Remove interface and vlan from ClusterXL Monitoring

[ba3113]

Can someone advise how I can remove VLAN interface and Physical interface from the ClusterXL Monitoring in VSX environment. I do not want to touch topology.I just wanted to isolate the one virtual system out of the 5 as temporary so once VSX isolate the VSX gateway does not try to failover and move into split brain situation.

[mcnallym]

Same as on a physical device with the $FWDIR/conf/discntd.if file.

List the interfaces want to ignore within ClusterXL and then install Security policy. Just make sure change to the appropriate vs within the CLI


Stop all Check Point Services:

[Expert@HostName]# cpstop


2.Edit the $FWDIR/conf/discntd.if with a Vi text editor:

[Expert@HostName]# vi $FWDIR/conf/discntd.if

Note:
If the $FWDIR/conf/discntd.if file does not exist, then create it:
[Expert@HostName]# touch $FWDIR/conf/discntd.if


3.Add the names of all interface that should not be monitored by ClusterXL on separate lines.

Example:
eth4
eth5
eth6

To obtain the correct interface names, run this command:
[Expert@HostName]# fw ctl iflist

Note: In Gaia OS, in R75.47 and R77.20 (and above), this file is not needed anymore to list the unused interfaces (except for the physical slaves of Bond interfaces).


4.Save changes in the Vi editor and exit.


5.Start all Check Point Services:

[Expert@HostName]# cpstart


6.Repeat the same actions for the other cluster members.

Note: If after making these changes to the $FWDIR/conf/discntd.if and running 'cpstart', the problematic interfaces are not shown as 'Disconnected' in the output of 'cphaprob -a if' command, then reboot the cluster members.

[ba3113]

As you said in in R75.47 and R77.20 (and above) its not needed anymore.I am going to do this in R77.30 so what I would need to know without impacting other live VS.

[varera]

Same as on a physical device with the $FWDIR/conf/discntd.if file.

List the interfaces want to ignore within ClusterXL and then install Security policy. Just make sure change to the appropriate vs within the CLI


Stop all Check Point Services:

[Expert@HostName]# cpstop


2.Edit the $FWDIR/conf/discntd.if with a Vi text editor:

[Expert@HostName]# vi $FWDIR/conf/discntd.if

Note:
If the $FWDIR/conf/discntd.if file does not exist, then create it:
[Expert@HostName]# touch $FWDIR/conf/discntd.if


3.Add the names of all interface that should not be monitored by ClusterXL on separate lines.

Example:
eth4
eth5
eth6

To obtain the correct interface names, run this command:
[Expert@HostName]# fw ctl iflist

Note: In Gaia OS, in R75.47 and R77.20 (and above), this file is not needed anymore to list the unused interfaces (except for the physical slaves of Bond interfaces).


4.Save changes in the Vi editor and exit.


5.Start all Check Point Services:

[Expert@HostName]# cpstart


6.Repeat the same actions for the other cluster members.

Note: If after making these changes to the $FWDIR/conf/discntd.if and running 'cpstart', the problematic interfaces are not shown as 'Disconnected' in the output of 'cphaprob -a if' command, then reboot the cluster members.

This approach is for physical GWs and not VSX. In fact there is no any "clean"way to achieve the desired results without touching topology of the VS in question.

You still can disable interfaces and VLANs attached to that particular VS on the adjacent networking devices. In this case all interfaces on the VS will be down.

Alternatively, you can uninstall policy on that VS on both cluster members.

Neither way is "clean" and non-intrusive.


Sent from my iPhone using Tapatalk

[ba3113]

My assumption is that once I disable the ports to adjacent device the firewall may try to failover because of ClusterXL monitoring so I do not want firewall not to be failover.

[varera]

My assumption is that once I disable the ports to adjacent device the firewall may try to failover because of ClusterXL monitoring so I do not want firewall not to be failover.

Are you running VSLS or not?

[ba3113]

We are running VSX in Active Standy Mode.

[varera]

We are running VSX in Active Standy Mode.

In this case yes, disabling interfaces might face failover and WILL cause Active/Down status on the cluster. Same for unloading policy from VS in question.

If you are looking a clean way, best would be to remove interfaces from VS or VS in whole.

[ba3113]

If we disable interface on both device active and standy.Will is be there any Tie between device so they won't failover.