topic Re: CloudGuard HA IAAS Deployment in Firewall and Security Management

CloudGuard HA IAAS Deployment

Simon_Macpherso — Wed, 10 Nov 2021 04:29:33 GMT

Hello all,

I've deployed a CloudGuard IaaS HA cluster to Azure public cloud using Terraform.

I’ve based my Terraform code on the latest HA configuration templates available on the CheckpointSW repo.

https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/azure/high-availability-new-vnet

I notice after deployment that the azure-ha.json file has not been updated with the required keys values.

Running azure_ha_test.py reports missing attributes.

The cloud-init.sh script exists in the root module and custom_data in os_profile is references the correct path i.e. custom_data = templatefile("${path.module}/cloud-init.sh"

Should the azure-ha.json file contain the relevant values immediately after deployment or are these values added to the file once the gateways have been added and configured on the management server and received policy? I haven't added the gateways to a new cluster on the management server yet.

Regards,

Simon

Re: CloudGuard HA IAAS Deployment

PhoneBoy — Wed, 10 Nov 2021 05:45:15 GMT

You're not officially in HA mode until you add the gateways and push policy, so I would presume these get added once that's happened.

Re: CloudGuard HA IAAS Deployment

Simon_Macpherso — Tue, 16 Nov 2021 04:15:09 GMT

I've added the cluster to smart console and pushed a policy to the gateways.

The gateways are now in HA mode.

However, the azure-ha.json remains unpopulated.

Also HA is not working correctly.

On the cli, when the primary is active I can SSH to it via the cluster IP. If I reboot the primary (active) and try to SSH in to the secondary using the the cluster IP I cannot connect, even though the cluster has successfully failed over to the standby (now active). Once the primary has are booted and reenters the cluster in standby mode, I still cannot connect using the cluster IP. If I reboot the secondary (active), the cluster fails over and I can connect to the primary (now active) using the cluster IP. So I can only connect to the cluster using the cluster VIP when the primary is active.