</P><P>"name": "cluster-vip"&nbsp;<BR />"addr": "PRIVATE IP"<BR />"pub": "TEMPLATE_PIP"</P><P>So I changed this to</P><P>&nbsp;"name": "cluster-vip"&nbsp;<BR />"addr": "PRIVATE IP"<BR />"pub": "ESTABLISHED_EGRESS_PIP"</P><P>I tested the failover again but the same thing is happening. Does anyone know where the command to use the template cluster-vip is coming from?</P><P>Thanks in advance.&nbsp;</P><P>&nbsp;</P> Tue, 28 Jan 2025 06:20:13 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239777#M5213 wanartisan 2025-01-28T06:20:13Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239789#M5214 <P>Follow the steps in the UPGRADE section of the Azure HA admin guide:</P> <P><A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Content/Topics-Azure-HA/Upgrade.htm?TocPath=Upgrade%7C_____0#Upgrading_a_Check_Point_CloudGuard_Network_Security_High_Availability_Solution" target="_blank">https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Content/Topics-Azure-HA/Upgrade.htm?TocPath=Upgrade%7C_____0#Upgrading_a_Check_Point_CloudGuard_Network_Security_High_Availability_Solution</A></P> <P>&nbsp;</P> Tue, 28 Jan 2025 09:17:14 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239789#M5214 Nir_Shamir 2025-01-28T09:17:14Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239790#M5215 <P>This makes me think of the HCP tool and if enhancements in that, specifically for CloudGuard, could help resolve issues like this in the complex web that is the public cloud.</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/585">@Tal_Paz-Fridman</a>&nbsp;</P> <P><A href="https://community.checkpoint.com/t5/General-Topics/HCP-roadmap-question/m-p/229324#M38304" target="_blank">https://community.checkpoint.com/t5/General-Topics/HCP-roadmap-question/m-p/229324#M38304</A></P> <P>&nbsp;</P> Tue, 28 Jan 2025 09:25:04 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239790#M5215 Don_Paterson 2025-01-28T09:25:04Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239792#M5216 <P>That looks perfect. I hadn't seen that. I'll try again the "new" way and report back.</P> Tue, 28 Jan 2025 09:29:49 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239792#M5216 wanartisan 2025-01-28T09:29:49Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239798#M5217 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/110029">@wanartisan</a>&nbsp;<BR />The admin guide's upgrade section explains how to use the old cluster-vip, and you are trying to use a different public IP as VIP,&nbsp;<BR /><BR />In this case, here’s what you need to do:</P> <OL> <LI>Go to the active member’s ETH-0 NIC resource in the Azure portal.</LI> <LI>Navigate to <STRONG>Settings &gt; IP configurations</STRONG> and replace the Public IP address of the cluster-vip with the new address (see attached screenshot).</LI> <LI>Edit the azure_ha.json file on <STRONG>both</STRONG> members (as you’ve done with <SPAN>"pub": "ESTABLISHED_EGRESS_PIP"</SPAN>).</LI> <LI>Run the following command on <STRONG>both</STRONG> members to apply the updated configuration from azure_ha.json: "$FWDIR/scripts/azure_ha_cli.py restart"</LI> </OL> <P>That's it, failover should work with the new Public IP</P> Tue, 28 Jan 2025 09:55:55 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239798#M5217 yairra 2025-01-28T09:55:55Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239824#M5219 <P>sk175023 ATRG suggests</P><P>"<STRONG>$FWDIR/scripts/azure_ha_cli.py reconf</STRONG>"</P><P>Is this correct? I will be testing later.&nbsp;</P> Tue, 28 Jan 2025 14:01:23 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239824#M5219 wanartisan 2025-01-28T14:01:23Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239828#M5220 <P>yes, do that.</P> Tue, 28 Jan 2025 14:04:15 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239828#M5220 Nir_Shamir 2025-01-28T14:04:15Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239897#M5221 <P>The problem has been fixed. FYI, I did the following</P><P>1.&nbsp;<SPAN>"</SPAN><STRONG>$FWDIR/scripts/azure_ha_cli.py reconf</STRONG><SPAN>" - no change<BR />2. Moved the PIP from the old resource group to the new one - no change<BR />3. Changed to the "new" way in&nbsp;$FWDIR/conf/azure-ha.json - no change<BR />4. Ran $FWDIR/scripts/azure_ha_cli.py restart - fixed</SPAN></P><P>It might have been a combination of the above but 'reconf' didn't appear to do anything, 'restart' had a pause as if it was doing something before giving me the cursor back..</P><P>In the upgrade guide it talks about "image build number". I'm not sure which build number it is referring to. There seem to be at least a couple. Can anyone clarify?</P><P>Thanks for all your help.&nbsp;</P> Tue, 28 Jan 2025 21:27:42 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239897#M5221 wanartisan 2025-01-28T21:27:42Z https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239959#M5222 <P>CC&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/37178">@Amir_Senn</a>&nbsp;</P> Wed, 29 Jan 2025 12:41:49 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Cloudguard-Azure-HA-Failover/m-p/239959#M5222 Tal_Paz-Fridman 2025-01-29T12:41:49Z