Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kumar
Participant

What is Magic MAC?

Could you please explain me what is a magic MAC and how it was used in clustering and also explain clustering in detailed (MAC exchange)

7 Replies
Kaspars_Zibarts
Employee Employee
Employee

Try this https://community.checkpoint.com/message/12542-re-why-is-the-cluster-id-field-missing-in-r8010-ftw there is a reference to SK to read up about magic MAC

ED
Advisor

You can enjoy the reading of ClusterXL administration guide where everything is explained http://dl3.checkpoint.com/paid/63/6357d81e3b75b5a09a422d715c3b3d79/CP_R80.10_ClusterXL_AdminGuide.pd...

MartijnElzenaar
Employee
Employee

Mac Magic is a sort of identification mechanism of the clusterID's in CCP (a very generic answer). 

It is best to read sk25977 in order to get some understanding about it. All answers regarding your question are given there. It's a very good read to understand the underlying technology.

The whole ClusterXL mechanism is explained in the ATRG for ClusterXL which also covers Mac Magic a bit. 

Enjoy and I think this will really give you a very good overview of how things relate to each other. 

/Martijn

Timothy_Hall
Legend Legend
Legend

Although not directly related to gateway performance, I've run into issues with this so many times that it did merit a mention in the second edition of my book:

The Magic MAC/Global Cluster ID


There is one situation you might see in a misconfigured cluster that is worth mentioning here however, as it can be so perplexing. When running the cphaprob stat command on all cluster members, both cluster members report they are the only cluster member present (i.e. the cluster members cannot “see” each other at all) and both of them also report they are “active”! How the heck can such a “split-brain” situation occur when setting up a new ClusterXL cluster?


This problem is related to the so-called “Magic MAC address” (yes that was its original name!), but it is now referred to as the “Cluster Global ID”. On an R77.30 firewall, this value is set during the Gaia web interface First Time Configuration Wizard dialog in the Cluster Global ID field:

The command cphaconf cluster_id set (Cluster ID Value) can also be used to set this value. For an R77.30 firewall, the Cluster Global ID should be manually set to an identical value on all members of the same cluster, but be a unique value for different clusters. Failure to configure a matching Global Cluster ID value on the two R77.30 cluster members will cause the split-brain situation mentioned above. On R77.30 and earlier firewalls the Global Cluster ID value can be checked on each of the cluster members with the cphaconf cluster_id get command.

There is good news about this situation though for R80.10+ gateway: a matching Global Cluster ID is now automatically calculated for all cluster members through a process called “Automatic MAC Magic”. This new feature is also designed to prevent conflicts with other existing firewall clusters on the same network. The status of this new feature (including the automatically calculated Global Cluster ID value) can be verified on an R80.10+ gateway with the cphaprob mmagic command. It can also be checked from a new ClusterXL-based screen of the cpview tool on an R80.10 gateway under “Advanced...ClusterXL”. This new “Automatic MAC Magic” feature is also backwards compatible with R77.30 gateways that had their Global Cluster IDs configured manually in earlier versions.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
JozkoMrkvicka
Authority
Authority

Can we somehow bypass that "automatic MAC magic" for R80.10 ? To use "old style" global ID.

Anyway, I would like to know how this new feature on R80.10 works... I will install 4 new members at the same time in the same VLAN and I want to say that member A and D will be members of Cluster1 and members B and C members of Cluster2 ... how will this new feature know that I need such a configuration ? Based on first policy installation ?

Kind regards,
Jozko Mrkvicka
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

0 Kudos
Alsnator_C
Explorer

good explanation Tim as always!

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events