Detecting FW failover issues

At our company we have had some issues after CheckPoint firewall failovers if our F5 units have Auto Last Hop activated on the virtual forwarding servers and the CheckPoint cluster is not using magic MAC. Would it be possible to detect this in some way?


Maybe we can set something up in the lab?

Oh this is really good! This sounds like an "asymmetric forwarding" problem.

Is this how the traffic looked, in an extremely overgeneralized manner?

Request:

Edge -> CP FW1 (Active) -> F5 -> Pool Member

Response:

Pool Member -> F5 -> CP FW1 (Passive) [failed path] Edge


It is not safe to assume that the CP FW1 had an outage and may respond to broadcast traffic.


Just for clarification: would you want to validate that magic MAC is in use for the CheckPoint cluster, or check whether the CP FW MAC used for Auto Last Hop has failed?

The early versions of GAIA clusters were implemented via gratuitous ARP. We had issues when we failed over; most of our Linux servers had customized ARP configurations and did not allow the ARP cache to update when the firewalls failed over. CheckPoint gave us a temporary hotfix to let us configure a virtual MAC. The later versions of GAIA provide a GUI to enable virtual MAC.

From my experience, the current GAIA clusters are very solid. Two years ago, we kept asking CheckPoint for zero-downtime upgrades. Now they have them.
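The two checks raised in the thread (is the cluster presenting a stable virtual MAC across failover, and are there connections whose Auto Last Hop MAC now points at the passive node) can be scripted against exported ARP and connection data. The example below is added here and is not code from any poster, F5 or Check Point; the ARP-table line format, the connection record fields and all addresses are constructed for illustration. It compares a gateway's MAC before and after a failover and flags connections whose cached last-hop MAC no longer matches what the gateway IP currently resolves to, which is exactly the asymmetric-return condition described above.

```python
"""Detect stale Auto Last Hop MACs after a firewall cluster failover.

Constructed scenario: the load balancer remembers the source MAC of the
firewall that delivered each connection (Auto Last Hop) and returns traffic
to that MAC. If the firewall cluster does not use a virtual ("magic") MAC,
the active member's MAC changes on failover and cached last-hop MACs keep
sending replies to the now-passive node. Nothing here talks to a device;
inputs are text exports in a constructed format.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Connection:
    """One tracked connection with its cached last-hop (constructed fields)."""
    client: str
    virtual_server: str
    last_hop_ip: str
    last_hop_mac: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so vendor formats compare equal."""
    return mac.strip().lower().replace("-", ":").replace(".", ":")


def parse_arp_table(text: str) -> Dict[str, str]:
    """Parse '<ip> <mac>' lines (constructed format); '#' starts a comment."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()[:2]
        table[ip] = normalize_mac(mac)
    return table


def virtual_mac_in_use(arp_before: Dict[str, str], arp_after: Dict[str, str],
                       gateway_ip: str) -> bool:
    """A cluster using a virtual MAC resolves the gateway IP to the same MAC
    before and after a failover; a changing MAC means gratuitous-ARP style
    failover and exposes Auto Last Hop to the problem in the thread."""
    before, after = arp_before.get(gateway_ip), arp_after.get(gateway_ip)
    return before is not None and before == after


def stale_last_hop(connections: List[Connection],
                   arp_now: Dict[str, str]) -> List[Connection]:
    """Connections whose cached last-hop MAC differs from the MAC the
    last-hop IP resolves to right now; their return traffic goes to the
    passive node (or to nowhere) until the cache entry is refreshed."""
    stale = []
    for conn in connections:
        current = arp_now.get(conn.last_hop_ip)
        if current is not None and normalize_mac(conn.last_hop_mac) != current:
            stale.append(conn)
    return stale


# --- constructed sample data -------------------------------------------
GATEWAY = "192.0.2.1"                     # firewall cluster VIP facing the F5
ARP_BEFORE = "# captured before failover\n192.0.2.1 00:1C:7F:00:00:01\n"
ARP_AFTER_NO_VMAC = "192.0.2.1 00:1c:7f:00:00:02\n"   # MAC changed: no virtual MAC
ARP_AFTER_VMAC = "192.0.2.1 00-1c-7f-00-00-01\n"      # MAC stable: virtual MAC

CONNECTIONS = [
    Connection("198.51.100.10", "203.0.113.80:443", GATEWAY, "00:1c:7f:00:00:01"),
    Connection("198.51.100.11", "203.0.113.80:443", GATEWAY, "00:1c:7f:00:00:01"),
    Connection("198.51.100.12", "203.0.113.80:443", GATEWAY, "00:1c:7f:00:00:02"),
]


def report(arp_after_text: str) -> Dict[str, object]:
    """Run both checks for one post-failover ARP snapshot."""
    before = parse_arp_table(ARP_BEFORE)
    after = parse_arp_table(arp_after_text)
    stale = stale_last_hop(CONNECTIONS, after)
    return {
        "virtual_mac": virtual_mac_in_use(before, after, GATEWAY),
        "stale_connections": [c.client for c in stale],
    }


if __name__ == "__main__":
    for label, snapshot in (("no virtual MAC", ARP_AFTER_NO_VMAC),
                            ("virtual MAC", ARP_AFTER_VMAC)):
        print(label, report(snapshot))
```

In the first snapshot the gateway MAC changed, so the two connections cached against the old MAC are flagged; in the second the MAC is stable and nothing is stale, which is the behaviour the virtual MAC option is meant to give. In practice the ARP snapshots and connection records would be exported from the F5 and taken before and after a controlled failover in the lab.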