This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lol2
Explorer
‎2023-07-26 07:23 PM

Sync Redundancy

hi,

I have two Gaia fw in one Cluster (HA model),one cable between the two firewalls for synchronization。

Now I need to redundant the sync network,so i added one more cable to make a bond interface,When doing bond, I need to delete the IP address of the  interface that i was using to  sync.i think that will occurs cluster failover .

so my question is the configuring a bond Interface will cause problems ?cluster failover or access .....

After deleting the IP address, it seems that the policy installation button turns gray and cannot be used

Labels
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-07-27 05:21 AM

Any changes to interfaces in a ClusterXL cluster should be made in a maintenance window since it can affect production traffic.
I believe you should make the underlying changes in the OS before attempting changes in SmartConsole.
Also, there’s a note here about adding the slave interfaces for the bond in the same order on both members: https://support.checkpoint.com/results/sk/sk92804

Timothy_Hall
Champion Champion
Champion
‎2023-07-27 05:58 AM

If you are adding/removing interfaces in ClusterXL, the way to avoid a spurious failover due to interface "failure" is to cphastop the standby, complete all your changes on both cluster members and the SmartConsole, install policy to both members, then cphastart the standby.  See this rather old SK for the detailed failover-free procedure:

sk57100: Adding or removing an interface in ClusterXL High Availability topology might cause fail-ov...

Since you will be modifying the sync interface, as an additional precaution you may want to uncheck "drop of out state TCP" in the Global Properties ahead of time and reinstall policy, on the off-chance an unexpected failover occurs when state sync is not working.  Having this box unchecked will blunt the unwanted effects of a non-stateful failover; just don't forget to recheck it when the work is complete and tested!

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Bob_Zimmerman
Authority
Authority
‎2023-07-27 08:00 AM

  1. Create the bond at the OS level with only the second interface in it. Use a different network from your current sync network.
  2. Change the cluster object's configuration on the management server to use the bond for sync. Remove the old sync interface from the cluster object's topology table.
  3. Push policy.
  4. Remove the IP from your old sync interface at the OS level.
  5. Add the old sync interface to the bond.

This process should not cause a failover, as you have working sync at all times. Still, assume there will be an outage at some point.

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events