topic Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117608#M16618 <P>yes and yes</P> Tue, 04 May 2021 07:59:59 GMT _Val_ 2021-05-04T07:59:59Z Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are moved? https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117396#M16590 <P>We have Cloudguard R80.10 gws [48 of them] running on a VMWARE NSX-V Cluster 's hosts.</P><P>These Cloud guard gws are managed by R80.40 manager.</P><P>When VMs are moved between hosts in the VMWARE cluster, all connections drop, and we were of the understanding that all individual Cloudguard gateways are in sync, so that when VMs are moved, traffic will flow without drops [ie... without seeing First packet is no syn].</P><P>When I looked at fw tab -t connections -s in individual gateways, I can see the numbers are very different, meaning, Cloud guard gateways are not in sync so it is obvious that when VMs move between hosts in the VMWARE cluster, Is there any fix or workaround that we can apply? This must be a common issue for many out there.</P><P>I dont see there is any mechanism that runs among these Cloud guard gateways to do tcp/ udp state synchronisation like Cluster XL, so I can guess the answer. I am bit confused because at the time of selling the product, we questioned the same feature and the answer was it does keep "in sync" the statetable among Cloud gurads, not sure whether we tried that indeed in a lab and took the word on its own merit.</P><P>So your expert reply is very much appreciated with any tips and tricks.</P><P>Thank you and Kind regards,</P><P>Kanishka</P> Sat, 01 May 2021 10:58:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117396#M16590 kanishkaw 2021-05-01T10:58:05Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117539#M16605 <P>Did you configure your group of CloudGuard gateways as a cluster object (CloudGuard NSX Admin Guide, page 34 and below)?&nbsp;</P> Mon, 03 May 2021 11:21:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117539#M16605 _Val_ 2021-05-03T11:21:24Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117542#M16607 <P>Thank you _Val_.</P><P>Please see below. Yes we have a cluster defined and the same policy is applied to all members.</P><P>How do I verify state sync is happening and all the members have the same tcp state info, (and udp state info as well if applicable for udp).</P><P>Appreciate your reply with thanks.</P><P>Kanishka</P> Mon, 03 May 2021 11:34:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117542#M16607 kanishkaw 2021-05-03T11:34:26Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117544#M16608 <P>cphaprob stat on any of the cluster members should show you the cluster status.&nbsp;</P> Mon, 03 May 2021 12:02:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117544#M16608 _Val_ 2021-05-03T12:02:45Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117574#M16612 <P>Hi _Val_</P><P>It says "HA module not started". What steps can I take to enable HA among members?</P><P>Thank you&nbsp;</P><P>&nbsp;</P> Mon, 03 May 2021 17:25:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117574#M16612 kanishkaw 2021-05-03T17:25:27Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117599#M16615 <P>"cpconfig", look for clusterxl settings. Also, policy push is required again.</P> Tue, 04 May 2021 06:14:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117599#M16615 _Val_ 2021-05-04T06:14:14Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117606#M16617 <P>Thank you _Val_.</P><P>Did you mean this option (as attached) in the Cloudguard R80.10 gateway?</P><P>Is this service impacting to enable it? Do I want a maintenance window?</P><P>Many Thanks</P><P>Kanishka</P> Tue, 04 May 2021 07:45:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117606#M16617 kanishkaw 2021-05-04T07:45:05Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117608#M16618 <P>yes and yes</P> Tue, 04 May 2021 07:59:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117608#M16618 _Val_ 2021-05-04T07:59:59Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117610#M16620 <P>Also, the cluster object itself should have dedicated sync network. Considering the nature of your question, I would advise looking for professional services engagement with Check Point or a third party having some experience in this kind of deployment.&nbsp;<BR /><BR />If not, build a lab environment, study the guide and make it work in the lab first, to build up expertise.&nbsp;</P> Tue, 04 May 2021 08:02:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117610#M16620 _Val_ 2021-05-04T08:02:20Z Re: Cloudguard R80.10 gws running on a VMWARE NSX-V Cluster - Is state sync working when VMs are mov https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117892#M16681 <P>Thanks _Val_.&nbsp; We are going to enable Sync link and ClusterXL in a maint window. Thanks for the replies which clarified what should be done.</P> Fri, 07 May 2021 07:01:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Cloudguard-R80-10-gws-running-on-a-VMWARE-NSX-V-Cluster-Is-state/m-p/117892#M16681 kanishkaw 2021-05-07T07:01:32Z