Routes defined in clish/webUI are missing for Check Point


Check Point


Routes defined in the Check Point Web UI or through clish are sometimes not fully applied at the operating system layer. If this happens, Indeni will alert.

Remediation Steps

As a workaround, restart the routeD daemon by running "cpstop;cpstart", or restart the device. Because this should not happen, a case can also be opened with your technical support provider. For devices in a cluster, the issue may affect only one of the nodes, and a failover to the other node could lessen its impact.

How does this work?

Actual routes are retrieved using the built-in "netstat" command, and the configured routes are read from the Gaia configuration database /config/active. The two are then compared to make sure they are the same.
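
The comparison described above, as an added Python example (not Indeni's own script): it converts the dotted netmasks in "netstat -rn" output to prefix lengths so they can be matched against configured routes. The sample netstat output and the configured-route list are constructed, the (destination, gateway) input format is an assumption, and reading the routes out of /config/active is not shown.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (Linux net-tools layout).
NETSTAT_SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
10.10.0.0       192.0.2.254     255.255.0.0     UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

# Constructed configured static routes as (destination, gateway) pairs.
# Assumption: they were already extracted from the configuration database.
CONFIGURED_SAMPLE = [
    ("default", "192.0.2.1"),
    ("10.10.0.0/16", "192.0.2.254"),
    ("172.16.5.0/24", "192.0.2.254"),
]

def parse_netstat(text):
    """Return {(network, gateway)} parsed from `netstat -rn` output."""
    routes = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # banner or truncated line
        dest, gw, mask = fields[:3]
        try:
            # ip_network accepts a dotted netmask and stores the prefix length.
            routes.add((ipaddress.ip_network(f"{dest}/{mask}"),
                        ipaddress.ip_address(gw)))
        except ValueError:
            continue  # column header line
    return routes

def normalize_configured(entries):
    """Return {(network, gateway)} with 'default' mapped to 0.0.0.0/0."""
    return {(ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest),
             ipaddress.ip_address(gw)) for dest, gw in entries}

def missing_routes(configured, netstat_text):
    """Configured routes that are absent from the kernel table, sorted."""
    missing = normalize_configured(configured) - parse_netstat(netstat_text)
    return sorted(f"{net} via {gw}" for net, gw in missing)

if __name__ == "__main__":
    for route in missing_routes(CONFIGURED_SAMPLE, NETSTAT_SAMPLE):
        print("configured but not in kernel table:", route)
```
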

Why is this important?

If a static route is configured via Clish or WebUI, there is no guarantee of successful propagation to the Linux kernel routing table. To ensure that all routes are applied correctly, it is recommended to compare the actual routes with the configured ones.

Without Indeni how would you find this?

An administrator could log in, manually list the routes from both sources, and then compare them. However, there are often a lot of routes configured, and combined with the difference in output (for example, the subnet), this can be a cumbersome task.
