Cluster ID mismatch across cluster members-checkpoint-gaia,secureplatform
Vendor: checkpoint
OS: gaia,secureplatform
Description:
indeni will identify when two devices are part of a cluster and alert if the cluster ID settings are different.
Remediation Steps:
Follow https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977 to ensure the cluster ID is configured the same on both members.
How does this work?
The cluster ID can be set in two ways, the old method of modifying the $FWDIR/boot/modules/fwkern.conf file, and the new method of using a new command, called “cphaconf cluster_id”. If the cluster ID is configured in both way the old method takes precedence.
Why is this important?
A Check Point cluster has a value used in cluster communication, called cluster ID. It can be the same for several clusters, as long as they do not share any layer 2 segment. If all the members of a cluster do not have the same setting, the cluster will not work correctly. More information can be found in Check Point KB article SK25977: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977
Without Indeni how would you find this?
An administrator could login and manually run the command.
chkp-cphaconf-cluster-id
name: chkp-cphaconf-cluster-id
description: Determine check point cluster-id number (not "cluster-id" tag)
type: monitoring
monitoring_interval: 10 minutes
requires:
vendor: checkpoint
high-availability: 'true'
clusterxl: 'true'
or:
- os.name: gaia
- os.name: secureplatform
os.version.num:
compare-type: version-compare
op: "<"
value: "80.40"
asg:
neq: 'true'
comments:
cluster-id-number:
why: |
A Check Point cluster has a value used in cluster communication, called cluster ID. It can be the same for several clusters, as long as they do not share any layer 2 segment. If all the members of a cluster do not have the same setting, the cluster will not work correctly. More information can be found in Check Point KB article SK25977: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977
how: |
The cluster ID can be set in two ways, the old method of modifying the $FWDIR/boot/modules/fwkern.conf file, and the new method of using a new command, called "cphaconf cluster_id". If the cluster ID is configured in both way the old method takes precedence.
can-with-snmp: false
can-with-syslog: false
chkp-cluster-id-conflict:
why: |
A Check Point cluster has a value used in cluster communication, called cluster ID. It can be the same for several clusters, as long as they do not share any layer 2 segment. If all the members of a cluster do not have the same setting, the cluster will not work correctly. The cluster ID can be configured in two different ways, but both methods must not be used at the same time. More information can be found in Check Point KB article SK25977: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977
how: |
Attempting to list the cluster ID using both the old and the new method, and if both method are used an alert can be issued.
can-with-snmp: false
can-with-syslog: false
steps:
- run:
type: SSH
command: ${nice-path} -n 15 cat $FWDIR/boot/modules/fwkern.conf ;
${nice-path} -n 15 cphaconf cluster_id get ;
modinfo -p $FWDIR/boot/modules/fw*.o | sort -u | grep _type | grep fwha_mac |
awk 'BEGIN {FS=":"} ; {print $1}' | while read parameter ; do
${nice-path} -n 15 fw ctl get int $parameter;
done;
${nice-path} -n 15 cphaprob mmagic
parse:
type: AWK
file: cphaconf-cluster_id-get.parser.1.awk
checkpoint_compare_cluster_id
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/checkpoint_compare_cluster_id.scala