Introduction to ClusterXL

The Need for Gateway Clusters

Gateways and VPN connections are business critical devices. The failure of a Security Gateway or VPN connection can result in the loss of active connections and access to critical data. The gateway between the organization and the world must remain open under all circumstances.

ClusterXL Gateway Cluster Solution

A ClusterXL cluster is a group of identical Check Point Security Gateways connected in such a way that if one fails, another immediately takes its place.

ClusterXL is a software-based Load Sharing and High Availability solution that distributes network traffic between clusters of redundant Security Gateways and provides transparent failover between machines in a cluster.

A High availability cluster ensures gateway and VPN connection redundancy by providing transparent failover to a backup gateway in the event of failure.
A Load Sharing cluster provides reliability and also increases performance, as all cluster members are active

clustering-intro

How ClusterXL Works

ClusterXL uses unique physical IP and MAC addresses for the cluster members and virtual IP addresses to represent the cluster itself. Virtual IP addresses do not belong to an actual machine interface (except in High Availability Legacy mode, explained later).

ClusterXL provides an infrastructure that ensures that data is not lost due to a failure, by ensuring that each cluster member is aware of connections passing through the other members. Passing information about connections and other Security Gateway states between the cluster members is known as State Synchronization.

Security Gateway Clusters can also be built using OPSEC certified High Availability and Load Sharing products. OPSEC certified clustering products use the same State Synchronization infrastructure as ClusterXL.

Note - This guide refers to ClusterXL in Security Gateway mode only. For more on VSX mode, see the R76 VSX Administration Guide.

The Cluster Control Protocol

The Cluster Control Protocol (CCP) is the glue that links together the machines in the Check Point Gateway Cluster. CCP traffic is distinct from ordinary network traffic and can be viewed using any network sniffer.

CCP runs on UDP port 8116, and has the following roles:

It allows cluster members to report their own states and learn about the states of other members by sending keep-alive packets (this only applies to ClusterXL clusters).
State Synchronization.

The Check Point CCP is used by all ClusterXL modes as well as by OPSEC clusters. However, the tasks performed by this protocol and the manner in which they are implemented may differ between clustering types.

Note - There is no need to add a rule to the Security Policy Rule Base that accepts CCP

Installation and Platform Support

ClusterXL must be installed in a distributed configuration in which the Security Management server and the cluster members are on different machines. ClusterXL is part of the standard Security Gateway installation.

For installation instructions, see the R76 Installation and Upgrade Guide.

For ClusterXL supported Platforms, see the R76 Release Notes.

ClusterXL Licenses

To use ClusterXL for High Availability, each gateway in the configuration must have a regular gateway license and the management machine must have a license for each cluster defined.

To use ClusterXL for Load Sharing, each gateway in the configuration must have a regular gateway license and the management machine must have a license for each cluster defined and one additional cluster-1 primitive license.

It does not matter how many gateways are included in the cluster. If the proper licenses are not installed, the install policy operation will fail.

For more about licenses, visit the Check Point Support Center.

Clock Synchronization in ClusterXL

When using ClusterXL, make sure to synchronize the clocks of all of the cluster members. You can synchronize the clocks manually or using a protocol such as NTP. Features such as VPN only function properly when the clocks of all of the cluster members are synchronized.

Clustering Definitions and Terms

Different vendors give different meanings to terms that relate to Gateway Clusters, High Availability, and Load Sharing. Check Point uses the following definitions and terms when discussing clustering:

Active Up - When the High Availability machine that was Active and suffered a failure becomes available again, it returns to the cluster, not as the Active machine but as one of the standby machines in the cluster.

Cluster - A group of machines that work together to provide Load Sharing and/or High Availability.

Critical Device - A device that the Administrator has defined to be critical to the operation of the cluster member. A critical device is also known as a Problem Notification (pnote). Critical devices are constantly monitored. If a critical device stops functioning, this is defined as a failure. A device can be hardware or a process. The fwd and cphad processes are predefined by default as critical devices. The Security Policy is also predefined as a critical device. The Administrator can add to the list of critical devices using the cphaprob command.

Failure - A hardware or software problem that causes a machine to be unable to filter packets. A failure of an Active machine leads to a Failover.

Failover - A machine taking over packet filtering in place of another machine in the cluster that suffered a failure.

High Availability - The ability to maintain a connection when there is a failure by having another machine in the cluster take over the connection, without any loss of connectivity. Only the Active machine filters packets. One of the machines in the cluster is configured as the Active machine. If a failure occurs on the Active machine, one of the other machines in the cluster assumes its responsibilities.

Hot Standby - Also known as Active/Standby. It has the same meaning as High Availability.

Load Sharing - In a Load Sharing Gateway Cluster, all machines in the cluster filter packets. Load Sharing provides High Availability, gives transparent Failover to any of the other machines in the cluster when a failure occurs, and provides enhanced reliability and performance. Load Sharing is also known as Active/Active.

Multicast Load Sharing - In ClusterXL's Load Sharing Multicast mode, every member of the cluster receives all of the packets sent to the cluster IP address. A router or Layer 3 switch forwards packets to all of the cluster members using multicast. A ClusterXL decision algorithm on all cluster members decides which cluster member should perform enforcement processing on the packet.

Unicast Load Sharing - In ClusterXL's Load Sharing Unicast mode, one machine (the Pivot) receives all traffic from a router with a unicast configuration and redistributes the packets to the other machines in the cluster. The Pivot machine is chosen automatically by ClusterXL.

SmartDashboard Toolbar

You can use the SmartDashboard toolbar to do these actions:

Icon	Description
	Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
	Save current policy and all system objects.
	Open a policy package, which is a collection of policies saved together with the same name.
	Refresh policy from the Security Management Server.
	Open the Database Revision Control window.
	Change global properties.
	Verify rule base consistency.
	Install the policy on Security Gateways or VSX Gateways.
	Open SmartConsoles.