Michael_Thompso
Participant

Control which azure cloudguard instance receives traffic

Hello all,

I have R80.30 CloudGuard in an Azure scale set fronted by a Standard LB. How can I control which instance in the scale set receives traffic from the LB? Is the best way to block the health probes on port 8117 on the specific instance? If yes, what is the best way to do that?

Thanks

4 Replies
HeikoAnkenbrand
Champion

Why do you want to control traffic to a gateway?

Solutions:

1) You can change the order in the ClusterXL object like in a real ClusterXL, so you can control the direction. <<< Best way :-)

2) For maintenance work you can also start a "clusterXL_admin down" on a gateway.

3) The monitoring of port 8117 is included in the implied rules. So you may have to change the implied rules in the global properties and add a drop rule. I don't think that's a good idea!

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Michael_Thompso
Participant

Thanks for your reply.

To answer your question, I want to be able to perform maintenance on the instances in the scale set, in this case apply the latest hotfix. Reading the Microsoft documentation on Standard Load Balancers, if the health probe fails for a particular instance it will redirect new traffic to another instance. It will also let the current sessions terminate on their own. This is what I want, so that there is no disruption of traffic. AWS makes this easy by just deregistering the instance from the target group.

My Azure CloudGuard is in a scale set, so it is not configured to use ClusterXL. There isn't a cluster object defined in SmartConsole; the CME service creates only gateway objects. In this case I don't think option 1 or 2 will work, unless I am missing something.

Matthias_Haas
Advisor

The health check port is controlled by the kernel parameter "cloud_balancer_port":

[Expert@gw]# fw ctl get int cloud_balancer_port

cloud_balancer_port = 8117

This is also defined in /var/opt/fw.boot/modules/fwkern.conf.

So you could try to modify the parameter on the fly, like:

fw ctl set int cloud_balancer_port 8119

At least on my instance, the health check was answered by an "RST" after the modification, but I'm not sure what the LB is doing.

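As an added example (not code from this thread, from Check Point or from Microsoft), here is a small drain/restore helper built on the approach in the reply above: it moves cloud_balancer_port away from the port the Azure LB probe targets so the probe fails and the LB stops handing new flows to this instance, reads the value back to confirm the kernel took it, and on restore warns if fwkern.conf would persist a different value across a reboot. It assumes that `fw ctl set int` takes effect immediately and is not persisted (the thread's observation of an RST after the change is consistent with that), reuses the ports 8117 and 8119 and the fwkern.conf path quoted in the thread, and uses a placeholder PROBE_WAIT that you must set from your own LB probe interval and unhealthy threshold.

```shell
#!/bin/bash
# Added example, not code from this thread or from Check Point.
# Drain / restore one CloudGuard scale set member behind an Azure Standard LB
# by moving the kernel parameter cloud_balancer_port away from the port the LB
# probe is configured for: the probe fails, the LB stops sending new flows to
# this instance, and existing flows are left to finish on their own.
# Assumptions: `fw ctl set int` takes effect immediately and is not persisted
# (fwkern.conf is what survives a reboot); PROBE_WAIT is a placeholder that
# must match your LB probe interval x unhealthy threshold.
set -eu

PROBE_PORT=8117                      # port the Azure LB health probe targets (from the thread)
PARKED_PORT=8119                     # unused port used while draining (from the thread)
PROBE_WAIT="${PROBE_WAIT:-30}"       # seconds to let the LB notice the failed probe (placeholder)
FWKERN_CONF="${FWKERN_CONF:-/var/opt/fw.boot/modules/fwkern.conf}"   # path quoted in the thread

# Pull the integer out of either "cloud_balancer_port = 8117" (fw ctl get int
# output) or "cloud_balancer_port=8117" (a fwkern.conf line). Prints nothing
# if the line is not about this parameter.
parse_balancer_port() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*cloud_balancer_port[[:space:]]*=[[:space:]]*\([0-9]\{1,5\}\).*/\1/p'
}

# Live value on this gateway.
current_balancer_port() {
    parse_balancer_port "$(fw ctl get int cloud_balancer_port)"
}

# Value that comes back after a reboot; empty if the file has no such line.
persisted_balancer_port() {
    [ -r "$1" ] || return 0
    parse_balancer_port "$(grep '^[[:space:]]*cloud_balancer_port' "$1" | tail -n 1)"
}

# Port to set for the requested action.
target_port() {
    case "$1" in
        drain)   echo "$PARKED_PORT" ;;
        restore) echo "$PROBE_PORT" ;;
        *)       echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Change the live parameter, then read it back so a silently ignored
# `fw ctl set` does not leave us believing the instance is drained.
apply() {
    want="$(target_port "$1")"
    fw ctl set int cloud_balancer_port "$want"
    now="$(current_balancer_port)"
    if [ "$now" != "$want" ]; then
        echo "cloud_balancer_port is '$now', expected $want" >&2
        return 1
    fi
    echo "$now"
}

case "${1:-}" in
    drain)
        apply drain >/dev/null
        echo "probe port moved to $PARKED_PORT; waiting ${PROBE_WAIT}s for the LB to mark this instance down"
        sleep "$PROBE_WAIT"
        ;;
    restore)
        apply restore >/dev/null
        echo "probe port restored to $PROBE_PORT"
        p="$(persisted_balancer_port "$FWKERN_CONF")"
        if [ -n "$p" ] && [ "$p" != "$PROBE_PORT" ]; then
            echo "warning: $FWKERN_CONF persists cloud_balancer_port=$p, which is what a reboot will use" >&2
        fi
        ;;
    *)
        echo "usage: $0 drain|restore" >&2
        ;;
esac
```

Run `drain` on the member before installing the hotfix, do the maintenance, then run `restore` on it; the read-back in `apply` is the check that matters, because a parameter that was not actually changed means the LB is still probing a healthy port and will keep sending new flows to the instance you are about to take down.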
Michael_Thompso
Participant

I will test this in my lab. Thanks!
