Wednesday, 27 June 2012

CheckPoint HA: How to force a failover (ClusterXL/VRRP)

Based on some recent conversations I've had, it seems most people don't know how to force or test a failover with Check Point HA.

There is a single requirement for non-SPLAT/GAIA systems; FW-1 Monitoring State needs to be enabled. If you're running IPSO, you can do this via the VRRP configuration page.

To force a failover, run the following commands on the current cluster master:

This creates a pnote (problem notification) that is in problem state:
cphaprob -d fail -s problem -t 0 register
Verify it's in problem state with
cphaprob stat
cphaprob -i list
(you should see 'fail' in problem state)

Once you've finished your testing, run these two to reset it:
cphaprob -d fail -s ok report
cphaprob -d fail unregister

Make sure to verify that the pnote has been removed correctly before you log off.

That's it!