Checkpoint High Availability Monitoring
Hi, once again ;)
I would like to monitor the HA cluster between 2 Checkpoint Firewall.
Several time a month, the cluster failed down, sound like one of the numerous Ethernet card seems to be off during a couple of second, thus the HA cluster switch to safe mode. I would like to detect this nasty state from the Hobbit server to broadcast an alarm.
I don't know how the 2 Firewalls exchange health information (maybe via Heartbeat). Anyone already figure out how to monitor this issue?
Thanks by advance,
LMJL.M.J. a écrit :
Hi, once again ;)
I would like to monitor the HA cluster between 2 Checkpoint Firewall.
Several time a month, the cluster failed down, sound like one of the numerous Ethernet card seems to be off during a couple of second, thus the HA cluster switch to safe mode. I would like to detect this nasty state from the Hobbit server to broadcast an alarm.
you have some commands that need to be parsed to do so. try "cphaprob -a if" and "cphaprob state".
I don't know how the 2 Firewalls exchange health information (maybe via Heartbeat). Anyone already figure out how to monitor this issue?
they exchange information via heartbeat. you can set up on smartdashboard the "fail over" tracking option. the main difficulty in my opinion is to be sure your monitoring will also work if the HA priority changes.
there is also an active firewall 1 archiev if you wish to ask the question to firewall-1 users.
Thanks by advance,
LMJ
pkc_mls a écrit :
there is also an active firewall 1 archiev if you wish to ask the question to firewall-1 users. there is also an active firewall-1 mailing list if you wish to ask the question to firewall-1 users. sorry for monday morning typo.
Thanks by advance,
LMJ
Le Mon, 28 Apr 2008 09:33:09 +0200, pkc_mls <pkc_mls at yahoo.fr> a écrit :
L.M.J. a écrit :
Hi, once again ;)
I would like to monitor the HA cluster between 2 Checkpoint Firewall.
Several time a month, the cluster failed down, sound like one of the numerous Ethernet card seems to be off during a couple of second, thus the HA cluster switch to safe mode. I would like to detect this nasty state from the Hobbit server to broadcast an alarm.
you have some commands that need to be parsed to do so. try "cphaprob -a if" and "cphaprob state".
I don't know how the 2 Firewalls exchange health information (maybe via Heartbeat). Anyone already figure out how to monitor this issue?
they exchange information via heartbeat. you can set up on smartdashboard the "fail over" tracking option. the main difficulty in my opinion is to be sure your monitoring will also work if the HA priority changes.
Hi pkc_mls,
If you suggest to parse some command, I guess you mean to install Hobbit Client on the CheckPoint linux firewalls which sound like not supported by CP (+ I guess my colleague, directly responsible of the FW, will be able disagree :-/)
Gonna first check out the Checkpoint SPLAT devmon template (thanks Michael)
Thanks you very much guys,
CU
L.M.J a écrit :
Le Mon, 28 Apr 2008 09:33:09 +0200, pkc_mls <pkc_mls at yahoo.fr> a écrit :
L.M.J. a écrit :
Hi, once again ;)
I would like to monitor the HA cluster between 2 Checkpoint Firewall.
Several time a month, the cluster failed down, sound like one of the numerous Ethernet card seems to be off during a couple of second, thus the HA cluster switch to safe mode. I would like to detect this nasty state from the Hobbit server to broadcast an alarm.
you have some commands that need to be parsed to do so. try "cphaprob -a if" and "cphaprob state".
I don't know how the 2 Firewalls exchange health information (maybe via Heartbeat). Anyone already figure out how to monitor this issue?
they exchange information via heartbeat. you can set up on smartdashboard the "fail over" tracking option. the main difficulty in my opinion is to be sure your monitoring will also work if the HA priority changes.
Hi pkc_mls,
If you suggest to parse some command, I guess you mean to install Hobbit Client on the CheckPoint linux firewalls which sound like not supported by CP (+ I guess my colleague, directly responsible of the FW, will be able disagree :-/)
that's true. the client for rhel3 works flawlessly on my splat ngx r62.
I rebuilt a static version for splat, but this is a tar.gz archive, not a clean rpm.
Gonna first check out the Checkpoint SPLAT devmon template (thanks Michael)
Thanks you very much guys,
CU
I have a hobbit client running on my R65 SPLAT systems with no problem's. I statically compiled RHE7.2 hobbit client last year with the libraries and it works great.
Let me know if you need a copy.
Thanks, michael
P.S. - Just don't tell Checkpoint ;-)
On 4/28/08 11:44 AM, "pkc_mls" <pkc_mls at yahoo.fr> wrote:
L.M.J a écrit :
Le Mon, 28 Apr 2008 09:33:09 +0200, pkc_mls <pkc_mls at yahoo.fr> a écrit :
L.M.J. a écrit :
Hi, once again ;)
I would like to monitor the HA cluster between 2 Checkpoint Firewall.
Several time a month, the cluster failed down, sound like one of the numerous Ethernet card seems to be off during a couple of second, thus the HA cluster switch to safe mode. I would like to detect this nasty state from the Hobbit server to broadcast an alarm.
you have some commands that need to be parsed to do so. try "cphaprob -a if" and "cphaprob state".
I don't know how the 2 Firewalls exchange health information (maybe via Heartbeat). Anyone already figure out how to monitor this issue?
they exchange information via heartbeat. you can set up on smartdashboard the "fail over" tracking option. the main difficulty in my opinion is to be sure your monitoring will also work if the HA priority changes.
Hi pkc_mls,
If you suggest to parse some command, I guess you mean to install Hobbit Client on the CheckPoint linux firewalls which sound like not supported by CP (+ I guess my colleague, directly responsible of the FW, will be able disagree :-/)
that's true. the client for rhel3 works flawlessly on my splat ngx r62.
I rebuilt a static version for splat, but this is a tar.gz archive, not a clean rpm.
Gonna first check out the Checkpoint SPLAT devmon template (thanks Michael)
Thanks you very much guys,
CU
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
Some one posted a Checkpoint SPLAT devmon template and it works great, it will monitor the cluster state for you.
Here is a copy..
Thanks, michael
On 4/28/08 3:15 AM, "L.M.J." <linuxmasterjedi at free.fr> wrote:
Hi, once again ;)
I would like to monitor the HA cluster between 2 Checkpoint Firewall.
Several time a month, the cluster failed down, sound like one of the numerous Ethernet card seems to be off during a couple of second, thus the HA cluster switch to safe mode. I would like to detect this nasty state from the Hobbit server to broadcast an alarm.
I don't know how the 2 Firewalls exchange health information (maybe via Heartbeat). Anyone already figure out how to monitor this issue?
Thanks by advance,
LMJTo unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
On Monday 28 April 2008 13:50:54 Michael A. Price wrote:
Some one posted a Checkpoint SPLAT devmon template and it works great, it will monitor the cluster state for you.
Here is a copy..
I would like to add this to the devmon templates release, but I would prefer to have some contact who uses this template (we only have Cisco firewalls).
Also, it may be better to use the same test name as the PIX/ASA templates (which use "cluster", I note some of the other extensions from deadcat - e.g. the one for Sun Cluster - also use "cluster").
But, we should probably move discussion to the devmon list.
Regards, Buchan
Le Mon, 28 Apr 2008 07:50:54 -0400, "Michael A. Price" <mprice at sgt-inc.com> a écrit :
Some one posted a Checkpoint SPLAT devmon template and it works great, it will monitor the cluster state for you.
Here is a copy..
Thanks, michael
Incredible, it works perfectly! Thanks to all!
Last question for this time ;) How can i get CPU & Mem graphs activated, I just have the current state right now. Is it possible to run devmon on SNMPV3 protocol ?
Thanks
Le Thu, 1 May 2008 08:22:30 +0200, "L.M.J" <linuxmasterjedi at free.fr> a écrit :
Le Mon, 28 Apr 2008 07:50:54 -0400, "Michael A. Price" <mprice at sgt-inc.com> a écrit :
Some one posted a Checkpoint SPLAT devmon template and it works great, it will monitor the cluster state for you.
Here is a copy..
Thanks, michael
Incredible, it works perfectly! Thanks to all!
Last question for this time ;) How can i get CPU & Mem graphs activated, I just have the current state right now. Is it possible to run devmon on SNMPV3 protocol ?
Thanks
LOL, i'm a liar, I still have extra questions : what about FW OneEdge CP (tiny appliance)? Is it also possible to monitor them via Devmon?
L.M.J a écrit :
LOL, i'm a liar, I still have extra questions : what about FW OneEdge CP (tiny appliance)? Is it also possible to monitor them via Devmon?
It should be, theoretically, but you have to deal with the sofaware mibs. I doubt you'll have the same OIDs as in checkpoint MIBs.
participants (4)
-
bgmilne@staff.telkomsa.net
-
linuxmasterjedi@free.fr
-
mprice@sgt-inc.com
-
pkc_mls@yahoo.fr