We can generate a failover in a lot of ways. One way is with cphaprob, the most complicated way if you do not know it, but I am here to help you understand and use it instead of just an ifdown/ifup on an interface. :-)
On the other hand it is an important command for the exam.
cphaprob usage:
    cphaprob state
    cphaprob [-a] if

    The following commands are NOT applicable for 3rd party:
    cphaprob -d -t -s [-p] register
    cphaprob -f register
    cphaprob -d [-p] unregister
    cphaprob -a unregister
    cphaprob -d -s report
    cphaprob [-i[a]] [-e] list

    cphaprob igmp .................. IGMP membership status
    cphaprob [-reset] ldstat ....... Sync serialization statistics
    cphaprob [-reset] syncstat ..... Sync transport layer statistics
    cphaprob fcustat ............... Full connectivity upgrade statistics
    cphaprob tablestat ............. Cluster tables
Test:
The firewalls are now in Load Sharing (Multicast) mode. The current state is clean: there is no problem with the cluster.

    [Expert@myfirewall]# cphaprob stat

    Cluster Mode:   Load Sharing (Multicast)

    Number     Unique Address  Assigned Load  State
    1 (local)  192.168.168.10  50%            Active
    2          192.168.168.20  50%            Active

    [Expert@myfirewall]# cphaprob -ia list

    Built-in Devices:

    Device Name: Problem Notification
    Current state: OK

    Device Name: Interface Active Check
    Current state: OK

    Device Name: HA Initialization
    Current state: OK

    Device Name: Load Balancing Configuration
    Current state: OK

    Registered Devices:

    Device Name: fwd
    Registration number: 0
    Timeout: none
    Current state: OK
    Time since last report: 0.2 sec

    Device Name: cphad
    Registration number: 1
    Timeout: none
    Current state: OK
    Time since last report: 0.2 sec
Add a device named SHIT and report a problem for it.

    [Expert@myfirewall]# cphaprob -d SHIT -t 0 -s ok -p register
    Registered SHIT in failure detection mechanism. Registration no. 2
    [Expert@myfirewall]# cphaprob -d SHIT -s problem report
    [Expert@myfirewall]#
    [Expert@myfirewall]# cphaprob -ia list

    Built-in Devices:

    Device Name: Problem Notification
    Current state: problem

    Device Name: Interface Active Check
    Current state: OK

    Device Name: HA Initialization
    Current state: OK

    Device Name: Load Balancing Configuration
    Current state: OK

    Registered Devices:

    Device Name: fwd
    Registration number: 0
    Timeout: none
    Current state: OK
    Time since last report: 0.8 sec

    Device Name: cphad
    Registration number: 1
    Timeout: none
    Current state: OK
    Time since last report: 0.8 sec

    Device Name: SHIT
    Registration number: 2
    Timeout: none
    Current state: problem
    Time since last report: 9.3 sec
The cluster member is down:
    [Expert@myfirewall]# cphaprob state

    Cluster Mode:   Load Sharing (Multicast)

    Number     Unique Address  Assigned Load  State
    1          192.168.168.10  100%           Active
    2 (local)  192.168.168.20  0%             Down

    [Expert@myfirewall]#
Delete the device from failure detection mechanism:
    [Expert@myfirewall]# cphaprob -d SHIT -p unregister
    Unregistered SHIT from failure detection mechanism
The cluster member is up:

    [Expert@myfirewall]# cphaprob state

    Cluster Mode:   Load Sharing (Multicast)

    Number     Unique Address  Assigned Load  State
    1          192.168.168.10  50%            Active
    2 (local)  192.168.168.20  50%            Active

    [Expert@myfirewall]# cphaprob -ia list

    Built-in Devices:

    Device Name: Problem Notification
    Current state: OK

    Device Name: Interface Active Check
    Current state: OK

    Device Name: HA Initialization
    Current state: OK

    Device Name: Load Balancing Configuration
    Current state: OK

    Registered Devices:

    Device Name: Synchronization
    Registration number: 0
    Timeout: none
    Current state: OK
    Time since last report: 1572.1 sec

    Device Name: Filter
    Registration number: 1
    Timeout: none
    Current state: OK
    Time since last report: 140.4 sec

    Device Name: fwd
    Registration number: 2
    Timeout: 2 sec
    Current state: OK
    Time since last report: 0.6 sec

    Device Name: cphad
    Registration number: 3
    Timeout: 2 sec
    Current state: OK
    Time since last report: 0.6 sec
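A check an administrator could run after a test like this, to see which device is holding the local member down (for example a test device that was never unregistered). This is an added example, not part of the original post: the function names are hypothetical and the sample input is constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example. Input format follows the cphaprob output shown on this page.

# Read `cphaprob -ia list` on stdin; print "section<TAB>device<TAB>state"
# for every device whose current state is not OK.
pnote_problems() {
    awk '
        /^[ \t]*Built-in Devices:/   { section = "built-in";   next }
        /^[ \t]*Registered Devices:/ { section = "registered"; next }
        /^[ \t]*Device Name:/ {
            name = $0
            sub(/^[ \t]*Device Name:[ \t]*/, "", name)
            sub(/[ \t]+$/, "", name)
            next
        }
        /^[ \t]*Current state:/ {
            state = $0
            sub(/^[ \t]*Current state:[ \t]*/, "", state)
            sub(/[ \t]+$/, "", state)
            if (state != "OK") printf "%s\t%s\t%s\n", section, name, state
        }'
}

# Read `cphaprob state` on stdin; print the State column of the local member.
local_member_state() {
    awk 'index($0, "(local)") { print $NF; exit }'
}

# Constructed sample, trimmed from the outputs shown after the problem report.
SAMPLE_STATE='Cluster Mode: Load Sharing (Multicast)
Number Unique Address Assigned Load State
1 192.168.168.10 100% Active
2 (local) 192.168.168.20 0% Down'
SAMPLE_LIST='Built-in Devices:
Device Name: Problem Notification
Current state: problem
Device Name: Interface Active Check
Current state: OK
Registered Devices:
Device Name: fwd
Current state: OK
Device Name: SHIT
Current state: problem'

# On a cluster member, pipe the real commands in instead of the samples.
if [ "$(printf '%s\n' "$SAMPLE_STATE" | local_member_state)" != "Active" ]; then
    printf '%s\n' "$SAMPLE_LIST" | pnote_problems
fi
```

A registered device that still shows up here after testing is finished is the one to unregister.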
CheckPoint Blows
January 23, 2013
Easier command is “clusterXL_admin down” or “clusterXL_admin up”. This immediately will cause a graceful failover if you down the active firewall. It will remain admin down until you reboot or issue the admin up command.