This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AkosBakos
Advisor
Advisor
5 hours ago

GCP Cloudguard GW manual-failover

Hi Mates,

I have some questions about HA failover in cloud.

Is there anybody here who is expert in GCP?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
9 Replies
Nir_Shamir
Employee Employee
Employee
5 hours ago

Ask away 🙂 .

AkosBakos
Advisor
Advisor
4 hours ago
In response to Nir_Shamir

Thanks, Great!

So I have a basic setup:

Interlnet -> HA cloudguard custer -> client inside.

I initiate a traffic eg. SSH sesion to the internet. If I do a clusterXL_admin down on the active member, the SSH disconnects.

It seems the connection does not sync to the standby member.

Are there any issues around this?

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
Nir_Shamir
Employee Employee
Employee
3 hours ago
In response to AkosBakos

Cluster HA in Google Works like a regular Cluster but there are external Google things you need to check before and after the failover.

first, on the Internal VPC the default route should point to the ACTIVE member. I guess that works otherwise you wouldn't have any connection.

When you failover, our GW sends an API call to Google Cloud which tells it to change the default route to the new ACTIVE member. 

So first check if this happens. Also check if on the External VPC subnet the "Private Google API access" is enabled.

AkosBakos
Advisor
Advisor
2 hours ago
In response to Nir_Shamir

Yes, it is set.

----------------
\m/_(>_<)_\m/
0 Kudos
AkosBakos
Advisor
Advisor
2 hours ago
In response to Nir_Shamir

I attach a basic topologyvpc.png

----------------
\m/_(>_<)_\m/
0 Kudos
AkosBakos
Advisor
Advisor
2 hours ago
In response to Nir_Shamir

A small clarification:

"It seems the connection does not sync to the standby member."

In case of manual failver (clusterXL_adn down),  the packet flow is changed. The outgoing packet flow through the Active member, but the reply packets in this session flow through on the stanby member.

It cause assymentric route.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Nir_Shamir
Employee Employee
Employee
2 hours ago
In response to AkosBakos

when you failover , check the health check on the LB screen.

does it see the correct member as healthy (should be the ACTIVE member). 

also have you configured the right things in order to use an LB ?

you need to monitor port TCP 8117 and make sure you have this kernel parameter activated on the GWs:

fw ctl get int cloud_balancer

should return 8117

if not add it

fw ctl set -f int cloud_balancer 8117

 

 

0 Kudos
Rivka-Strilitz
Employee
Employee
3 hours ago
In response to AkosBakos

It sounds like you might be using the nic0 external IP for SSH. Could that be the case?
This is the  IP that gets switched between members during failover which is why the SSH connection gets lost.
Try connecting via SSH using NIC1 instead.

If that's not the case, then I think Nir's suggestion is a great place to start the investigation.

Preview file
20 KB
AkosBakos
Advisor
Advisor
2 hours ago
In response to Rivka-Strilitz

It sounds like you might be using the nic0 external IP for SSH. Could that be the case?

No, because I NAT to the external IP of the loadbalancer in VPC

Akos

----------------
\m/_(>_<)_\m/

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events