This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Diamond
MVP Diamond
‎2023-01-16 09:01 PM
Jump to solution

Cluster XL question

Hey guys,

I really want to run something by here, as I have my doubts about TAC claiming this is totally normal. So, customer and I added 2 new VLANS of eth1-01 interface and set them up as clustered with VIPand all, but they dont show up when running cphaprob -a if. The existing vlans of that interface (2 of them, vlan 20 and 500) show up, but new ones (vlans 762 and 764) do NOT, though they show up in virtual cluster interface section from cphaprob -a if, just NOT under required interfaces.

To me, this makes no sense, as I had never ever seen this before. Yes, traffic works, so it could be just cosmetic, but TAC guy said sometimes reboot is needed for this to show up properly (in my 15 years dealing with CP, I never had to reboot firewall when doing this for cluster, not once, so I dont believe for a second that reboot is required).

Any idea what we can do to make those 2 new clustered vlans show up in cphaprob -a if? Version is R81.10 jumbo 81.

Btw, failover works fine, no issues.

Cheers and thanks for the help as always!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2023-01-17 12:17 AM
In response to the_rock
Jump to solution

Newly added VLAN interfaces (in case you added a new highest or lowest VLAN) should be added to the ClusterXL kernel module. Those are initialized during reboot or cpstop/cpstart. 

View solution in original post

9 Replies
the_rock
MVP Diamond
MVP Diamond
‎2023-01-16 09:11 PM
Jump to solution

I dont know if this is indeed needed, but TAC sent us below and it appears cpstop and cpstart is needed to fix it. Not sure if someone could confirm this 100%, but if thats the case, customer wont bother, if its only cosmetic.

ClusterXL VLAN monitoring (checkpoint.com)

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
_Val_
Admin
Admin
‎2023-01-17 12:17 AM
In response to the_rock
Jump to solution

Newly added VLAN interfaces (in case you added a new highest or lowest VLAN) should be added to the ClusterXL kernel module. Those are initialized during reboot or cpstop/cpstart. 

the_rock
MVP Diamond
MVP Diamond
‎2023-01-17 05:51 AM
In response to _Val_
Jump to solution

I tested this in my R81.10 clusterxl lab and did not need reboot, any kernel parameter change, reboot at all. All I did was added vlans 999 and 1000, got interfaces without topology, pushed the policy and both vlans came up as clustered under cphaprob -a if.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
_Val_
Admin
Admin
‎2023-01-17 05:55 AM
In response to the_rock
Jump to solution

It is not about how they show in cphaprob. It is about which VLAN is monitored with CCP packets. By default, it is the lowest and highest VLANs, but if you add one with a higher/lower number, you need to reload cluster modules to change probing. 

You did refer to an SK about it yourself.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-01-17 06:01 AM
In response to _Val_
Jump to solution

Ok, I think I see what you are saying. So, in customer's scenario, there are 4 vlans, ...20.500, 762 and 764 and ONLY 20 and 764 show up, which makes sense, since those are lowest and highest. Question, so is only cpstop; cpstart needed or any kernel parameter change? Its not 100% clear from the sk.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-01-17 06:06 AM
In response to the_rock
Jump to solution

Only if you want one kernel parameter from sk92826 to be set differently from its default value !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-01-17 06:13 AM
In response to _Val_
Jump to solution

K, good now thanks! Tested with vlans 999, 1000 and 1500 and when added vlan 1500, vlan 1000 did NOT show up in cphaprob -a if, but after doing cpstop/cpstart, it did.

Thanks a lot @_Val_ abd @G_W_Albrecht , appreciate the clarification.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Petr_Hantak
Advisor
Advisor
‎2023-01-17 12:05 AM
Jump to solution

Hmm really strange. I do not remember for need of reboot or cpstart/cpstop for this during my whole experience with Check Point. Could you please share some output as well?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-01-17 05:08 AM
In response to Petr_Hantak
Jump to solution

I will test this today in my R81.10 clusterxl lab and see what happens. Will add say 2 new VLANS, 900 and 950 and see if those interfaces show up when I cluster them via cphaprob -a if.

If they dont, will do cpstop; cpstart without making any kernel parameters changes from sk TAC gave.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events