This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tytdoge
Participant
3 weeks ago
Jump to solution

Configuring ClusterXL on Threat Emulation Appliance(TE250XN)

Hi,

I was trying to setup a HA architecture and wish to use the cluster VIP to be the API endpoint for 2 TE250XN Appliance to receive malicious files.

However, after i have setup cluster on the Security Management Server and also enabled the cluster membership on both TE Appliance, here's what i got when checking the HA status

 

[Expert@hostname:0]# cphaprob stat

HA module not started.

and here is the debug output from cphaconf.elg
---Starting debug---

[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] cphaconf called with these arguments: cphaconf stop
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] DEBUG: fwd_reload_database_file: Start
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] in fwd_reload_database(do_database=1, dir=database, fn=objects.C
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] fwa_db_init: calling fwme_init_module
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] fwa_db_init: called
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] do_links_getver: strncmp failed. Returning -2
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] fwobj_destroy_reference_hash: reference_resolving_hash_users<0
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] reference_resolving_hash created
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] fwd_load_nat_fix_registry_params: failed get NAT_NEGATE_FIX key from registry, set default
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] fwd_load_nat_fix_registry_params: failed get NAT_MAIN_IP_FIX key from registry, set default
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] CachedObject::SetObject: small size, modifying (0 --> 10)
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] CachedObject::CreateHash: Created internal hashtable, size: 10
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] fwha_mcset_terminate: failed to open the /opt/CPsuite-R81/fw1/tmp/fwhamcd.pid file
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] stop_ha: fwha_mcset_terminate failed
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] cpuser_socket_connect: Connecting to server /vs0/dev/fw0 for /dev/fw0
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] cpuser_socket_connect: connected socket 12
[cphaconf 18627 4123109184]@HKTLSGTE02[11 Aug 15:30:32] stop_ha: HA stopped successfully
[cphaconf 11860 4122294080]@HKTLSGTE02[11 Aug 16:02:43]

 

 

Do anyone have same experience on it? or there are just impossible to start HA cluster for TE250XN (R81)?

0 Kudos
2 Solutions

Accepted Solutions
emmap
Employee
Employee
3 weeks ago
Jump to solution

The TE appliances aren't designed to work in a cluster, they should be deployed as independent devices and have the load balancing / high availability be achieved by the devices sending the files.

View solution in original post

(1)
emmap
Employee
Employee
3 weeks ago
In response to tytdoge
Jump to solution

The hardware spec is not specific to TE appliances, the Sync port is there for other applications.

View solution in original post

(1)
7 Replies
emmap
Employee
Employee
3 weeks ago
Jump to solution

The TE appliances aren't designed to work in a cluster, they should be deployed as independent devices and have the load balancing / high availability be achieved by the devices sending the files.

(1)
tytdoge
Participant
3 weeks ago
In response to emmap
Jump to solution

Hi emmap,

 

Thank you for your reply, but i can see there is a Sync interface on TE250XN model. What is the usage for that port if it is not designed to work in a cluster?

 

 

0 Kudos
emmap
Employee
Employee
3 weeks ago
In response to tytdoge
Jump to solution

The hardware spec is not specific to TE appliances, the Sync port is there for other applications.

(1)
tytdoge
Participant
3 weeks ago
In response to emmap
Jump to solution

OK Thank you for your explanation!

0 Kudos
Chris_Atkinson
Employee Employee
Employee
3 weeks ago
In response to tytdoge
Jump to solution

If it helps with understanding sk110369, sk102309 outline ways that multiple TE appliances are leveraged otherwise.

So as @emmap suggests for your application you need to implement the load-balancing in front of the TE appliances. 

CCSM R77/R80/ELITE
0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
3 weeks ago
Jump to solution

Hi!

As far as I know TE appliances cannot be clustered the same way as regular gateways. To achieve HA multiple gateways can be configured to use different TE appliances for threat emulation.

0 Kudos
Forsaken_61
Explorer
Tuesday
Jump to solution

Hi 

As previous users have replied. You cannot cluster Threat Emulation Appliances for load balacing.
Bumped almost into the same issue.

To fix this I've a Security Gateway in front, which Is configured to send files for Remote Emulation to my Threat Emulation Appliance boxes.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events