Frequently Asked Questions Regarding State Synchronization

The following section details various issues that come up when employing State Synchronization on your firewalls, regardless of the underlying HA mechanism.

13.1 How Do I Know State Synchronization Is Working?

FireWall-1 4.1 and earlier used a TCP connection to synchronize information about the connections table. This meant you could use netstat to determine whether or not synchronization was taking place. In FireWall-1 NG, the State Synchronization method cannot be tracked in this way. You could do a snoop or a tcpdump to witness the synchronization packets, but this doesn't necessarily mean State Synchronization is doing the job.

The "correct" way to check the status of synchronization is the command cphaprob state. However, executing the command fw tab -t connections -s on each firewall has proven to be more reliable. If State Synchronization is working, both firewalls will show a similar value for #VALS (i.e., the number of entries in the table). It's normal that these values won't be exactly the same, but they should be fairly close. For instance, if one firewall shows 25,000 entries and the other shows 24,500 entries, the firewalls are synced. If one firewall shows 25,000 and the other shows 50, the firewalls are quite likely not synced.
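As an added example (not from the book), a small POSIX shell script that performs this comparison for you: it pulls the #VALS column out of each member's fw tab -t connections -s output and reports the pair as out of sync when the counts differ by more than a tolerance, assumed here to be 10% (the book only says the values should be "fairly close"). The sample outputs are constructed; in practice you would capture them from each cluster member.

```shell
#!/bin/sh
# Added example, not from the book. Compares the #VALS column of
# "fw tab -t connections -s" output from two cluster members.
# The 10% tolerance is an assumption for illustration.

# Constructed sample output in the column layout fw tab -s prints:
# HOST NAME ID #VALS #PEAK #SLINKS
MEMBER_A_OUTPUT='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158 25000 31000   75000'
MEMBER_B_OUTPUT='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158 24500 30500   73500'
MEMBER_C_OUTPUT='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158    50    60     150'

# Print the #VALS value (4th column) of the "connections" row.
vals_from_output() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4; exit }'
}

# Return 0 (synced) when the two counts differ by at most $3 percent of
# the larger count, 1 otherwise. Integer arithmetic only, so plain sh works.
counts_in_sync() {
    x=$1; y=$2; tol=$3
    if [ "$x" -gt "$y" ]; then big=$x; diff=$((x - y))
    else big=$y; diff=$((y - x)); fi
    # Two empty tables prove nothing about sync, so treat them as a failure.
    if [ "$big" -eq 0 ]; then return 1; fi
    [ $((diff * 100)) -le $((big * tol)) ]
}

# Compare two members' fw tab outputs, print a verdict, return 0 if synced.
check_sync_pair() {
    va=$(vals_from_output "$1"); vb=$(vals_from_output "$2")
    if counts_in_sync "$va" "$vb" "${3:-10}"; then
        echo "synced: #VALS $va vs $vb"; return 0
    fi
    echo "NOT synced: #VALS $va vs $vb"; return 1
}

# Demo: A vs B is within tolerance, A vs C is not.
check_sync_pair "$MEMBER_A_OUTPUT" "$MEMBER_B_OUTPUT" 10
check_sync_pair "$MEMBER_A_OUTPUT" "$MEMBER_C_OUTPUT" 10 || :
```

Run it from a cron job or monitoring check with the real outputs substituted for the constructed strings; the non-zero return of check_sync_pair is what an alert should key on, not the printed line.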

13.2 Can I Change the MAC Address Used by the State Synchronization Mechanism?

Because every cluster uses the same MAC addresses for active and standby modes, it is not possible to connect more than one cluster's synchronization interfaces to the same switch, possibly not even to different VLANs on the same switch. In NG FP3 HFA-310 or above, you can perform the following steps to change the MAC address.

There are actually two MAC addresses, set by the kernel variables fwha_mac_magic and fwha_mac_forward_magic. These variables do not hold the full MAC address, but only its last octet. You can modify these MAC addresses by choosing any hexadecimal number between 0x1 and 0xfc; 0xfe and 0xfd cannot be used. All members of the same cluster must have these changes made, and each cluster should use values that are unique with respect to other clusters. In the following examples, I have chosen 0x42 for one and 0x69 for the other.

On Solaris machines, add the following line to the bottom of the /etc/system file, and then reboot:

set fw:fwha_mac_magic = 0x42
set fw:fwha_mac_forward_magic = 0x69

On Linux machines, edit $FWDIR/boot/modules/fwkern.conf and add the following lines, rebooting afterward:

fwha_mac_magic = 0x42
fwha_mac_forward_magic = 0x69

Check Point states that these variables cannot be changed on Nokia or Windows. However, the IPSO version of the FireWall-1 loadable kernel module does contain the appropriate values, and using the modzap utility from Nokia Resolution 1261 on these values appears to work. Here are the commands you must enter before rebooting:

nokia# modzap $FWDIR/boot/modules/fwmod.o _fwha_mac_magic 0x42
nokia# modzap $FWDIR/boot/modules/fwmod.o _fwha_mac_forward_magic 0x69

13.3 Can I Perform State Synchronization between Two Platforms of Differing Performance Characteristics?

Generally speaking, you can do this. However, the system with the better performance characteristics should be the master.

In one instance, an IP330 with 128MB of RAM was paired with an IP650 with 256MB of RAM. The IP330 was the master. In this configuration, the system frequently lost synchronization with the other members.

13.4 How Can I Prevent a Specific Service from Being Synchronized via State Synchronization?

In FireWall-1 NG FP2 and above, it is possible to configure a service so that it does not synchronize across a cluster by simply unchecking the Synchronize on Cluster checkbox in the appropriate service's Advanced section. In NG FP1 and prior, add the following line to $FWDIR/lib/table.def on the management station and reinstall the security policy:

non_sync_ports = { <80, 6>, <443, 6>, <53, 17> };

The format of each entry is <port number, protocol number>. In the above example we have HTTP (TCP port 80), HTTPS (TCP port 443), and DNS (UDP port 53).