Index
A
Adding an Existing Gateway as a Member
Adding Another Member to an Existing Cluster
Advanced Cluster Configuration
Anti-Spoofing
Avg Missing Updates per Request
Avg Held Duration (ticks)
Avg Length of Sending Queue
B
Blocked Packets
Blocking New Connections Under Load
Blocking Scenarios
Bond Failover
C
Changes to the Destination MAC Address
Changes to the Source MAC Address
Check Point Software Compatibility
Choosing the CCP Transport Mode on the Cluster Members
Choosing the Load Sharing Mode
Classic Mode Configuration
Classic Mode Configuration
Classic Mode Configuration
Clock Synchronization in ClusterXL
Cluster Fold and Cluster Hide
Clustering Definitions and Terms
ClusterXL Advanced Configuration
ClusterXL Commands for Interface Bonds
ClusterXL Compatibility (Excluding IPS)
ClusterXL Compatibility with IPS
ClusterXL Configuration Commands
ClusterXL Error Messages
ClusterXL Gateway Cluster Solution
ClusterXL Hardware Compatibility
ClusterXL Hardware Requirements
ClusterXL High Availability
ClusterXL High Availability for IPv6
ClusterXL Licenses
ClusterXL Log Messages
ClusterXL Modes
ClusterXL Sync Network Configuration
Completing the Definition
Components of the System
Configuration of Cluster Addresses on Different Subnets
Configuring a Service Not to Synchronize
Configuring a Static ARP Entry on the Router
Configuring Cisco Switches for Load Sharing
Configuring Cluster Addresses on Different Subnets
Configuring Cluster Addresses on Different Subnets
Configuring Cluster Addresses on Different Subnets
Configuring Cluster IP Addresses in SmartDashboard
Configuring Cluster Objects & Members
Configuring ClusterXL
Configuring ClusterXL Properties
Configuring ClusterXL Properties
Configuring ClusterXL Properties
Configuring Duration Limited Synchronization
Configuring Full Synchronization Advanced Options
Configuring General Properties
Configuring High Availability Legacy Mode
Configuring IPv6 Clusters
Configuring ISP Redundancy on a Cluster
Configuring NAT on a Cluster Member
Configuring NAT on the Gateway Cluster
Configuring OPSEC Certified Clustering Products
Configuring Policy Update Timeout
Configuring Routing for Client Machines
Configuring Services not to Synchronize
Configuring State Synchronization
Configuring Static Routes on the Members
Configuring the Cluster Topology
Configuring the Sticky Decision Function
Configuring VPN and Clusters
Connecting Several Clusters on the Same VLAN
Connecting to the Cluster Members from the Cluster Network
Connectivity Between Cluster Members
Connectivity Delays on Switches
Contact Technical Support
Controlling the Clustering and Synchronization Timers
CPHA Command Line Behavior in OPSEC Clusters
CPHA tick (ms)
Creating an Interface Bond in High Availability Mode
Creating Synchronized and Non-Synchronized Versions
D
Default Gateway on SecurePlatform
Defining a Disconnected Interface on Unix
Defining a Disconnected Interface on Windows
Defining Cluster Members
Defining Disconnected Interfaces
Defining Interface Bond in Load Sharing Mode
Defining Static Cam Entries
Defining the Cluster Member IP Addresses
Defining the Cluster Virtual IP Addresses
Defining the Interface Bond
Defining VLANs on an Interface Bond
Defining VPN Peer Clusters with Separate Security Management Servers
Disabling IGMP Snooping
Disabling Multicast Limits
Disabling Multicast Packets from Reaching the Router
Duplicate Multicast MAC Addresses: The Problem
Duplicate Multicast MAC Addresses: The Solution
Duplicate Source Cluster MAC Addresses: The Problem
Duplicate Source Cluster MAC Addresses: The Solution
Duration Limited Synchronization
Dynamic Routing in ClusterXL
E
Enabling Dynamic Routing Protocols in a Cluster Deployment
Enabling Interface Link State Monitoring
Enhanced 3-Way TCP Handshake Enforcement
Enlarging the CPHA Timer
Enlarging the Receiving Queue
Enlarging the Sending Queue
Enlarging the Sync Timer
Establishing a Third-Party Gateway in a Hub and Spoke Deployment
Example
Example
Example
Example
Example ClusterXL Topology
Example Configuration of a Cisco Catalyst Routing Switch
Example cphaprob Script
Example cphaprob Script
Example cphaprob Script
Example Legacy Mode Deployment
Example of Cluster Addresses on Different Subnets
F
Failover
Failover Support for VLANs
Failure Recovery
Footnotes
For 802.3ad:
For XOR:
Forwarding Layer
From SmartDashboard
Fully Meshed Redundancy
G
General ClusterXL Error Messages
General logs
H
HA New and Load Sharing Unicast Modes
Hardware Requirements, Compatibility and Cisco Example
High Availability and Load Sharing in ClusterXL
High Availability Legacy Mode
High Availability Mode
High Availability or Load Sharing
Hold Pkts Events
How a Recovered Cluster Member Obtains the Security Policy
How ClusterXL Works
How State Synchronization Works
How the Destination Cluster MAC Address is Assigned in Load Sharing Multicast Mode
How the Source Cluster MAC Address is Assigned
How to Configure Gateway Configuration Parameters
How to Configure Gateway to Survive a Boot
How to Initiate Failover
I
Implementation Planning Considerations
In SmartDashboard for Machine 'A'
In SmartDashboard, for Machine 'B'
Installation and Platform Support
Interface logs
Introduction
Introduction to Cluster Addresses on Different Subnets
Introduction to ClusterXL
Introduction to ClusterXL Modes
Introduction to cphaprob [-reset] syncstat
Introduction to High Availability and Load Sharing
Introduction to High Availability Legacy Mode
Introduction to OPSEC Certified Clustering Products
Introduction to Sticky Connections
IP Address Migration
IP Address Migration
IP Address Migration
IPSO Specific Error Messages
L
Limitations of Cluster Addresses on Different Subnets
Link Aggregation - High Availability Mode
Link Aggregation - Load Sharing Mode
Link Aggregation and Clusters
Linux/SecurePlatform
Load Sharing
Load Sharing Multicast Mode
Load Sharing Multicast Mode
Load Sharing Multicast Mode
Load Sharing Multicast Mode with "Semi-Supporting" Hardware
Load Sharing Unicast Mode
Local Updates
Lost Sync Connection (num of events)
M
Manual Proxy ARP
Max Held Duration (ticks)
Max Length of Sending Queue
Member Fails to Start After Reboot
Mode Comparison Table
Monitoring and Troubleshooting Gateway Clusters
Monitoring Cluster Interfaces
Monitoring Cluster Status
Monitoring Cluster Status Using SmartConsole Clients
Monitoring Critical Devices
Monitoring Synchronization (fw ctl pstat)
Monitoring the Interface Link State
More Information
Moving from a Single Gateway to a ClusterXL Cluster
Moving from High Availability Legacy with Minimal Downtime
Moving from High Availability Legacy with Minimal Effort
N
Non-Sticky Connection Example: TCP 3-Way Handshake
Non-Sticky Connections
Non-Synchronized Services
Not Held Due to no Members
Notes
O
Old or too-new Arriving Updates
On Machine 'A'
On Machine 'B'
On the Gateways
On the Single Gateway Machine
Operating System Compatibility
Other Member Updates
Output of cphaprob [-reset] syncstat
Overview
P
Performance Guidelines for Link Aggregation
Planning Considerations
Platform Specific Error Messages
Pnote logs
Preparing Cluster Members
Preparing the Cluster Member Machines
Preparing the Switches and Configuring Routing
Q
Queues
R
Reason Strings
Receiving Queue Size
Reconfiguring the Acknowledgment Timeout
Recv Duplicate Retrans request
Recv Retransmission requests
Reducing the Number of Pending Packets
Registering a Critical Device
Registering Critical Devices Listed in a File
Removing a Member
Removing IP Addresses from Slave Interfaces
Reporting Critical Device Status to ClusterXL
Routers
Routing Configuration
Routing Configuration
Routing Configuration
Routing Switch
Routing Table Synchronization
S
Sample Configuration of PortFast Feature on a Cisco Switch
SecureXL logs
Security Management server Location
Sending Queue Size
Sent Retransmission Requests
Setting Affinities
Setting Critical Required Interfaces
Setting Module Variables in IPSO 6.1 and Later
Setting Slave Interfaces as Disconnected
Shared Interfaces IP and MAC Address Configuration
Simple Redundant Topology
SmartDashboard Configuration
SmartDashboard Configuration for OPSEC Clusters
SmartDashboard Toolbar
SmartView Monitor
SmartView Tracker
SmartView Tracker Active Mode Messages
Starting and Stopping ClusterXL Using SmartView Monitor
State logs
Sticky Connections
Switch (Layer 2 Forwarding) Considerations
Switches
Sync Related Error Messages
Sync Statistics (IDs of F&A Peers - 1)
Sync tick (ms)
Synchronization Troubleshooting Options
Synchronized Cluster Restrictions
Synchronizing Clusters on a Wide Area Network
Synchronizing Connection Information Across the Cluster
Synchronizing Non-Sticky Connections
T
TCP Out-of-State Error Messages
The Check Point State Synchronization Solution
The Cluster Control Protocol
The clusterXL_monitor_process script
The cphaconf command
The cphaprob Command
The cphaprob Command in OPSEC Clusters
The cphastart and cphastop Commands
The cphastart and cphastop Commands in OPSEC Clusters
The Need for Gateway Clusters
The Sticky Decision Function
The Synchronization Interface
The Synchronization Network
The Synchronization Network
The Synchronization Network
Third-Party Gateways in Hub and Spoke Deployments
Timed out Sync Connection
Timers
Total Generated Updates
Troubleshooting Bonded Interfaces
Troubleshooting Synchronization
Troubleshooting Workflow
U
Unhold Pkt Events
Unregistering a Critical Device
Unsynced Missing Updates
Using the Wizard
V
Verifying that a Cluster is Working Properly
Verifying that the Bond is Functioning Properly
Virtual IP Integration
Virtual MAC mode - VMAC
VLAN Support in ClusterXL
VPN Tunnels with 3rd Party Peers and Load Sharing
W
Warnings Regarding Use of PortFast
What Happens When a Gateway Recovers?
What is a Failover?
When Does a Failover Occur?
Windows
Workflow of Interface Bond in Load Sharing Mode
Working with NAT and Clusters
Working with OPSEC Certified Clustering Products
Working with SmartView Tracker Active Mode
Working with VLANs and Clusters
Working with VPNs and Clusters