This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-03-01 05:25 AM

Oneliner to compare routes between two cluster members

Running into "get interfaces with topology" feature problem recently due to route mismatch on cluster members prompted me to write a quick one-liner to compare routes with least possible effort.

It must be noted for example simplicity I used SNMP V1 with public community (which is not advisable in production) so update command snmp part in red accordingly. Also it does require that SNMP port is open on Sync interface (IPs from cphaprob stat output)

For example below I added a dummy 1.1.1.1/32 route to FW1

[Expert@fw1:0]# i=0; cphaprob stat | egrep ^[1,2] | sed 's/(local)//' | awk '{print $2}'| while read line; do let i++; snmpwalk -c public -v 1 $line IP-FORWARD-MIB::inetCidrRouteIfIndex.ipv4 | awk -F\" '{print $2, $4, substr($3,2,2)}' > fw.$i; done; if [ `diff -q fw.1 fw.2 | wc -l` -gt 0 ]; then diff fw.1 fw.2; else echo "Routes OK"; fi
2d1
< 1.1.1.1 10.3.81.67 32

NormaL output would be

[Expert@fwfran1:0]# i=0; cphaprob stat | egrep ^[1,2] | sed 's/(local)//' | awk '{print $2}'| while read line; do let i++; snmpwalk -c public -v 1 $line IP-FORWARD-MIB::inetCidrRouteIfIndex.ipv4 | awk -F\" '{print $2, $4, substr($3,2,2)}' > fw.$i; done; if [ `diff -q fw.1 fw.2 | wc -l` -gt 0 ]; then diff fw.1 fw.2; else echo "Routes OK"; fi
Routes OK

7 Replies
KennyManrique
Advisor
‎2018-03-01 06:20 AM

Great solution Kaspar!

It's a useful tip when Cloning Groups are not in use. For cluster enviroments the best is configure a Cloning Group that follows ClusterXL to sync all routing related parameters.

Regards.

Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-03-01 06:41 AM
In response to KennyManrique

absolutely (about cloning groups) but there are some reasons that I'm not able to discuss here why we are not doing it Smiley Happy

Danny
MVP Platinum
MVP Platinum
‎2023-03-27 12:39 AM

Because of egrep ^[1,2] this only works for clusters consisting of two members only.
Because of snmpwalk -c public -v 1 this only works with insecurely configured SNMP.
Because SNMPv3 is standard I recommend to update this one-liner to work with stattest.

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-03-27 01:09 AM
In response to Danny

@Danny that's why I wrote: It must be noted for example simplicity I used SNMP V1 with public community (which is not advisable in production)  🙂 

It was more of an idea that can be replicated in specific environment accordingly. Not everything has be served on silver plate 🙂 it's good to engage our little grey cells as the famous Poirot said 🙂

0 Kudos
Vincent_Bacher
Leader Leader
Leader
‎2023-07-07 01:10 AM

could be extended for VSX devices using a loop 🙂

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-07-24 12:16 AM
In response to Vincent_Bacher

Since VSX routes are pushed from Mgmt, they "should" the same on all cluster members, else topology push would fail.

0 Kudos
_Val_
Admin
Admin
‎2023-07-24 12:19 AM

Why not make it a part of a ToolBox collection?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events