Fixing F5 Webui Access Issue:

Issue:

Unable to access the F5 web UI for management activity.

Cause:

The HTTPS service is not working properly or is in a hung state.

Resolution:

Restart the httpd and tomcat services to resolve web UI access issues. The commands are listed below.

 

tmsh restart /sys service httpd

tmsh restart /sys service tomcat

Failover Traffic From Master Fortigate Firewall to Standby (Slave):

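To fail over traffic from the primary Fortigate firewall to the standby, change the priority of the primary firewall. With override enabled, the unit with the higher priority becomes master, so lowering the primary's priority below the secondary's moves traffic to the standby. Details are shown in the example below.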

Primary Firewall configuration:

Fortigate-Primary (global) # show system ha
config system ha
set group-id 1
set mode a-p
set hbdev "port1" 50 "port2" 50
set session-pickup enable
set override enable
set priority 200
set monitor "port3" "port4"
end

Secondary Firewall configuration:

Fortigate-Secondary (global) # show system ha
config system ha
set group-id 1
set mode a-p
set hbdev "port1" 50 "port2" 50
set session-pickup enable
set priority 125
set override enable
set monitor "port3" "port4"
end

Verify cluster status:

Fortigate-Primary (global) # get system ha status
Model: 3810
Mode: a-p
Group: 1
Debug: 0
ses_pickup: enable
Master:200 CERTVIDEOS-FORTI-PRI FG3J1A6122622645 0
Slave   :125 CERTVIDEOS-FORTI-SEC FG3J1A6122611412 1
number of vcluster: 1
vcluster 1: work 198.1.1.1
Master:0 FG3J1A6122622645
Slave   :1 FG3J1A6122611412

Failover the traffic from active to standby (Master to slave):

Fortigate-Primary-~ (global) # config system ha
Fortigate-Primary-~ (ha) # set priority 124
Fortigate-Primary-~ (ha) # end

To do this from GUI, navigate to Config > HA, click the edit icon and change the firewall priority.

 

F5-BIGIP-Rename virtual server and pool names:

Follow the steps below to rename a virtual server and pool on F5 BIGIP:

1. Enable the mcpd.mvenabled database variable so that you can modify the virtual server and pool.

tmsh modify /sys db mcpd.mvenabled value true

2. Rename the virtual server with the mv command.

tmsh mv ltm virtual <original_VS_name> <new_VS_name>

3. Rename the pool with the same command.

tmsh mv ltm pool <original_pool_name> <new_pool_name>

4. Disable the database variable again so that no one can modify configurations.

tmsh modify /sys db mcpd.mvenabled value false

Checkpoint Cluster-XL member status:

  1.  Everything is OK.

[Expert@]# cphaprob state

Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  1.1.1.1         100%            Active
2          1.1.1.2         0%              Standby

2. Active Attention – a problem has been detected, but the cluster member is still forwarding packets, since it is the only machine in the cluster, or there are no active machines in the cluster.

[Expert@]# cphaprob state

Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  1.1.1.1         100%            Active attention
2          1.1.1.2         0%              down

3. Down – one of the critical devices is having problems.

[Expert@]# cphaprob state

Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  1.1.1.1         100%            Active
2          1.1.1.2         0%              down

4. Ready 

When cluster members have different versions of Check Point Security Gateway, the members with the new version have the Ready state and the members with the previous version have the Active state.

Before a cluster member becomes active, it sends a message to the rest of the cluster and then expects to receive confirmations from the other cluster members agreeing that it will become active. Until it receives the confirmations, the machine is in the Ready state.

When cluster members in versions R70 and higher have a different number of CPU cores and/or a different number of CoreXL instances, the member with the higher number of CPU cores and/or the higher number of CoreXL instances stays in the Ready state until the configuration is set identically on all members.

[Expert@]# cphaprob state

Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  1.1.1.1         100%            Ready

5. Initializing – the cluster member is booting up and the ClusterXL product is already running, but the Security Gateway is not yet ready.

6. ClusterXL inactive or machine is down – the local machine cannot hear anything coming from this cluster member.

[Expert@]# cphaprob state

Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  1.1.1.1         100%            Active
2          1.1.1.2         0%              ClusterXL inactive or machine is down
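
The state list above can be turned into a scripted health check. This is an added example, not part of the original page and not Check Point tooling: the hypothetical cphaprob_check function reads cphaprob state output on stdin, assumes the column layout shown on this page, and exits non-zero when any member is in a state other than Active or Standby. The ok/warn/crit mapping is a choice made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): classify members in `cphaprob state` output.
# Assumes the layout shown on this page: number, optional "(local)",
# unique address, assigned load, then the state text to the end of the line.
cphaprob_check() {
    awk '
    $1 ~ /^[0-9]+$/ && NF >= 4 {
        id = $1; i = 2; where = "peer"
        if ($i == "(local)") { where = "local"; i++ }
        addr = $i; i += 2               # skip the Assigned Load column
        state = ""                      # state may be several words long
        for (; i <= NF; i++) state = state (state == "" ? "" : " ") $i
        s = tolower(state)
        # Severity mapping is a choice made for this example.
        if (s == "active" || s == "standby")          sev = "ok"
        else if (s == "ready" || s == "initializing") sev = "warn"
        else                                          sev = "crit"
        if (sev != "ok") bad = 1
        n++
        printf "%s %s %s %s [%s]\n", id, where, addr, sev, state
    }
    # No member rows at all is treated as a failure too (exit 2).
    END { if (n == 0) exit 2; exit bad + 0 }
    '
}

# Constructed sample: the "Active attention" case from this page.
cphaprob_check <<'EOF' || echo "cluster needs attention (exit $?)"
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  1.1.1.1         100%            Active attention
2          1.1.1.2         0%              down
EOF
```

On a gateway the function would be fed directly, as in: cphaprob state | cphaprob_check. The exit code (0 healthy, 1 degraded, 2 no members parsed) is what a cron job or monitoring probe would alert on.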