Sychronization question driving me Crazy

[Afontanilla]

Ok everyone here has their own opinion on this controversial type of question.

What is the best way to view full state synchronization?

well there you can either use the cphaprob -i list command( see a list of critical devices on cluster member:show state of internal (interfaces, HA inialization and so on)

or the fw ctl pstat command (which show hash system kernal memory, packets inspected, drefragmented, encryption stats, nat stats and state synchorinization stats) Well state state sychronization statistics is fine and dandy but does it show full state sycnhronization.

well from Checkpoint documentation the (Cphaprob state) command shows the status of full state synchronization. If it was between CPAhaprob state and fw ctl pstat I would choose cpahaprob state(too bad it doesn't ask this).

Which is it?!!!!!$!!$???!??!$!$!$?$?

[northlandboy]

Personally I use a combo of "cpstat ha" and "fw tab -t connections -s" on both nodes of the cluster.

If the connection tables are close in value, then that to me is the best confirmation that sync is working.

I'd probably use the other commands to dig around further if I saw some problem with the output of the above two commands.

[Afontanilla]

Ok i finally found the answer from Checkpoint themselves..

The question ask which command showsfull state synchronization?

the answer is:...

fw ctl pstat
Because:
Checkpoint hilights this command when it comes to finding out which command shows the status of sychronization.. It also shows statistics such as sync packets received, dropped, sent ....in detail


The only other viable command is cphaprob -i list but his is not 100% correct. This command shows internal interface synchronization status..but fw ctl pstat gives a more comphrehensive answer when it comes to device sychronization.


Of course there are about a couple of other commands that would work...but none of them are directly listed in the question ...ie cphaprob state etc.

[Afontanilla]

Actually the best way to test this is:
1. Go to work, ssh into one of your cluster members and type the commands and output them to a text file and judge for yourself.
2. get qty 2 secureplatform servers or my favorite an qty 2 ol Nokia IP330s. Slap a version of r60 on them and have a smartserver on hand. Setup clusterXL and Nokia VRRP and go to step 1.

Its funny how Nokia came out with functionality that was presents years ago, that only now Checkpoint is introducing as brand new R65 features..I guess nokia is being edged out with the new checpoint edge products....


For example: Dynamic routing protocol support was present on the Nokia platfrom back when Checkpoint 4.1 was out (OSPF BGP)..now Checkpoint r65 charges you extra to have dynamic routing support on secureplatform Pro...

[Tan Da Boss]

Dynamic routing was introduced with NGX R60 but you're right Nokia has proposed these functionnalities much sooner than CP.