This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maarten_Sjouw
Champion
Champion
‎2019-01-15 01:57 AM
Jump to solution

Cluster Sync lost after Get Interfaces with topology

Last week we ran into an issue that a cluster was loosing the sync status and the backup member went into down state.

Investigation learned that the Get Topology command erased the sync status of the Sync interfaces. There is no verification on the SmartConsole for this anymore, in R77.30 there was no way you could get out of the Topology window without a Sync interface set.

In R80.10 you can and you can push policy without any notification.

Regards, Maarten
1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2019-01-21 01:23 PM
Jump to solution

Can we get a repeated prompts if the "Get Interfaces with Topology" is selected?

Something like:

1. Are you sure you want to get Interfaces with Topology? It's been known to cause some unexpected surprises.

and

2. Have you freed-up your evening or weekend or have decided to change your occupation and the country of residence?

and

3. Have you at least made a snapshots and backups of the infrastructure you are working on?

View solution in original post

9 Replies
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2019-01-15 03:28 AM
Jump to solution

ouch! did you manage to find out why did it remove it from topology? was it missing on the gateway? was it set up manually before or with the get? just curious.

we have some other weird examples of R80.10 not doing good verification and pushing out changes that shouldn't be allowed (object creation with the same name..) but not related to topology. will write once I had more time to sum it up

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-01-15 03:37 AM
In response to Kaspars_Zibarts
Jump to solution

It was probably setup manually before, one of my colleagues added a new interface and did the get topology and then did not check all interfaces properly, when we tried to get the added interface running in a change window, we found that the cluster was having issues and the interface VIP did not get activated, not pingable nor showing in cphaprob -a if Then after a while we found that the sync interface was no longer set as a cluster 1st Sync. Restoring theat and pushing policy activated the VIP on the additonal interface but we are still having some issues with the cluster itself. We ran out the change window and they shut the switch ports again which left the cluster in problem state. even removing the added interface in the SmartConsole did not resolve this yet, waiting for the next window.

Regards, Maarten
0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-15 06:00 AM
Jump to solution

If you can reproduce this, I recommend opening a TAC case.

My understanding is that we're still using SmartDashboard-style code for editing gateway/cluster objects due to the fact they still operate in CPMI.

Thus I would expect they would have all the same checks in place.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-01-15 09:54 PM
In response to PhoneBoy
Jump to solution

Oh yeah very simply reproducible, just got to any cluster and change the Sync interface to private and click Ok, push policy and only then I did see one verification error: 
Regardless of state synchronization, Cluster FWC must have a trusted (secured) network defined for normal clustering operations.

Regards, Maarten
JozkoMrkvicka
Authority
Authority
‎2019-01-15 01:58 PM
Jump to solution

Lession learned:

Do NOT click on "get interfaces from topology" in any case.

Did it once and spent around 4 hours to check all 800 VLANs to find missing IP...

Of course I didnt do database revision because... all will be fine

Lession learned volume II:

Do database revision (no valid for R80)...

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-15 02:56 PM
In response to JozkoMrkvicka
Jump to solution

The "do database revision" also does not apply with VSX (which never supported database revisions).

Petr_Hantak
Advisor
Advisor
‎2019-01-17 04:59 AM
In response to JozkoMrkvicka
Jump to solution

I fully agree with your lessons because I had similar "hard way" learning couple years ago as well.

Vladimir
Champion
Champion
‎2019-01-21 01:23 PM
Jump to solution

Can we get a repeated prompts if the "Get Interfaces with Topology" is selected?

Something like:

1. Are you sure you want to get Interfaces with Topology? It's been known to cause some unexpected surprises.

and

2. Have you freed-up your evening or weekend or have decided to change your occupation and the country of residence?

and

3. Have you at least made a snapshots and backups of the infrastructure you are working on?

Maarten_Sjouw
Champion
Champion
‎2019-01-21 01:32 PM
In response to Vladimir
Jump to solution

LOL, and what about this one:

1. Could you please check yourself if that you have at least 1 Sync interface?

Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events