This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
Saturday

Check HA MDS status by CLI

Hello, Mates.

I have an HA MDS environment.

Can I query by CLI, entering any of the 2 members, what is the current status of the HA?

Knowing by CLI, ‘who’ is the Active/Passive?

In MDS the command ‘cpstat mg’ should be enough for this, as if it were a simple MGMT HA, or is there another way?

From the CLI, having detected who is the active member, can a ‘manual switch’ be done?

Thanks for the comments.

0 Kudos
10 Replies
the_rock
Legend
Legend
Saturday

mdsstat?

Andy

0 Kudos
Matlu
Advisor
Saturday
In response to the_rock

Hello,

This command does not “show” anything related to the MDS HA, I only see local information of the machine where I am standing right now.

I would like to see information related to the MDS HA, to know if where I am “stopped” is the active or passive member of the HA.

Once I can recognize if I am in the active one, I would like to do a manual failover through the CLI to change the order of the MDS HA.

Cheers.

0 Kudos
Matlu
Advisor
Saturday
In response to Chris_Atkinson

Hi,

In 1 of the Links I found reference to change the HA order but in a SMS HA environment (maybe I'm wrong)

The commands I see you recommend are:

Try:

# cpstop
# cpprod_util FwSetActiveManagement 1
# cpstart

These commands should be replicated to change the order but of a MDS HA by the CLI?

Greetings.

Obs:
The commands you recommend is applied on the active member of the MDS HA?

0 Kudos
the_rock
Legend
Legend
Saturday
In response to Matlu

Hey bro,

See below from AI copilot, it alligns with what @Chris_Atkinson gave.

Andy

**************************

To check the HA status of a Multi-Domain Server, you can use themdsstatcommand. This command shows the status of specific processes on the Multi-Domain Server and Domain Management Servers.

Here is the syntax for themdsstatcommand:

mdsstat [-h] [-m] [<Name or IP Address of Domain Management Server>]

Parameters:

  • -h: Displays help message.
  • -m: Test status for Multi-Domain Server only.
  • : Specifies the Domain Management Server by its name or IPv4 address.

Example:

To check the status of the Multi-Domain Server, you can run the following command:

mdsstat -m

This will display the status of the processes on the Multi-Domain Server.

Possible Statuses of Processes:

  • up: The process is up.
  • down: The process is down.
  • pnd: The process is pending.

If you need to check the HA status specifically, you can use thecpprod_utilcommand to find out the current status and set the Management station to Active or Standby status.

Check Current HA Status:

cpprod_util FwIsActiveManagement
  • 0: Standby
  • 1: Active

Set Management Station to Standby:

cpprod_util FwSetActiveManagement 0

Set Management Station to Active:

cpprod_util FwSetActiveManagement 1

Restart Management Station:

After changing the status, you should restart the Management station:

cpstop
cpstart

Note: On Multi-Domain Security Management Server, use the appropriate commands (mdsenv <Domain Name>and thenmdsstop_customer <Domain Name>).

Please make sure to follow the below mandatory guidelines, to minimize the potential impact of this plan as possible:

• The kernel debug is a heavy operation (even if it's "light") and might cause a machine to hang or even crash the machine.

• You must perform this operation only during a maintenance window due to the high impact this operation might have.

• Be sure to have a console connection available in case the machine hangs.

• Validate before and after the operation that the state of the machine is stable (no high CPU, etc).

BE AWARE
Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product.
Learn more:
  1. R81 Command Line Interface (CLI) Reference Guide - mdsstat
  2. R80.40 Command Line Interface (CLI) Reference Guide - mdsstat
  3. sk34495 - How to change the HA status of the Management station from command line
  4. R81.20 Command Line Interface (CLI) Reference Guide - mdsstat
  5. R82 Command Line Interface (CLI) Reference Guide - mdsstat
  6. R81 Installation and Upgrade Guide - Upgrading-MDSs-in-Mgmt-HA-from-R80_20-and-higher-with-Migration
  7. R81 Installation and Upgrade Guide - Upgrading-MDSs-in-Mgmt-HA-from-R80_20-and-higher-with-Advanced-...
  8. sk154436 - Multi-Domain Management Deployment on Azure
0 Kudos
Matlu
Advisor
Saturday
In response to the_rock

Thanks for the accurate data, Buddy.

I have a question, do you know if it is possible from the CLI to know which equipment is ‘hooked’ to a particular CMA?

 

It happens that I have only CLI access now to a MDS, in the MDS I have several CMA, and there are many equipments hooked to each of the CMA.

 

What we need to know now, is if it is ‘possible’ to see which equipment is tethered to a CMA but all by CLI.

Thanks.

0 Kudos
the_rock
Legend
Legend
Saturday
In response to Matlu

You mean which CMA manages which gateway? Maybe if in cma context, go to $FWDIR/state dir and see if there is fw dir there.

Andy

0 Kudos
Amir_Senn
Employee
Employee
yesterday
In response to Matlu

Hi @Matlu ,

Have you tried MGMT API?

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-ha-status~v2%20

Output examples:

[Expert@MDS-Primary:0]# mgmt_cli show ha-status -d 10.32.9.4
Username: ^C
[Expert@MDS-Primary:0]# mgmt_cli show ha-status -d 10.32.9.4 -r true
uid: "69114fb1-6423-4e99-92c3-31fbade78cbe"
name: "Dedicated_Servers"
domain-type: "domain"
servers:
- sync-state: "Ok"
last-successful-sync:
iso-8601: "2025-03-23T15:38+0200"
posix: 1742737091214
ha-state: "standby"
ip-address: "10.32.10.4"
name: "Dedicated_Servers_CMA"
successfully-synced: true

[Expert@MDS-Primary:0]# mgmt_cli show ha-status -d Global -r true
uid: "1e294ce0-367a-11e3-aa6e-0800200c9a66"
name: "Global"
domain-type: "global domain"
servers:
- sync-state: "Ok"
last-successful-sync:
iso-8601: "2025-03-23T15:36+0200"
posix: 1742736961243
ha-state: "standby"
ip-address: "192.168.32.10"
multi-domain-server: "Secondary-32.10"
- sync-state: "Ok"
last-successful-sync:
iso-8601: "2025-03-23T15:36+0200"
posix: 1742736961242
ha-state: "standby"
ip-address: "192.168.13.206"
multi-domain-server: "MLM-ST5150"
- sync-state: "Ok"
last-successful-sync:
iso-8601: "2025-03-23T15:36+0200"
posix: 1742736961243
ha-state: "standby"
ip-address: "192.168.32.11"
multi-domain-server: "MLM-1-VM"
successfully-synced: true

Kind regards, Amir Senn
0 Kudos
Tal_Paz-Fridman
Employee
Employee
16 hours ago
In response to Amir_Senn

Adding to what Amir wrote this is a new API option that was added in R81.20 JHF take 26 and obviously in R82

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20-List-of-all-Resolved-Issues.htm

 

ha-stauts.png

 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top