This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Yasushi_Kono1
Collaborator
Collaborator
‎2025-05-07 01:12 AM
Jump to solution

ElasticXL on 9100 and 9700 Appliances

Hi fellow Check Point Experts,

 

I have got a customer who is planning to implement R82 Check Point ElasticXL.

They are having deployed the aforementioned appliances and wanted to interconnect two sites. The dedicated Sync port is not applicable for them since it is copper, and they want to configure SFP instead.

 

Is there a file like /etc/sp_core/conf/vm_mapping.csv for VMware to re-designate an interface for Sync? Can you specify a Bond interface (e.g. Bond1) to re-design it as Sync?

 

Thanks a lot for your assistance!

 

Kind regards,

Yasushi

0 Kudos
2 Solutions

Accepted Solutions
Bob_Zimmerman
Authority
Authority
‎2025-05-07 08:46 AM
Jump to solution

When you set up ElasticXL, the interface named Sync is renamed to eth1-Sync, a new bond named Sync is created, and the interface named eth1-Sync is added to this bond. All you need to do is add the fiber interface(s) to the bond and remove the copper interface from the bond. It's bonding group 1024:

[Expert@DallasticXL-s01-01:0]# gclish -c "show configuration" | grep 1024   
add bonding group 1024 
set bonding group 1024 mode active-backup 
set bonding group 1024 primary eth1-Sync 
set bonding group 1024 xmit-hash-policy layer2 
add bonding group 1024 interface eth1-Sync 
add bonding group 1024 
set bonding group 1024 mode active-backup 
set bonding group 1024 primary eth1-Sync 
set bonding group 1024 xmit-hash-policy layer2 
add bonding group 1024 interface eth1-Sync

View solution in original post

(1)
Bob_Zimmerman
Authority
Authority
‎2025-05-12 06:16 AM
In response to Yasushi_Kono1
Jump to solution

Neither the 9100 nor the 9700 has interfaces named eth11 or eth12. The onboard SFP+ slots on the 9700 seem to be eth1 through eth4, so the commands in gclish would be:

add bonding group 1024 interface eth1
set bonding group 1024 primary eth1
add bonding group 1024 interface eth3
delete bonding group 1024 interface eth1-Sync
save config

Edit: I forgot to set the primary interface before trying to remove eth1-Sync.

View solution in original post

0 Kudos
(1)
8 Replies
PhoneBoy
Admin
Admin
‎2025-05-07 07:00 AM
Jump to solution

Paging @ShaiF 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2025-05-07 08:46 AM
Jump to solution

When you set up ElasticXL, the interface named Sync is renamed to eth1-Sync, a new bond named Sync is created, and the interface named eth1-Sync is added to this bond. All you need to do is add the fiber interface(s) to the bond and remove the copper interface from the bond. It's bonding group 1024:

[Expert@DallasticXL-s01-01:0]# gclish -c "show configuration" | grep 1024   
add bonding group 1024 
set bonding group 1024 mode active-backup 
set bonding group 1024 primary eth1-Sync 
set bonding group 1024 xmit-hash-policy layer2 
add bonding group 1024 interface eth1-Sync 
add bonding group 1024 
set bonding group 1024 mode active-backup 
set bonding group 1024 primary eth1-Sync 
set bonding group 1024 xmit-hash-policy layer2 
add bonding group 1024 interface eth1-Sync
(1)
APopisteru
Ambassador
Ambassador
‎2025-05-07 01:25 PM
In response to Bob_Zimmerman
Jump to solution

This might become interesting if, after changing the SMO as describe above, one will try to add a new SGM without tinkering with the factory configuration, because exl_detectiond.py is looking for the interface named Sync to start in client mode, with the communication process bound to the sync-ip (the (in)famous line if __machine_info.sync_ifn != 'Sync' and not __machine_info.is_vmware and not __machine_info.is_kvm:), so one might need to change the interface naming in /etc/udev/rules.d/00-ME*.rules on the SGM to be joined to EXL.

 

Personally I will build the EXL cluster in a staging area using the default factory configuration and copper Sync interfaces and allocate SFP slot(s) as described above after having the provisional configuration fully functional.

0 Kudos
Yasushi_Kono1
Collaborator
Collaborator
‎2025-05-12 04:51 AM
In response to Bob_Zimmerman
Jump to solution

Hi Bob,
thanks a lot for your reply! Great job!!

0 Kudos
Yasushi_Kono1
Collaborator
Collaborator
‎2025-05-12 05:02 AM
In response to Bob_Zimmerman
Jump to solution

One question arose: Is it on purpose to use the same sequence of commands twice? I understand that the bonding group has an ID of 1024 and its name is eth1-Sync. However, the sequenced does not reflect the process of adding other interfaces into that bonding group, is it?

 

Thanks again for your reply!

0 Kudos
Yasushi_Kono1
Collaborator
Collaborator
‎2025-05-12 05:14 AM
In response to Yasushi_Kono1
Jump to solution

Could you use the following syntax for adding additional interfaces into the existing bonding group?

add bonding group 1024

set bonding group 1024 mode active-backup

set bonding group 1024 interface eth11

set bonding group 1024 interface eth12

But, if the name of the Bond Interface is expected to be Sync, can you specify that name for the bond interface?

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2025-05-12 06:16 AM
In response to Yasushi_Kono1
Jump to solution

Neither the 9100 nor the 9700 has interfaces named eth11 or eth12. The onboard SFP+ slots on the 9700 seem to be eth1 through eth4, so the commands in gclish would be:

add bonding group 1024 interface eth1
set bonding group 1024 primary eth1
add bonding group 1024 interface eth3
delete bonding group 1024 interface eth1-Sync
save config

Edit: I forgot to set the primary interface before trying to remove eth1-Sync.

0 Kudos
(1)
Bob_Zimmerman
Authority
Authority
‎2025-05-12 06:04 AM
In response to Yasushi_Kono1
Jump to solution

gclish runs commands on all members of a cloning group. That's one of the technologies underpinning maestro and ElasticXL. My cluster has two members, so you see the output twice.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events