Re: Check HA MDS status by CLI

Matlu · ‎2025-03-22

Hello, Mates.

I have an HA MDS environment.

Can I query by CLI, entering any of the 2 members, what is the current status of the HA?

Knowing by CLI, ‘who’ is the Active/Passive?

In MDS the command ‘cpstat mg’ should be enough for this, as if it were a simple MGMT HA, or is there another way?

From the CLI, having detected who is the active member, can a ‘manual switch’ be done?

Thanks for the comments.

the_rock · ‎2025-03-22

mdsstat?

Andy

Best,
Andy

Matlu · ‎2025-03-22

Hello,

This command does not “show” anything related to the MDS HA, I only see local information of the machine where I am standing right now.

I would like to see information related to the MDS HA, to know if where I am “stopped” is the active or passive member of the HA.

Once I can recognize if I am in the active one, I would like to do a manual failover through the CLI to change the order of the MDS HA.

Cheers.

the_rock · ‎2025-03-22

See if below helps.

Andy

https://community.checkpoint.com/t5/API-CLI-Discussion/query-mds-to-determine-if-cma-is-active-or-st...

Best,
Andy

Chris_Atkinson · ‎2025-03-22

Some previous threads:

https://community.checkpoint.com/t5/API-CLI-Discussion/query-mds-to-determine-if-cma-is-active-or-st...

https://community.checkpoint.com/t5/Management/MDS-active-standby-status-on-CLI/td-p/97748

https://community.checkpoint.com/t5/Management/Forcing-Primary-Standby-Management-Server-to-become-A...

CCSM R77/R80/ELITE

Matlu · ‎2025-03-22

Hi,

In 1 of the Links I found reference to change the HA order but in a SMS HA environment (maybe I'm wrong)

The commands I see you recommend are:

Try:

# cpstop
# cpprod_util FwSetActiveManagement 1
# cpstart

These commands should be replicated to change the order but of a MDS HA by the CLI?

Greetings.

Obs:
The commands you recommend is applied on the active member of the MDS HA?

the_rock · ‎2025-03-22

Hey bro,

See below from AI copilot, it alligns with what @Chris_Atkinson gave.

Andy

**************************

To check the HA status of a Multi-Domain Server, you can use themdsstatcommand. This command shows the status of specific processes on the Multi-Domain Server and Domain Management Servers.

Here is the syntax for themdsstatcommand:

mdsstat [-h] [-m] [<Name or IP Address of Domain Management Server>]

Parameters:

-h: Displays help message.
-m: Test status for Multi-Domain Server only.
: Specifies the Domain Management Server by its name or IPv4 address.

Example:

To check the status of the Multi-Domain Server, you can run the following command:

mdsstat -m

This will display the status of the processes on the Multi-Domain Server.

Possible Statuses of Processes:

up: The process is up.
down: The process is down.
pnd: The process is pending.

If you need to check the HA status specifically, you can use thecpprod_utilcommand to find out the current status and set the Management station to Active or Standby status.

Check Current HA Status:

cpprod_util FwIsActiveManagement

0: Standby
1: Active

Set Management Station to Standby:

cpprod_util FwSetActiveManagement 0

Set Management Station to Active:

cpprod_util FwSetActiveManagement 1

Restart Management Station:

After changing the status, you should restart the Management station:

cpstop
cpstart

Note: On Multi-Domain Security Management Server, use the appropriate commands (mdsenv <Domain Name>and thenmdsstop_customer <Domain Name>).

Please make sure to follow the below mandatory guidelines, to minimize the potential impact of this plan as possible:

• The kernel debug is a heavy operation (even if it's "light") and might cause a machine to hang or even crash the machine.

• You must perform this operation only during a maintenance window due to the high impact this operation might have.

• Be sure to have a console connection available in case the machine hangs.

• Validate before and after the operation that the state of the machine is stable (no high CPU, etc).

BE AWARE

Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product.

Learn more:

Best,
Andy

Matlu · ‎2025-03-22

Thanks for the accurate data, Buddy.

I have a question, do you know if it is possible from the CLI to know which equipment is ‘hooked’ to a particular CMA?

It happens that I have only CLI access now to a MDS, in the MDS I have several CMA, and there are many equipments hooked to each of the CMA.

What we need to know now, is if it is ‘possible’ to see which equipment is tethered to a CMA but all by CLI.

Thanks.

the_rock · ‎2025-03-22

You mean which CMA manages which gateway? Maybe if in cma context, go to $FWDIR/state dir and see if there is fw dir there.

Andy

Best,
Andy

Amir_Senn · ‎2025-03-23

Hi @Matlu ,

Have you tried MGMT API?

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-ha-status~v2%20

Output examples:

[Expert@MDS-Primary:0]# mgmt_cli show ha-status -d 10.32.9.4
Username: ^C
[Expert@MDS-Primary:0]# mgmt_cli show ha-status -d 10.32.9.4 -r true
uid: "69114fb1-6423-4e99-92c3-31fbade78cbe"
name: "Dedicated_Servers"
domain-type: "domain"
servers:
- sync-state: "Ok"
last-successful-sync:
iso-8601: "2025-03-23T15:38+0200"
posix: 1742737091214
ha-state: "standby"
ip-address: "10.32.10.4"
name: "Dedicated_Servers_CMA"
successfully-synced: true

[Expert@MDS-Primary:0]# mgmt_cli show ha-status -d Global -r true
uid: "1e294ce0-367a-11e3-aa6e-0800200c9a66"
name: "Global"
domain-type: "global domain"
servers:
- sync-state: "Ok"
last-successful-sync:
iso-8601: "2025-03-23T15:36+0200"
posix: 1742736961243
ha-state: "standby"
ip-address: "192.168.32.10"
multi-domain-server: "Secondary-32.10"
- sync-state: "Ok"
last-successful-sync:
iso-8601: "2025-03-23T15:36+0200"
posix: 1742736961242
ha-state: "standby"
ip-address: "192.168.13.206"
multi-domain-server: "MLM-ST5150"
- sync-state: "Ok"
last-successful-sync:
iso-8601: "2025-03-23T15:36+0200"
posix: 1742736961243
ha-state: "standby"
ip-address: "192.168.32.11"
multi-domain-server: "MLM-1-VM"
successfully-synced: true

Kind regards, Amir Senn

Tal_Paz-Fridman · ‎2025-03-24

Adding to what Amir wrote this is a new API option that was added in R81.20 JHF take 26 and obviously in R82

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20-List-of-all-Resolved-Issues.htm

Matlu · ‎2025-05-28

Hello, @Amir_Senn

When the active member of your HA MDS “goes down” unexpectedly; in which device file are these events saved?
Can these events be read from the device CLI once the device is up again?

Thanks 🙂

Amir_Senn · ‎2025-05-29

Sorry, I didn't fully understand the question.

MDS goes down - server is inaccessible? Management processes are down? Server itself is down?

With MGMT API you need management processes to be up and running. If the issue is elsewhere, you can look in dmesg, coredumps, relevant processes or other.

Kind regards, Amir Senn

Matlu · ‎2025-05-29

Hello,
Sorry for the poorly phrased question
Our MDS box went down completely, there was no access anywhere (SmartConsole, SSH, HTTPS).
It was like this for about 30min
Then the box came back up again without any intervention.
These events is it possible for us to check it ourselves without TAC intervention?
At least to get an 'idea'.
What is the way to check it in the dmsg file?
Or is it better to check data in 'messages'?
Thanks

Amir_Senn · ‎2025-05-29

Check for coredumps here: /var/log/dump/usermode/

Check here: /var/log/dmesg

You can also run HCP

All good places to start

Kind regards, Amir Senn

Duane_Toler · ‎2025-05-29

Was this MDS in Azure, by chance?

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

Are you a member of CheckMates?

Check HA MDS status by CLI

Parameters:

Example:

Possible Statuses of Processes:

Check Current HA Status:

Set Management Station to Standby:

Set Management Station to Active:

Restart Management Station: