This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
chumicat
Explorer
‎2024-03-01 05:04 PM

Checkpoint Devices with same cores didn't have same default count of FW Instance in CoreXL

I'm sharing a question I encountered and solved recently, in case it's helpful to others.

Scenario

A firewall cluster consisting of two physical devices is planned to be expanded with a third device. While the new device has the same number of cores as the existing ones, it has a different default FW instance count, which could potentially lead to compatibility issues within the cluster.

Potential Issues

Reference: sk93737

  • Cluster members must have the same FW instance count
  • Firewalls within a cluster with differing default FW Instance counts must be explicitly configured to match a consistent FW instance count for proper operation.
  • Cluster members with non-default FW Instance count cannot leverage dynamic balancing functionalities
  • A cluster is at risk of failure if members have mismatched FW Instance counts, even if the non-conforming member is in a down state.
  • While a firewall upgrade is not expected to reset the firewall instance count to the default value, as confirmed by Check Point support, we encountered this issue in our lab environment. However, it is important to note that this situation was not observed in our customer deployments

Cause of Scenario (My case)

One potential factor that can influence the default firewall instance count in CoreXL is the User-Space Firewall (usfw). When usfw is enabled, it consumes one core and reduces the available cores for firewall instances. Consequently, the default firewall instance count might decrease by 1 compared to devices without usfw enabled.

Furthermore, different Check Point device models might have varying default configurations for usfw. This means that even if two devices have the same core count, their default firewall instance counts could differ if one has usfw enabled and the other doesn't.

To determine if your Check Point device has User-Space Firewall (usfw) enabled by default, you can refer to the Check Point Knowledge Base article sk167052. This article provides important information about usfw support and configurations for various Check Point devices.

Useful Commands

Check Current CoreXL FW Instance

cpview > view (Use Arrow Key Change Tab)

Check Default CoreXL FW Instance

cpconfig > Check Point CoreXL > Change the number of firewall instances > (Confirm Number in brackets []) > Ctrl-C to exit

Edit CoreXL FW Instance Count

cpconfig > Check Point CoreXL > Change the number of firewall instances >  > exit > exit

Check Dyanmic Balance

show dynamic-balancing state
dynamic_balancing -p

Edit Dyanmic Balance

set dynamic-balancing state enable
set dynamic-balancing state disable
set dynamic-balancing state start
set dynamic-balancing state stop
set dynamic-balancing state reset
dynamic_balancing -o enable
dynamic_balancing -o disable
dynamic_balancing -o start
dynamic_balancing -o stop
dynamic_balancing -r
0 Kudos
0 Replies

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events