This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AkosBakos
Advisor
Advisor
3 hours ago

GCP Cloudguard GW manual-failover

Hi Mates,

I have some questions about HA failover in cloud.

Is there anybody here who is expert in GCP?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
7 Replies
Nir_Shamir
Employee Employee
Employee
2 hours ago

Ask away 🙂 .

AkosBakos
Advisor
Advisor
2 hours ago
In response to Nir_Shamir

Thanks, Great!

So I have a basic setup:

Interlnet -> HA cloudguard custer -> client inside.

I initiate a traffic eg. SSH sesion to the internet. If I do a clusterXL_admin down on the active member, the SSH disconnects.

It seems the connection does not sync to the standby member.

Are there any issues around this?

Akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
Nir_Shamir
Employee Employee
Employee
an hour ago
In response to AkosBakos

Cluster HA in Google Works like a regular Cluster but there are external Google things you need to check before and after the failover.

first, on the Internal VPC the default route should point to the ACTIVE member. I guess that works otherwise you wouldn't have any connection.

When you failover, our GW sends an API call to Google Cloud which tells it to change the default route to the new ACTIVE member. 

So first check if this happens. Also check if on the External VPC subnet the "Private Google API access" is enabled.

AkosBakos
Advisor
Advisor
21m ago
In response to Nir_Shamir

Yes, it is set.

----------------
\m/_(>_<)_\m/
0 Kudos
AkosBakos
Advisor
Advisor
3m ago
In response to Nir_Shamir

I attach a basic topologyvpc.png

----------------
\m/_(>_<)_\m/
0 Kudos
Rivka-Strilitz
Employee
Employee
39m ago
In response to AkosBakos

It sounds like you might be using the nic0 external IP for SSH. Could that be the case?
This is the  IP that gets switched between members during failover which is why the SSH connection gets lost.
Try connecting via SSH using NIC1 instead.

If that's not the case, then I think Nir's suggestion is a great place to start the investigation.

Preview file
20 KB
AkosBakos
Advisor
Advisor
19m ago
In response to Rivka-Strilitz

It sounds like you might be using the nic0 external IP for SSH. Could that be the case?

No, because I NAT to the external IP of the loadbalancer in VPC

Akos

----------------
\m/_(>_<)_\m/
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events