State synchronization during policy installation may, in certain cases, cause a cluster member to initiate a failover. To prevent this situation, you can modify the Security Gateway global parameter fwha_freeze_state_machine_timeout. This parameter sets the number of seconds, during policy installation, in which no state synchronization will be performed. You should set this parameter to the shortest period needed to eliminate the issue; the recommended value is 30 seconds.
- Enable the "freeze" mechanism by running the following at the prompt (by default this mechanism is disabled):
fw ctl set int fwha_freeze_state_machine_timeout 30
- Disable this mechanism by running:
fw ctl set int fwha_freeze_state_machine_timeout 0
- To make this setting survive a reboot, follow sk26202: Changing the kernel global parameters on all platforms
- This parameter is not related to the synchronization mechanism in any way. It is related to what Check Point calls the "state machine". The state machine is responsible for determining the state of each machine, i.e. whether the machine is active, standby or down. When the state of a machine changes, a failover results. During policy installation, there are cases in which the state changes, and consequently an unwanted failover may occur. Correctly setting fwha_freeze_state_machine_timeout should prevent the unwanted failover.
- Correctly setting fwha_freeze_state_machine_timeout should also prevent unwanted failovers in 3rd party environments, especially in cases in which the 3rd party environment may bring the cluster down during policy installation. In 3rd party environments, the state of the cluster member is determined by the 3rd party environment, whereas in ClusterXL the state of the cluster member is determined by the ClusterXL state machine code, which may cause unwanted failovers during policy installation.