topic Re: GCP Cloudguard GW manual-failover in Cloud Firewall

GCP Cloudguard GW manual-failover

AkosBakos — Mon, 25 Nov 2024 09:56:02 GMT

Hi Mates,

I have some questions about HA failover in cloud.

Is there anybody here who is expert in GCP?

Akos

Re: GCP Cloudguard GW manual-failover

Nir_Shamir — Mon, 25 Nov 2024 10:16:21 GMT

Ask away 🙂 .

Re: GCP Cloudguard GW manual-failover

AkosBakos — Mon, 25 Nov 2024 10:59:55 GMT

Thanks, Great!

So I have a basic setup:

Interlnet -> HA cloudguard custer -> client inside.

I initiate a traffic eg. SSH sesion to the internet. If I do a clusterXL_admin down on the active member, the SSH disconnects.

It seems the connection does not sync to the standby member.

Are there any issues around this?

Akos

Re: GCP Cloudguard GW manual-failover

Nir_Shamir — Mon, 25 Nov 2024 11:22:32 GMT

Cluster HA in Google Works like a regular Cluster but there are external Google things you need to check before and after the failover.

first, on the Internal VPC the default route should point to the ACTIVE member. I guess that works otherwise you wouldn't have any connection.

When you failover, our GW sends an API call to Google Cloud which tells it to change the default route to the new ACTIVE member.

So first check if this happens. Also check if on the External VPC subnet the "Private Google API access" is enabled.

Re: GCP Cloudguard GW manual-failover

Rivka-Strilitz — Mon, 25 Nov 2024 12:06:55 GMT

It sounds like you might be using the nic0 external IP for SSH. Could that be the case?
This is the IP that gets switched between members during failover which is why the SSH connection gets lost.
Try connecting via SSH using NIC1 instead.

If that's not the case, then I think Nir's suggestion is a great place to start the investigation.

Re: GCP Cloudguard GW manual-failover

AkosBakos — Mon, 25 Nov 2024 12:25:38 GMT

Yes, it is set.

Re: GCP Cloudguard GW manual-failover

AkosBakos — Mon, 25 Nov 2024 12:29:15 GMT

It sounds like you might be using the nic0 external IP for SSH. Could that be the case?

No, because I NAT to the external IP of the loadbalancer in VPC

Akos

Re: GCP Cloudguard GW manual-failover

AkosBakos — Mon, 25 Nov 2024 12:43:01 GMT

I attach a basic topology

Re: GCP Cloudguard GW manual-failover

AkosBakos — Mon, 25 Nov 2024 12:50:29 GMT

A small clarification:

"It seems the connection does not sync to the standby member."

In case of manual failver (clusterXL_adn down), the packet flow is changed. The outgoing packet flow through the Active member, but the reply packets in this session flow through on the stanby member.

It cause assymentric route.

Akos

Re: GCP Cloudguard GW manual-failover

Nir_Shamir — Mon, 25 Nov 2024 13:10:45 GMT

when you failover , check the health check on the LB screen.

does it see the correct member as healthy (should be the ACTIVE member).

also have you configured the right things in order to use an LB ?

you need to monitor port TCP 8117 and make sure you have this kernel parameter activated on the GWs:

fw ctl get int cloud_balancer

should return 8117

if not add it

fw ctl set -f int cloud_balancer 8117