The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
Missing dynamic object configuration on ClusterXL standby member causes outage after failover
R77.30 (EOL), R80.10 (EOL)
Platform / Model
After failover, newly elected active ClusterXL member stops processing traffic.
In kernel debug (fw ctl zdebud + drop), traffic is getting dropped by dynamic object rule (any/dynamic > dynamic/any drop).
Dynamic routing (OSPF and BGP) neighborship with peers is not formed anymore.
zdebug drop might show below drop
dropped by fw_first_packet_xlation Reason: Dynamic object is already being resolved
Dynamic object was defined on the Security Management server and policy was installed. But, the IP range was defined only on the ClusterXL active member. As soon as the cluster fails over, the traffic starts to drop.