topic Re: Sync Redundancy in Firewall and Security Management

Sync Redundancy

lol2 — Thu, 27 Jul 2023 02:23:58 GMT

hi,

I have two Gaia fw in one Cluster （HA model），one cable between the two firewalls for synchronization。

Now I need to redundant the sync network，so i added one more cable to make a bond interface，When doing bond, I need to delete the IP address of the interface that i was using to sync.i think that will occurs cluster failover .

so my question is the configuring a bond Interface will cause problems ?cluster failover or access .....

After deleting the IP address, it seems that the policy installation button turns gray and cannot be used

Re: Sync Redundancy

PhoneBoy — Thu, 27 Jul 2023 12:21:04 GMT

Any changes to interfaces in a ClusterXL cluster should be made in a maintenance window since it can affect production traffic.
I believe you should make the underlying changes in the OS before attempting changes in SmartConsole.
Also, there’s a note here about adding the slave interfaces for the bond in the same order on both members: https://support.checkpoint.com/results/sk/sk92804

Re: Sync Redundancy

Timothy_Hall — Thu, 27 Jul 2023 13:01:49 GMT

If you are adding/removing interfaces in ClusterXL, the way to avoid a spurious failover due to interface "failure" is to cphastop the standby, complete all your changes on both cluster members and the SmartConsole, install policy to both members, then cphastart the standby. See this rather old SK for the detailed failover-free procedure:

sk57100: Adding or removing an interface in ClusterXL High Availability topology might cause fail-over

Since you will be modifying the sync interface, as an additional precaution you may want to uncheck "drop of out state TCP" in the Global Properties ahead of time and reinstall policy, on the off-chance an unexpected failover occurs when state sync is not working. Having this box unchecked will blunt the unwanted effects of a non-stateful failover; just don't forget to recheck it when the work is complete and tested!

Re: Sync Redundancy

Bob_Zimmerman — Thu, 27 Jul 2023 15:00:07 GMT

Create the bond at the OS level with only the second interface in it. Use a different network from your current sync network.
Change the cluster object's configuration on the management server to use the bond for sync. Remove the old sync interface from the cluster object's topology table.
Push policy.
Remove the IP from your old sync interface at the OS level.
Add the old sync interface to the bond.

This process should not cause a failover, as you have working sync at all times. Still, assume there will be an outage at some point.

Re: Sync Redundancy

the_rock — Thu, 27 Jul 2023 18:11:24 GMT

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-CXLG/Sync-Redundancy.htm