This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Don_Paterson
MVP Gold
MVP Gold
‎2023-12-08 03:24 PM
Jump to solution

ClusterXL and port 263

I noticed that an R81.20 HA ClusterXL (main train) didn't use port 256 to sync after a member reboot. It was not used at all.

Instead port 263 was used as the only port along with port 8116.

Is that the full sync port?

 

https://support.checkpoint.com/results/sk/sk52421

 

Clustering
TCP263not predefinedFull Synchronization between Security Group Members in a Scalable Platform (by CXLD daemons over the internal network 192.0.2.0/24)

 

 

ProtocolPort numberService Name and CommentUsage
Firewall
TCP256 FW1 - Check Point Security Gateway Service

Connections to Security Gateway Service (to FWD daemon):

  • Fetching topology information by Security Gateway (by FWD daemon) from Security Management Server or Domain Management Server (CMA)
  • Full Synchronization between ClusterXL members (by FWD daemons)
  • IPS packet capture
Used by the following commands:
  • fw isp_link <server_ip>
  • fw getver <server_ip>
  • fw logswitch -h <server_ip>
  • fw lslogs <server_ip>
  • fw fetchlogs <server_ip>
Clustering
TCP256FW1 - Check Point Security Gateway ServiceFull Synchronization between ClusterXL members (by FWD daemons)

 

0 Kudos
1 Solution

Accepted Solutions
Sergei_Shir
Employee
Employee
‎2023-12-12 11:29 AM
Jump to solution

Hi

This is the short answer (the complete answer will be added to the relevant ClusterXL Admin Guides and relevant SK articles)

(1)

In R81 and higher versions (due to merge of the Scalable Platform code):

To perform a Full Sync with a peer cluster member, the CXLD daemon on a cluster member connects to the TCP port 263 on the peer cluster member

If this connection fails, then the cluster member falls back to the previous mechanism - the FWD daemon connects to the TCP port 256 on the peer cluster member

(2)

In R80.40 and lower versions:

To perform a Full Sync with a peer cluster member, the FWD daemon on a cluster member connects to the TCP port 256 on the peer cluster member

View solution in original post

(1)
22 Replies
the_rock
MVP Gold
MVP Gold
‎2023-12-08 06:15 PM
Jump to solution

My R81.20 cluster member

[Expert@CP-FW-02:0]# netstat -anp | grep 256
tcp 0 0 0.0.0.0:256 0.0.0.0:* LISTEN 8232/fwd
tcp 0 0 0.0.0.0:42569 0.0.0.0:* LISTEN 8232/fwd
[Expert@CP-FW-02:0]# netstat -anp | grep 263
tcp 0 0 0.0.0.0:263 0.0.0.0:* LISTEN 8189/cxld
unix 3 [ ] STREAM CONNECTED 26362 7986/sxl_statd
unix 3 [ ] STREAM CONNECTED 26364 7986/sxl_statd
unix 3 [ ] STREAM CONNECTED 26360 7986/sxl_statd
unix 3 [ ] STREAM CONNECTED 26363 7986/sxl_statd
unix 3 [ ] STREAM CONNECTED 26361 7986/sxl_statd
[Expert@CP-FW-02:0]#

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2023-12-08 11:00 PM
In response to the_rock
Jump to solution

What if you do a tcpdump for host FW-01 (other member) -w and then reboot the other member. 

When it is back up then cpmonitor the capture file. 

?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-12-09 04:50 AM
In response to Don_Paterson
Jump to solution

As a matter of fact, did that last night and it was exact same outcome.

Best regards,

Andy

Don_Paterson
MVP Gold
MVP Gold
‎2023-12-09 09:46 AM
In response to the_rock
Jump to solution

Can you say ElasticXL   😉

 

Just a couple of reference to make this post more interesting:

https://support.checkpoint.com/results/sk/sk180742

 

https://support.checkpoint.com/results/sk/sk97638 

Security Gateway Software Blades and Features

 

DaemonSectionInformation

cxld

DescriptionRuns the cluster Full Sync (R81 and higher).
Path$FWDIR/bin/cxld
Log file$FWDIR/log/cxld.elg
To Stopcpstop
To Startcpstart
DebugRuns with debug by default

 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-12-09 10:49 AM
In response to Don_Paterson
Jump to solution

I cant say elasticXL, as I have no clue in the world what that even is lol

Andy

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2023-12-09 11:03 AM
In response to the_rock
Jump to solution

https://community.checkpoint.com/t5/General-Topics/R82-ElasticXL/m-p/194697

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-12-09 11:05 AM
In response to Don_Paterson
Jump to solution

Just looked it up before you gave the link...well, its definitely not applicable, since R82 is not even EA yet.

Andy

Don_Paterson
MVP Gold
MVP Gold
‎2023-12-09 11:32 AM
In response to the_rock
Jump to solution

The port is used by the SP (Scalable Platform), as per sk52421.
Since TCP 256 was originally used and it seems there has been a change to 263 it may be that they are preparing for ElasticXL, or simply unifying sync mechanisms across platforms.

0 Kudos
_Val_
Admin
Admin
‎2023-12-10 11:43 PM
In response to the_rock
Jump to solution

R82 is on EA for over 3 weeks: https://community.checkpoint.com/t5/Product-Announcements/R82-EA-Program-Production/ba-p/198695

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2023-12-09 04:08 AM
Jump to solution

I did some debugs and I cannot see port 256 being part of the full sync.

I see a some evidence that 263 is the port used when the member wants to do a full sync.

 

[12516 3934414848]@FW-02[9 Dec 10:41:14] fwasync_get_maxbuf: maxbuf=4194304
fwsync: starting full sync with cluster member 10.10.10.2 (ctrl-c anytime to abort)

[12516 3934414848]@FW-02[9 Dec 10:41:14] fwsyncn_connect: server 10.10.10.2 alive 1

fwsyncn_connect: trying to connect to 10.10.10.2 with CXLD_PORT
[12516 3934414848]@FW-02[9 Dec 10:41:14] fwclient_do_connect_e: server 10.10.10.2 port 263 sicname CN=FW-01,O=xyz.abc.aic5ip cmd 57

[12516 3934414848]@FW-02[9 Dec 10:41:14] fwasync_conn_params_ex: fd: <24>, my addr: <10.10.10.3,61458>, peer addr: <10.10.10.2,263>

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2023-12-09 10:27 AM
Jump to solution

From sk180742, this is a simple way to see full sync port 263 is used.

tailf $FWDIR/log/cxld.elg | grep 263

[cxld 9315 3934513920]@FW-01[9 Dec 18:51:35] fwasync_conn_params_ex: fd: <36>, my addr: <10.10.10.2,263>, peer addr: <10.10.10.3,35059>
[cxld 9315 3934513920]@FW-01[9 Dec 18:51:35] PM_session_init: given session I(CN=FW-01,O=SMS.abc.com.aizyx;CN=FW-02,O=SMS.abc.com.aizyx;263;syncn).
[cxld 9315 3934513920]@FW-01[9 Dec 18:51:35] PM_policy_query: input session I(CN=FW-01,O=SMS.abc.com.aizyx;CN=FW-02,O=SMS.abc.com.aizyx;263;syncn).

 

with grep -i instance it covers more detail on "full sync".

 

Note:
I used sk37030 debug steps as part of stopping and starting sync (forcing full sync) and included the tailf cxld.elg into that procedure to capture the output above.

fw ctl setsync off

fw -d fullsync 10.10.10.2 2

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-12-09 10:49 AM
In response to Don_Paterson
Jump to solution

Yup, just did that tail command, nada, nothing

Andy

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2023-12-09 11:10 AM
In response to the_rock
Jump to solution

Try this in a separate session:

fw ctl setsync off

fw -d fullsync 10.10.10.2 2

 

I added note and sk reference to my post to cover that.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-12-09 11:20 AM
In response to Don_Paterson
Jump to solution

Already done, no change. Only still see connection on port 256.

0 Kudos
_Val_
Admin
Admin
‎2023-12-10 11:48 PM
Jump to solution

Checking with the internal teams if the documentation needs to be updated. Will keep you posted.

Don_Paterson
MVP Gold
MVP Gold
‎2023-12-10 11:51 PM
In response to _Val_
Jump to solution

Thanks Val.
I checked on an R80.40 cluster and there was no use of port 263, like in R81 and above. Only 256 was used.

Also, $FWDIR/log/cxld.elg did not exist on the R80.40 cluster member that I tested on.

_Val_
Admin
Admin
‎2023-12-11 04:34 AM
In response to Don_Paterson
Jump to solution

We know. We expect documentation to be updated soon.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-12-11 04:37 AM
In response to Don_Paterson
Jump to solution

Right I believe cxld was added in R81 to get the full sync process out of the kernel and into process space (or perhaps take that responsibility away from fwd), similarly to the Firewall Worker Instances being pulled out of the kernel with User Space Firewall (USFW) in fwk processes.  Starting in R81.20 on the Quantum Lightspeed appliances only, even SecureXL is mostly located outside the kernel (called UPPAK).  Eventually UPPAK will be the default mode for SecureXL on all appliances, very curious to see what kind of performance hit the fastpath will take as a result.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Martin_Raska
Advisor
Advisor
‎2023-12-11 05:58 AM
In response to Don_Paterson
Jump to solution

I have the same, R81.20

fwasync_conn_params_ex: fd: <34>, my addr: <192.168.254.1,263>, peer addr: <192.168.254.2,56792>
[cxld 30169 3933345856]@chkp-demo-gw-1[2 Dec 15:40:09] fwsyncn_init: starting new sync client on port 263

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-12-11 06:10 AM
In response to Martin_Raska
Jump to solution

I am on R81.20 jumbo 41 in the lab, I dont have that problem.

Andy

0 Kudos
Martin_Raska
Advisor
Advisor
‎2023-12-11 06:28 AM
In response to Martin_Raska
Jump to solution

I have 

HOTFIX_R81_20_JUMBO_HF_MAIN Take: 14

0 Kudos
Sergei_Shir
Employee
Employee
‎2023-12-12 11:29 AM
Jump to solution

Hi

This is the short answer (the complete answer will be added to the relevant ClusterXL Admin Guides and relevant SK articles)

(1)

In R81 and higher versions (due to merge of the Scalable Platform code):

To perform a Full Sync with a peer cluster member, the CXLD daemon on a cluster member connects to the TCP port 263 on the peer cluster member

If this connection fails, then the cluster member falls back to the previous mechanism - the FWD daemon connects to the TCP port 256 on the peer cluster member

(2)

In R80.40 and lower versions:

To perform a Full Sync with a peer cluster member, the FWD daemon on a cluster member connects to the TCP port 256 on the peer cluster member

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events