Cluster ID settings conflict-checkpoint-gaia,secureplatform
Vendor: checkpoint
OS: gaia,secureplatform
Description:
There are two ways to configure the cluster ID in a Check Point cluster - through cphaconf and through the kernel parameters. If both are used, odd issues may occur.
Remediation Steps:
Follow sk25977 on how to configure the cluster ID, depending on the version you are using.
How does this work?
Attempting to list the cluster ID using both the old and the new method, and if both method are used an alert can be issued.
Why is this important?
A Check Point cluster has a value used in cluster communication, called cluster ID. It can be the same for several clusters, as long as they do not share any layer 2 segment. If all the members of a cluster do not have the same setting, the cluster will not work correctly. The cluster ID can be configured in two different ways, but both methods must not be used at the same time. More information can be found in Check Point KB article SK25977: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977
Without Indeni how would you find this?
An administrator could login and manually run the command.
chkp-cphaconf-cluster-id
name: chkp-cphaconf-cluster-id
description: Determine check point cluster-id number (not "cluster-id" tag)
type: monitoring
monitoring_interval: 10 minutes
requires:
vendor: checkpoint
high-availability: 'true'
clusterxl: 'true'
or:
- os.name: gaia
- os.name: secureplatform
os.version.num:
compare-type: version-compare
op: "<"
value: "80.40"
asg:
neq: 'true'
comments:
cluster-id-number:
why: |
A Check Point cluster has a value used in cluster communication, called cluster ID. It can be the same for several clusters, as long as they do not share any layer 2 segment. If all the members of a cluster do not have the same setting, the cluster will not work correctly. More information can be found in Check Point KB article SK25977: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977
how: |
The cluster ID can be set in two ways, the old method of modifying the $FWDIR/boot/modules/fwkern.conf file, and the new method of using a new command, called "cphaconf cluster_id". If the cluster ID is configured in both way the old method takes precedence.
can-with-snmp: false
can-with-syslog: false
chkp-cluster-id-conflict:
why: |
A Check Point cluster has a value used in cluster communication, called cluster ID. It can be the same for several clusters, as long as they do not share any layer 2 segment. If all the members of a cluster do not have the same setting, the cluster will not work correctly. The cluster ID can be configured in two different ways, but both methods must not be used at the same time. More information can be found in Check Point KB article SK25977: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25977
how: |
Attempting to list the cluster ID using both the old and the new method, and if both method are used an alert can be issued.
can-with-snmp: false
can-with-syslog: false
steps:
- run:
type: SSH
command: ${nice-path} -n 15 cat $FWDIR/boot/modules/fwkern.conf ;
${nice-path} -n 15 cphaconf cluster_id get ;
modinfo -p $FWDIR/boot/modules/fw*.o | sort -u | grep _type | grep fwha_mac |
awk 'BEGIN {FS=":"} ; {print $1}' | while read parameter ; do
${nice-path} -n 15 fw ctl get int $parameter;
done;
${nice-path} -n 15 cphaprob mmagic
parse:
type: AWK
file: cphaconf-cluster_id-get.parser.1.awk
chkp_cluster_id_conflict
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/chkp_cluster_id_conflict.scala