Manual failover between ClusterXL members

network

Manual failover between ClusterXL members
August 17th, 2010 A Check Point security gateway cluster running under ClusterXL uses certain devices that must be running on the cluster member for the member to be considered active.

The devices can be displayed using cphaprob -ia list. A normal ouput will look like this:

[Expert@firewall]# cphaprob -ia list

Built-in Devices:

Device Name: Problem Notification
Current state: OK

Device Name: Interface Active Check
Current state: OK

Device Name: HA Initialization
Current state: OK

Device Name: Load Balancing Configuration
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 13212.1 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 13201.4 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

If one or more of the devices have a problem, ClusterXL will do a failover from the active member to the standby member. This is only true as long as the second member has no problem itself. If this is happening, the cluster mechanism decides by its own which is the more suitable machine to handle the traffic and will or will not do a failover.

Failover will also occur if the issue cpstop or cphastop on the active member, stopping all Check Point services or just the ClusterXL related service.

For the purpose of maintenance it can be necessary to move away all the traffic from the active member to the secondary member through initiating a failover, leaving the security policy and services active on the machine.

This can be done by registering a new device and adding it to the list of the processes that must be running for the cluster member to be considered active and putting the new device in the problem state.

Use this command line: cphaprob -d STOP -s problem -t 0 register

If you want to unregister the problematic device and make the cluster member available and active again, just use this: cphaprob -d STOP unregister.

Learn more about the usage of cphaprob from the CLI manual.

rain

在（ClusterXL）智能负荷平衡成员之间使用手动故障切换

2010年8月17日，Check Point安全网关集群运行在使用ClusterXL（智能负荷平衡）的某些设备下，这些设备必须运行在被集群成员认为活动的成员里。

使用“cphaprob -ia”命令会列出这些设备。这是正规的输出格式
[Expert@firewall]# cphaprob -ia list

Built-in Devices:

Device Name: Problem Notification
Current state: OK

Device Name: Interface Active Check
Current state: OK

Device Name: HA Initialization
Current state: OK

Device Name: Load Balancing Configuration
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 13212.1 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 13201.4 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

如果一个或是多个设备有问题，ClusterXL(智能负荷平衡)会从这个积极活动成员切换到备用成员，这是唯一仅有的第二个成员，只要它本身没有问题。如果发生了这样的情况，群集机制会决定由哪一个比较适合的设备来处理这些通信和做或者不做故障转移。

如果在积极活动的成员上发布了“cpstop”或是“cphastop”，故障转移也将会发生停止所有Check Point服务或是仅仅停止（ClusterXL）智能负荷平衡的相关服务。

为了维护它，它必须能够脱离积极成员状态，通过启动故障转移，将所有通信转移到备用成员上，保留设备上的安全策略和服务活动。


这可以通过注册新设备，并添加它的程序到这个列表，而它必须被活动的群集成员竞选上，然后才能放置这个新设备到问题处理状态里。


使用这个命令行：“cphaprob –d STOP –s problem –t 0 register”


如果你想注销这个有问题设备，使现有集群成员重新激活并可用，可以使用这个命令行：“cphaprob –d STOP unregister”

从CLI使用手册中可以了解更多关于“cphaprob”的使用。

network

有些术语还是欠准确。