
Working with VSX Clusters

In This Section:

Configuration Overview

Creating VSX Clusters

Modifying a Cluster Definition

Working with Cluster Members

Changing the Cluster Type

Enabling VSX Gateway High Availability

Configuring Virtual System Load Sharing

Configuring Virtual Systems in Bridge Mode

Advanced Clustering Configuration

This chapter presents the procedures for configuring VSX in various cluster deployment scenarios. In addition to the basic scenarios, conceptual material and illustrative examples are presented for several advanced features, including the Bridge mode and dynamic routing.

You will use SmartDashboard for most of the basic cluster configurations. You will need the command line interface to add more members, remove members, and upgrade members. Many advanced cluster management procedures require the command line.

Configuration Overview

The majority of the basic cluster configuration process is performed using SmartDashboard, both in Security Management and Multi-Domain Security Management models. However, you will need to use the command line interface to add members to, remove members from, and upgrade existing members of VSX clusters. Many advanced cluster management procedures, including Load Sharing definitions, require the command line.

Creating VSX Clusters

Creating a New Cluster

This section describes how to create a new VSX cluster using the VSX Cluster Wizard. The wizard guides you through the following steps to configure a VSX cluster.

After completing the VSX Cluster Wizard, you can modify most cluster and member properties directly from SmartDashboard.

To create a new cluster:

  1. Open SmartDashboard.

    If you are using Multi-Domain Security Management, open SmartDashboard from the Domain Management Server in which you are creating the cluster.

  2. From the Network Objects tree, right-click Check Point and select VSX > Cluster.

    The General Properties page of the VSX Cluster Wizard opens.

Defining Cluster General Properties

The Cluster General Properties page contains basic identification properties for VSX clusters.

This window contains the following properties:

Note - All cluster members must use the same type of platform, with the same specifications and configuration.

Selecting Creation Templates

The Virtual Systems Creation Templates page lets you select a Virtual System Creation Template that automatically applies predefined, default topology and routing definitions to Virtual Systems when they are first created. This feature ensures consistency among Virtual Systems and speeds up the provisioning process.

You always have the option of overriding the default creation template when creating or modifying a Virtual System.

The available creation templates are as follows:

Adding Members

The VSX Cluster Members window defines the members of the new cluster. You must define at least two cluster members, and up to as many as eight members. You can add new members later.

To add a new cluster member:

  1. In the VSX Cluster Members window, click Add.

    The Member Properties window opens.

  2. Enter the name and the IP address of the cluster member.
  3. Enter and confirm the activation key to initialize SIC trust between the cluster member and the management server.
  4. Repeat these steps for each cluster member.

Defining Cluster Interfaces

The VSX Cluster Interfaces window lets you define physical interfaces as VLAN trunks. The list displayed contains all interfaces currently defined on the gateway machine or cluster.

To configure a VLAN trunk:

Select an interface to define it as a VLAN trunk. You can clear an interface to remove the VLAN trunk assignment.

Important - You cannot define the management interface as a VLAN trunk. To use a VLAN as the management interface, you must define the VLAN on the Security Gateway before you use SmartDashboard to create the VSX Gateway.

Configuring Cluster Members

If you selected the custom configuration option, the VSX Cluster Members window appears. In this window, you define the synchronization IP address for each member.

To configure the cluster members:

  1. Select the synchronization interface from the list.
  2. Enter the synchronization interface IP address and net mask for each member.

To use a VLAN as a synchronization interface:

  1. Define the VLAN on the Security Gateway.
  2. Open SmartDashboard and create the VSX Gateway.
  3. On the VSX Gateway, from the CLI open fwkern.conf and add this line:

    fwha_monitor_all_vlan=1
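As an added example that is not part of this guide: a small POSIX shell function that makes the fwkern.conf edit above repeatable on every cluster member without leaving duplicate or conflicting lines, and reads the value back. It assumes the file lives at $FWDIR/boot/modules/fwkern.conf and that the kernel only picks the value up after a reboot; both are assumptions of the example, not statements from this page.

```shell
# Added example, not from the Check Point guide. Idempotently sets a kernel
# parameter in fwkern.conf so that a repeated edit never leaves duplicate or
# conflicting lines. Assumption: $FWDIR/boot/modules/fwkern.conf is the file
# VSX reads at boot, and values there take effect only after a reboot.

set_fwkern_param() {
    # $1 = path to fwkern.conf, $2 = parameter name, $3 = value
    conf=$1; key=$2; val=$3
    [ -f "$conf" ] || : > "$conf"          # the file may not exist on a fresh member
    if grep -q "^${key}=" "$conf"; then
        # parameter already present: rewrite its value in place, keep other lines
        tmp="${conf}.tmp.$$"
        sed "s/^${key}=.*/${key}=${val}/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s=%s\n' "$key" "$val" >> "$conf"
    fi
}

# Read back the configured value so the edit can be checked before rebooting
get_fwkern_param() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Usage on each VSX cluster member, in Expert mode:
#   set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" fwha_monitor_all_vlan 1
#   reboot
#   fw ctl get int fwha_monitor_all_vlan     # shows the value the running kernel uses
```

Run it on every member: fwkern.conf is a per-member file, and a member whose kernel does not monitor the VLAN sync interface will not detect a failure of that link the way its peers do.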

Cluster Management

The VSX Gateway Management page allows you to define several security policy rules that protect the cluster itself. This policy is installed automatically on the new VSX cluster.

Note - This policy applies only to traffic destined for the cluster. Traffic destined for Virtual Systems, other virtual devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules covering the following services:

Configuring the Cluster Security Policy
  1. Allow: Enable a rule to allow traffic for those services for which you wish to allow traffic. Clear a rule to block traffic. By default, all services are blocked.

    For example, you may wish to allow ICMP echo-request traffic in order to be able to ping cluster members from the management server.

  2. Source: Click the arrow and select a Source Object from the list. The default value is *Any.

    Click New Source Object to define a new source.

    For more about security policies, see the R76 Security Management Administration Guide.

Completing the Wizard

To complete the VSX Cluster Wizard:

  1. Click Next to continue and then click Finish to complete the VSX Cluster wizard.

    It can take several minutes to complete. A message appears indicating successful or unsuccessful completion of the process.

    If the process ends unsuccessfully, click View Report to view the error messages. See the troubleshooting steps for more information.

  2. In SmartDashboard, double-click the new VSX Cluster object.
  3. Click ClusterXL and make sure that the Use State Synchronization option is enabled.

Converting a Security Gateway Cluster to VSX

Use the VSX Gateway Conversion wizard in SmartDashboard to convert a Gaia High Availability cluster of Security Gateways to a VSX cluster. The settings of each Security Gateway are applied to the VSX Gateway (VS0). For more about using the Conversion wizard, see sk79260.

You can only convert a cluster that uses the Gaia operating system.

Important - There is no loss of connectivity during the conversion process. You cannot use the conversion wizard to convert a Load Sharing cluster of Security Gateways.

Modifying a Cluster Definition

Once you create a cluster using the wizard, you can modify the topology and other parameters using the VSX Cluster Properties window. This window also allows you to configure many advanced features not available with the wizard.

To work with a VSX cluster definition, double-click on the cluster object in the SmartDashboard Network Object tree. The VSX Cluster Properties window opens, showing the General Properties page.

Most cluster objects and properties can be defined using the SmartDashboard GUI. Several definitions, however, require CLI commands, while others may be performed using either method.

A brief explanation for each of the definition pages follows. More detailed explanations for features that are not specific to VSX (NAT, IPS, VPN, etc.) are available in the online help or in the appropriate product Administration Guide.

General Properties

See the General Properties page to view general properties and to activate Check Point products for use with this cluster and its members.

You can modify the following properties:

Cluster Members

The Cluster Members page lets you view and modify several properties for individual cluster members, including IP addresses for members and the internal communication network. You can also view where cluster and member objects in the object database are used.

Gateway Cluster Member List

The Cluster Members page shows all the members of the VSX cluster.

To edit a cluster member:

From the Cluster Member page, select a member and click Edit.

The Cluster Member Properties window opens. These are the settings that you can edit:

Where Used

Click Where used to show information about the selected member in the objects database.

Internal IP Address and Net Mask

VSX creates an internal communication network and automatically assigns it an IP address and net mask from a predefined pool. You can change this IP address here if you have not yet defined a Virtual System. Although traffic from this address is never sent to any networks, you must ensure that this IP address is unique and not in use anywhere on your defined network.

ClusterXL

You can enable or disable state synchronization in the ClusterXL window and choose options to track changes in the state of cluster members on this page. All other ClusterXL configuration properties are disabled. You can modify the ClusterXL configuration using the vsx_util command.

Creation Templates

The Creation Templates page displays the creation template used to create Virtual Systems. You can change from the current creation template to the Custom Configuration template and change the shared physical interface if the Shared Interface template is active.

Physical Interfaces

The Physical Interfaces page allows you to add or delete a physical interface on the VSX Gateway, and to define interfaces to be used as VLAN trunks.

Synchronization

The Synchronization window displays the state synchronization network. There are no configurable properties.

Topology

The Topology page contains interface and routing definitions.

Interfaces

The Interfaces section defines interfaces and links to devices. You can add new interfaces as well as delete and modify existing interfaces.

To add an interface:

  1. Click New and select one of these options:
    • Regular - Create a new interface
    • State Synchronization
    • Leads to Virtual Router
    • Leads to Virtual Switch

    The Interface Properties window opens.

    Click Actions > Copy to Clipboard to copy the Interfaces table in CSV format.

  2. Define the appropriate properties.
  3. Click OK.

To change an interface:

  1. Double-click an interface.

    The Interface Properties window opens.

  2. Change the parameters for the interface.
  3. Click OK.

To delete an interface:

  1. From the Topology page, select the interface and click Delete.
  2. Click OK.

Routes

The Routes section of the Topology window defines routes between network devices, network addresses, and virtual devices. Some routes are defined automatically based on the interface definitions. You can add new routes as well as delete and change existing routes.

To add a default route to the routing table:

  1. Click Add Default Route.

    The Default Gateway window opens.

  2. Enter the default route IP address or select the default Virtual Router.
  3. Click OK.

    The default route is added to the routing table.

  4. Select the default route and click Edit.

    The Route Configuration window opens.

  5. Configure the settings for the default route and click OK.

To add a new route to the routing table:

  1. Click Add.

    The Route Configuration window opens.

  2. Configure the Destination IP address and netmask.
  3. Configure the next hop IP address or Virtual Router.
  4. Optional: Select Propagate route to adjacent virtual devices to "advertise" the route to neighboring virtual devices, and enable connectivity between them.
  5. Click OK.

To change a route:

  1. Select the route.
  2. Click Edit.

    The Route Configuration window opens.

  3. Change the settings.
  4. Click OK.

To delete a route:

  1. Select the route.
  2. Click Remove.

    A confirmation window opens.

  3. Click OK.

Calculating Topology Automatically Based on Routing Information

Enable this option to allow VSX to automatically calculate the network topology based on interface and routing definitions (enabled by default). VSX creates automatic links, or connectivity cloud objects linked to existing internal or external networks.

VPN Domain

The VPN Domain section in the Topology page defines the set of hosts that use a VPN tunnel to communicate with peer Virtual Systems.

Define a VPN Domain to include a virtual device as part of the VPN connection. The domain defines the Virtual System interfaces that are in the VPN. You can define a VPN Domain in different ways:

To specify the VPN domain:

  1. Click Set domain for Remote Access Community.

    The VPN Domain per Remote Access Community window opens.

  2. Double-click a Remote Access Community.

    The Set VPN Domain window opens.

  3. Select a VPN domain from the list, or click New, to define a new domain.
  4. Click OK.

NAT

The NAT > Advanced page lets you configure NAT rules for packets originating from a Virtual System.

To enable and configure NAT for a Virtual System:

  1. Select Add Automatic Address Translation.
  2. Select a translation method:
    • Hide: Hide NAT only allows connections originating from the internal network. Internal hosts can access internal destinations, the Internet and other external networks. External sources cannot initiate a connection to internal network addresses.
    • Static: Static NAT translates each private address to a corresponding public address.
  3. If you select Hide, select one of these options:
    • Hide behind Gateway hides the real IP address behind the Virtual System external interface IP address.
    • Hide behind IP Address hides the real address behind a virtual IP address, which is a routable, public IP address that does not belong to any real machine.
  4. If you selected Static NAT, enter the static IP address in the appropriate field.
  5. Select the VSX Gateway from the Install on Gateway list.

VSX Bridge Configuration

The VSX Bridge Configuration page allows you to specify the loop detection algorithm when working in the Bridge mode.

Enable the Check Point ClusterXL option to enable the Active/Standby Bridge Mode loop detection algorithms contained in ClusterXL.

Enable the Standard Layer-2 Loop Detection Protocols to use standard loop detection protocols, such as STP or PVST+.

Cooperative Enforcement

Cooperative Enforcement works with Check Point Endpoint Security servers. This feature utilizes the Endpoint Security server compliance capability to verify connections arriving from various hosts across the internal network. The Cooperative Enforcement window contains several configuration properties for defining this feature. For more information, please refer to the online help and the R76 Firewall Administration Guide.

Changing the Cluster Management IP and/or Subnet

You can change the cluster management IP address and/or subnet by executing the vsx_util change_mgmt_ip and vsx_util change_mgmt_subnet commands.

Changing the Internal Communication Network IP

You can change the internal communication network IP address by using the vsx_util change_private_net command.

Working with Cluster Members

This section presents procedures for adding and deleting cluster members, as well as for upgrading existing cluster members to VSX.

Adding a New Member

Important - Verify that no other administrators are connected to the management server before proceeding. The vsx_util command cannot modify the management database if the database is locked because other administrators are connected.

To add a new member to an existing cluster:

  1. Close SmartDashboard and backup the management database.
  2. From the management server CLI, enter expert mode.
  3. Run the vsx_util add_member command and follow the on-screen instructions.
  4. Wait until the add member operation finished successfully message appears, indicating that the database has been successfully updated and saved.

    Note - In a Multi-Domain Security Management environment, this operation will skip any Domain Management Servers locked by an administrator. If this should occur, run the operation again for the relevant Domain Management Servers once they become available.

  5. Open SmartDashboard and verify that an object representing the new member appears in the specified cluster.
  6. If necessary, modify the cluster configuration.
  7. Close SmartDashboard.
  8. From the management server CLI, enter expert mode.
  9. Run the vsx_util add_member_reconf command and follow the on-screen instructions.
  10. Wait until the Reconfigure module operation completed successfully summary notice appears.

    Note - In a Multi-Domain Security Management environment, the operation will skip any Domain Management Servers locked by an administrator. If this should occur, run the operation again for the relevant Domain Management Servers when they become available.

  11. Reboot the new member.
  12. If the cluster is running in the VSLS mode, run vsx_util vsls to redistribute Virtual Systems to the newly added member.

Deleting a Member

Important - Verify that no other administrators are connected to the management server before proceeding. The vsx_util command cannot modify the management database if the database is locked.

You perform this operation using the management server command line. It is strongly recommended that you back up the database prior to removing a member.

To remove a member from a cluster:

  1. Detach the license from the member to be removed. You cannot remove a member if the license is attached.
  2. Close SmartDashboard.
  3. From the management server command line, run the vsx_util remove_member command. Perform the following tasks as prompted:
    1. Enter the Security Gateway or main Domain Management Server IP address.
    2. Enter the administrator name and password.
    3. Type 'y' to confirm that you have detached the license from the member.
    4. Enter the cluster name.
    5. Enter the cluster member name.
    6. Type 'y' to confirm that the member to be removed has been disconnected.
  4. Wait until the remove member operation finished successfully message appears. The database is now updated and saved.
  5. Open SmartDashboard and verify that the deleted member no longer appears in the specified cluster.

    Note - In a Multi-Domain Security Management environment, the operation will skip any Domain Management Servers locked by an administrator. If this should occur, run the operation again for the relevant Domain Management Servers when they become available.

Upgrading Cluster Members

This section describes the procedures for upgrading cluster members that were initially installed using an earlier version of VSX. You perform the upgrade process using the vsx_util upgrade command. Afterwards, you use the vsx_util reconfigure command to apply settings stored in the management database to the newly upgraded member.

Upgrading a Member to the Current Version

Important - Verify that no other administrators are connected to the management server before proceeding. The vsx_util command cannot modify the management database if the database is locked.

Perform the following steps to upgrade the cluster and its members:

  1. Close SmartDashboard.
  2. Enter the Expert mode.
  3. Execute the vsx_util upgrade command from the management server command line.

    Enter the following information when prompted:

    1. Security Gateway or main Domain Management Server IP address
    2. Administrator name and password
    3. Cluster name
  4. When prompted, select the version to which you wish to upgrade.
  5. Wait until the Finished upgrading/database saved successfully message appears, indicating that the database has been updated and saved.
  6. Open SmartDashboard and verify that an object representing the new member now appears in the specified cluster.

    Note - In a Multi-Domain Security Management environment, the operation will skip any Domain Management Servers locked by an administrator. If this should occur, run the operation again for the relevant Domain Management Servers when they become available.

  7. Perform a fresh installation of VSX on each upgraded member.
  8. Perform the initial configuration steps on each member as described in the R76 Installation and Upgrade Guide. These steps include:
    1. Define the IP address, net mask and default gateway.
    2. Install a valid license.
    3. Set the SIC activation key.
    4. Configure the cluster properties as required. These property settings must be the same as defined for the other cluster members.
  9. Run the vsx_util reconfigure command from the management server command line. Enter the following information when prompted:
    1. Management server or main Domain Management Server IP address
    2. Administrator name and password
    3. SIC activation key for the upgraded member

    This action installs the existing security policy and configuration on the newly upgraded members.

  10. Wait until the Finished upgrading/database saved successfully message appears.

    Note - In a Multi-Domain Security Management environment, the operation will skip any Domain Management Servers locked by an administrator. If this should occur, run the operation again for the relevant Domain Management Servers when they become available.

  11. Reboot each member.

Notes to the Upgrade Process

Changing the Cluster Type

This section presents procedures for converting cluster members from one cluster type (High Availability or VSLS) to the other. Changing the cluster mode involves the use of the vsx_util convert_cluster command.

Converting from VSLS to High Availability

Do these procedures to convert a cluster from VSLS to High Availability:

  1. Redistributing all active Virtual Systems to one member
  2. Disabling VSLS options
  3. Converting the cluster to High Availability

Redistributing Active Virtual Systems to One Member

To redistribute all active Virtual Systems to one member:

  1. Close SmartDashboard.
  2. Enter the Expert mode.
  3. Execute the vsx_util vsls command.
  4. Enter the Security Management Server or Multi-Domain Security Management Domain Management Server IP address.
  5. From the Load Sharing menu, select "3. Set all VSs active on one member".
  6. Enter the administrator user name and password.
  7. Enter the VSX cluster name.
  8. Enter the number corresponding to the member designated to host all active Virtual Systems.
  9. Enter "y" to save and apply the configuration.
  10. Exit the Load Sharing menu.

When the redistribution finishes, there should be only one active member on which all Virtual Systems are in the active state, and one standby member on which all virtual devices are in the standby state. Any additional members should be in standby mode and their virtual devices in the down state.

Disabling VSLS Options

To convert existing cluster members to the VSX Gateway High Availability mode:

  1. On each member, execute the cpconfig command and do the following:
    1. Disable the Per Virtual System State for each member.
    2. Disable ClusterXL for Bridge Active/Standby for each member.
  2. Re-initialize the members using the cpstop and cpstart commands.

Converting the Cluster

To convert the cluster to High Availability:

  1. Execute the vsx_util convert_cluster command.
  2. Enter the Security Management Server or Multi-Domain Security Management Domain Management Server IP address.
  3. Enter the administrator user name and password.
  4. Enter the VSX cluster name.
  5. At the ClusterXL mode prompt, enter: HA
  6. Re-initialize all members using the cpstop and cpstart commands.

Converting from High Availability to VSLS

To convert an existing High Availability cluster to VSLS Load Sharing:

  1. Close SmartDashboard.
  2. On each member:
    1. Run cpconfig
    2. Enable the Per Virtual System State.
    3. Enable ClusterXL for Bridge Active/Standby.
  3. Restart the members: cpstop and cpstart
  4. On the management server, enter Expert mode.
  5. Run: vsx_util convert_cluster
  6. Enter the Security Management Server or Multi-Domain Security Management Domain Management Server IP address.
  7. Enter the administrator user name and password.
  8. Enter the VSX cluster name.
  9. Enter: LS
  10. At the "Proceed with conversion?" prompt, enter: y
  11. Select an option to distribute Virtual Systems among members:
    1. Distribute all Virtual Systems equally.
    2. Set all Virtual Systems as Active on the same member.
  12. Reboot the members.

Note - You cannot convert a VSX cluster to the VSLS mode if it contains Virtual Systems in the Active/Active Bridge mode or Virtual Routers.

Sample Command Output

The following screen printout shows an example of the output from the vsx_util convert_cluster command.

vsx_util convert_cluster
 
*************************************************
Note: the operation you are about to perform changes the information in the
management database. Back up the database before continuing.
*************************************************
Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):
Enter Administrator Name:
Enter Administrator Password:
Enter VSX cluster object name:
Enter desired ClusterXL mode: HA-High Availability, LS-Load Sharing 
(HA | LS): LS
 
All modules must be in the 'Per VS State' mode to conclude this operation
successfully. Use the command cpconfig on each module to verify compliance
before continuing with the operation.
 
When converting a cluster, there are two options for distributing the existing
Virtual System(s) among cluster members:
1. Distribute all Virtual Systems so that each cluster member is equally loaded.
2. Set all Virtual Systems as Active on the same cluster member.
 
After converting the cluster, the command vsx_util redistribute_vsls may be
used to modify Virtual System distribution.
Enter distribution option (1-2) [1]: 1
 
Converting the cluster to ClusterXL Load Sharing mode...
The cluster was successfully converted to ClusterXL Load Sharing mode
Installing new policy...
...
Policy installation finished successfully.

Enabling VSX Gateway High Availability

VSX Gateway High Availability is the default cluster configuration. If Load Sharing (VSLS) is not active, a cluster functions in the VSX Gateway High Availability mode. All members of a cluster must be configured to use the same clustering mode.

Configuring New Cluster Members

To configure members for VSX Gateway High Availability:

In the Gaia First Time Configuration Wizard Products page, select ClusterXL.

Configuring Virtual System Load Sharing

This section presents the various procedures for configuring VSLS deployments. You use the vsx_util vsls command to perform the VSLS configuration tasks.

To start vsx_util vsls:

  1. From the management server Expert mode, execute vsx_util vsls.
  2. Enter the management server IP address.
  3. Enter administrator user name and password.
  4. Enter the VSX cluster object name.
  5. From the VSLS menu, choose the desired option.

Enabling VSLS

In order to use VSLS for VSX, you must first activate the Per Virtual System State mode on each cluster member. You can then create a Load Sharing cluster, either by creating a new cluster object, or by converting an existing High Availability cluster to Load Sharing mode. After completing this process, you can modify Virtual Systems as required.

Enabling the Per Virtual System State Mode

The Per Virtual System State mode enables active Virtual Systems to be placed on different cluster members, and for Virtual System-specific failover. This setting is mandatory for VSLS.

Note - The following virtual devices are not supported when the Per Virtual System state is enabled:

  • Virtual Routers
  • Virtual Switches that do not have physical or VLAN interfaces

On each cluster member, do the following:

  1. Run cpconfig.
  2. Select Enable Check Point Per Virtual System State.
  3. Answer y to the question: Would you like to enable Per Virtual System state?
  4. Reboot the machine.
  5. Repeat this procedure for each member.

Creating a New VSLS Cluster

To create a new VSLS cluster:

  1. Open SmartDashboard.
  2. From the Network Objects tree, right click Check Point and select VSX > Cluster.

    The VSX Cluster Wizard opens.

  3. Create and configure the new cluster.
    1. On the General Properties page, from VSX Cluster Platform, select Check Point ClusterXL Virtual System Load Sharing.
    2. On the Creation Templates page, select the creation template.
    3. Complete the VSX Cluster Wizard.

Using the vsx_util vsls Command

You use the vsx_util vsls command to perform various Virtual System Load Sharing configuration tasks, including:

  1. Displaying the current VSLS configuration
  2. Distributing Virtual Systems equally amongst cluster members
  3. Setting all Virtual Systems as active on one member
  4. Manually defining the priority and weight for individual Virtual Systems
  5. Importing VSLS configurations from comma separated value (CSV) text files
  6. Exporting VSLS configurations to comma separated value (CSV) text files

To work with the vsx_util vsls command:

  1. Run vsx_util vsls from the Expert mode on the management server
  2. Select the desired choice from the VSLS menu

Example: vsx_util vsls main menu

Enter Administrator Name: aa
Enter Administrator Password:
Enter VSX cluster object name: vsx
 
VS Load Sharing - Menu
________________________________
1. Display current VS Load sharing configuration
2. Distribute all Virtual Systems so that each cluster member is equally loaded
3. Set all VSs active on one member
4. Manually set priority and weight
5. Import configuration from a file
6. Export configuration to a file
7. Exit
 
Enter redistribution option (1-7) [1]:

Distributing Virtual Systems Amongst Members

The primary advantage of VSLS is the ability to distribute active, standby and backup Virtual Systems amongst cluster members in order to maximize throughput and user response time. You can choose to distribute Virtual Systems according to one of the following options:

Distributing Virtual Systems for Equal Member Loading

To distribute Virtual Systems for equal member loading:

  1. From the VSLS menu, select "2. Distribute all Virtual Systems so that each cluster member is equally loaded".
  2. At the "Save & apply configuration?" prompt, enter "y" to continue.

The update process may take several minutes or longer to complete, depending on the quantity of Virtual Systems and cluster members.

Placing All Active Systems on the Same Member

  1. From the VSLS menu, select "3. Set all VSs active on one member".
  2. When prompted, enter the number corresponding to the member designated as the primary member.
  3. When prompted, enter the number corresponding to the member designated as the standby member. All other members will be designated as backup members.
  4. At the "Save & apply configuration?" prompt, enter "y" to continue.

The update process may take several minutes or longer to complete, depending on the quantity of Virtual Systems and cluster members.

Assigning Priorities and Weights for a Single Virtual System

You can modify these settings in one of two ways:

To automatically assign weights to all Virtual Systems:

  1. From the VSLS menu, select Manually set priority and weight.
  2. Enter "a" to automatically scroll through each Virtual System.
  3. For each Virtual System, enter a weight value and press Enter.
    1. If you do not enter a weight value for a Virtual System, the currently assigned weight is retained.
    2. To stop entering weight values for additional Virtual Systems, enter s. Only those Virtual Systems that have been assigned a new weight value will be updated.
  4. At the Save & apply configuration prompt, enter y to continue.

The update process may take several minutes or longer to complete, depending on the quantity of Virtual Systems and cluster members.

To manually assign priorities and weights for individual Virtual Systems:

  1. From the VSLS menu, select Manually set priority and weight.
  2. Enter m to manually update both priorities and weights for individual Virtual Systems.
  3. At the Would you like to change the Virtual System's priority list? prompt, enter y to change the member priority.
    1. Enter the number associated with the member to receive the highest priority.
    2. Enter the number associated with the member to receive the next highest priority.
    3. Continue until all members have been assigned a priority.
  4. At the Would you like to change the Virtual System's weight? prompt, enter y to assign a new weight, or n to retain the existing weight value.
    1. At the prompt, enter an integer between 1 and 100, representing the new weight value.
  5. At the "Do you wish to configure another Virtual System?" prompt, enter "y" to configure another Virtual System or "n" to continue.
  6. At the "Save & apply configuration?" prompt, enter "y" to continue.

The update process may take several minutes or longer to complete, depending on the quantity of Virtual Systems and cluster members.

Viewing VSLS Status

To view the current VSLS status and Virtual System distribution amongst members, select "1. Display current VS Load Sharing configuration" from the VSLS menu. The output is similar to the example below:

----+---------+-----------+-----------+-----------+--------+
VSID| VS name | gw150     | gw151     | gw152     | Weight |
----+---------+-----------+-----------+-----------+--------+
  2 | vs1     | 0         | 1         | 2         | 10     |
  3 | vs2     | 2         | 0         | 1         | 10     |
  4 | vs3     | 1         | 2         | 0         | 10     |
  5 | vs5     | 0         | 2         | 1         | 10     |
  6 | vs4     | 1         | 0         | 2         | 10     |
----+---------+-----------+-----------+-----------+--------+
 Total weight | 20        | 20        | 10        | 50     |
----+---------+-----------+-----------+-----------+--------+
 
Legend:
0 - Highest priority
1 - Next priority
2 - Lowest priority

Virtual System Priority

Virtual System priority refers to a preference regarding which member hosts a Virtual System's active, standby, and backup states. This preference is expressed as an integer value.

Priority   Definition

0          Highest priority, indicating the member designated to host the Virtual System active state.

1          Second highest priority, indicating the member designated to host the Virtual System standby state.

> 1        Lower priorities, indicating members designated to host a Virtual System's backup state. The cluster member assigned priority 2 will be the first to switch the Virtual System to the Standby state in the event of a failure of either the Active or Standby Virtual System. A cluster member assigned priority 3 would be the next in line to come online in the event of another failure.

Virtual System Weight

Each Virtual System is assigned a weight factor, which indicates its traffic volume relative to the total traffic volume (the sum of all weight factors) on a given cluster member. VSX uses the weight factor to determine the most efficient distribution of Virtual Systems amongst cluster members. System resource allocation is not affected by the weight factor, nor does VSX take weight into consideration for any other purpose.

By default, all Virtual Systems are assigned an equal weight factor of 10.

Exporting and Importing VSLS Configurations

When working with large scale VSLS deployments consisting of many Virtual Systems and multiple cluster members, using the vsx_util command to perform configuration tasks can be quite time consuming. To allow administrators to efficiently configure such deployments, VSX supports uploading VSLS configuration files containing configuration information for all Virtual Systems directly to management servers and cluster members.

This capability offers the following advantages:

VSLS configuration files are comma separated value (CSV) files that are editable using a text editor or other applications, such as Microsoft Excel. You can use the configuration file to rapidly change the weight and cluster member priority for each Virtual System in the list.

Note - You cannot use the VSLS configuration file to add or remove cluster members. You must use the appropriate vsx_util commands to accomplish this.

You can use the VSLS configuration file to change member priorities for Virtual Systems after adding or removing a member.

VSLS Configuration File

The VSLS configuration file is a comma separated value (CSV) text file that contains configuration settings for all Virtual Systems controlled by a management server. All lines preceded by the # symbol are comments and are not imported into the management database.

# Check Point VSX - VS Load Sharing configuration file
#
# Administrator        : aa
# SmartCenter/Main Domain Management Server : 192.168.50.160
# Generated on         : Thu Jul 23 13:08:42 2009
#
#
#
# VSID, Weight, Active member, Standby member, Backup member #1
# Virtual System name: vs1
2,10,gw150,gw151,gw152
 
# Virtual System name: vs2
3,10,gw151,gw152,gw150
 
# Virtual System name: vs3
4,10,gw152,gw150,gw151
 
# Virtual System name: vs4
6,10,gw151,gw150,gw152
 
# Virtual System name: vs5
5,10,gw150,gw152,gw151

The configuration file contains one line for each Virtual System, consisting of the following data:

Each line contains the VSID, the weight assigned to the Virtual System, one primary (active) member and one standby member. Additional backup members are listed after the standby member, in order of decreasing priority.

Exporting a VSLS configuration

The most common way to use VSLS configuration files is to initially define your cluster environment and Virtual Systems using SmartDashboard.

To export a VSLS configuration to a text file:

  1. From the VSLS menu, select "6. Export configuration to a file".
  2. Enter a file name, including its fully qualified path, for example:

    /home/admin/MyConfiguration

Processing Options

You can insert the following commands in the VSLS configuration file to display audit trail information while validating and processing data. Each command acts as a toggle, whereby the first occurrence of a command enables the action and the next occurrence disables it. These options allow you to efficiently debug very long configuration files by displaying or logging only suspicious sections of the data.

Command     Action

!comments   Sequentially displays comment lines (those preceded with the '#' character) contained in the configuration file. You can insert comments into the configuration file to indicate which Virtual Systems are currently being processed or to provide status information as the parser processes the data.

!verbose    Displays whether or not each data line has been successfully verified and the configuration parameters for each Virtual System.

!log        Saves !comments and !verbose information in the vsx_util.log file.

Importing a VSLS configuration

To import a VSLS configuration from a text file:

  1. From the VSLS menu, select "5. Import configuration from a file".
  2. Enter the file name, including its fully qualified path, for example:

    /home/admin/MyConfiguration

  3. At the "Save & apply configuration?" prompt, enter "y" to continue.

During the import process, the parser reads the configuration file and attempts to validate the contents. Errors are displayed on the screen together with the offending line number. If either the !comments or !verbose processing options are enabled, the appropriate information appears on the screen.

The update process may take several minutes or longer to complete, depending on the quantity of Virtual Systems, Domain Management Servers and cluster members.
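The file format, the !comments / !verbose / !log processing options and the "Total weight" row of the VSLS status display all describe the same data. The following added example (not part of the guide and not the vsx_util tool) is a small Python validator that parses a constructed copy of the example configuration file, applies the toggles the way the guide describes them, reports problems with the offending line number as the import step does, and recomputes the per-member active weight. The member names gw150, gw151 and gw152 come from the guide's sample output; the extra line for VSID 7 is constructed to show error reporting, and the rule that a member may not appear twice on one line is an assumption of the example.

```python
"""Validator for a Check Point VSLS configuration file.  Added example, not
part of the VSX guide or of the vsx_util tool.  Format as in the guide:
'#' lines are comments, data lines are 'VSID,Weight,Active,Standby,Backup...',
and each '!comments' / '!verbose' / '!log' line toggles audit output.  Audit
messages are returned in a list rather than written to vsx_util.log.
"""

# Constructed sample: the guide's example file plus a '!verbose' pair and one
# deliberately broken line (VSID 7) to show how errors are reported.
SAMPLE_VSLS_FILE = """\
# Check Point VSX - VS Load Sharing configuration file
# VSID, Weight, Active member, Standby member, Backup member #1
!verbose
# Virtual System name: vs1
2,10,gw150,gw151,gw152
# Virtual System name: vs2
3,10,gw151,gw152,gw150
# Virtual System name: vs3
4,10,gw152,gw150,gw151
# Virtual System name: vs4
6,10,gw151,gw150,gw152
# Virtual System name: vs5
5,10,gw150,gw152,gw151
!verbose
# Virtual System name: vs6 (constructed: weight out of range, member repeated)
7,250,gw150,gw150
"""

# Constructed cluster member names, taken from the guide's example output.
MEMBERS = ("gw150", "gw151", "gw152")


def parse_vsls(text, members=MEMBERS):
    """Return (entries, errors, messages).  entries: one dict per accepted
    Virtual System with vsid, weight and priority {member: 0 active,
    1 standby, 2.. backup}; errors: 'line N: reason' (1-based, as vsx_util
    reports them); messages: audit trail while !comments/!verbose are on."""
    entries, errors, messages = [], [], []
    show_comments = verbose = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line in ("!comments", "!verbose", "!log"):
            # Each occurrence flips the option; !log only redirects output
            # to vsx_util.log, which this example does not model.
            show_comments ^= line == "!comments"
            verbose ^= line == "!verbose"
            continue
        if line.startswith("#"):
            if show_comments:
                messages.append(f"line {lineno}: {line}")
            continue

        fields = [f.strip() for f in line.split(",")]
        problems = []
        if len(fields) < 4:
            problems.append("need VSID, weight, active member and standby member")
        vsid = int(fields[0]) if fields[0].isdigit() else None
        if vsid is None:
            problems.append(f"VSID {fields[0]!r} is not an integer")
        elif any(e["vsid"] == vsid for e in entries):
            problems.append(f"VSID {vsid} appears more than once")
        weight = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
        if weight is None or not 1 <= weight <= 100:
            problems.append("weight must be an integer between 1 and 100")
        order = fields[2:]
        unknown = [m for m in order if m not in members]
        if unknown:
            problems.append(f"unknown member(s) {unknown}: the file cannot add members")
        if len(set(order)) != len(order):
            problems.append("a member is listed more than once")  # assumed rule
        if problems:
            errors.extend(f"line {lineno}: {p}" for p in problems)
            if verbose:
                messages.append(f"line {lineno}: verification FAILED")
            continue
        priority = {m: i for i, m in enumerate(order)}
        entries.append({"vsid": vsid, "weight": weight, "priority": priority})
        if verbose:
            messages.append(f"line {lineno}: OK VSID {vsid} weight {weight} {priority}")
    return entries, errors, messages


def member_load(entries, members=MEMBERS):
    """Weight each member hosts in the Active state (priority 0): the
    'Total weight' row of the VSLS status display."""
    load = {m: 0 for m in members}
    for e in entries:
        for m, p in e["priority"].items():
            if p == 0:
                load[m] += e["weight"]
    return load
```

Running parse_vsls(SAMPLE_VSLS_FILE) accepts the five Virtual Systems from the guide, reports two problems for line 16, and member_load gives 20, 20 and 10 for gw150, gw151 and gw152, matching the "Total weight" row in the status display above. Because the second !verbose turns the option off, the failing line produces errors but no audit message, which is the selective debugging the Processing Options section describes.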

Configuring Virtual Systems in Bridge Mode

This section explains configurations and procedures for Virtual Systems in Bridge mode. With native layer-2 bridging instead of IP routing, you can add Virtual Systems without affecting the existing IP structure.

When in Bridge mode, Virtual System interfaces do not require IP addresses. You can assign an IP address to the Virtual System itself (not the interfaces) to enable layer-3 monitoring. This feature enhances network fault detection.

VSX supports these Bridge mode models:

Overview

STP Bridge Mode

This section presents the procedures for enabling and configuring the STP Bridge mode for Virtual Systems and VSX Gateways.

The same procedures are applicable for a VSX cluster for PVST + Load Sharing.

Defining the Spanning Tree Structure

Define and configure the Spanning Tree structure according to your network requirements. (For PVST + Load Sharing, configure the structure for each VLAN.)

See your hardware documentation for the specific procedures for your network deployment.

Enabling Active/Active Bridge Mode when Creating a Member

When you create a new VSX Gateway to use as a cluster member, configure it as a cluster member when you first define the gateway.

  1. Run: cpconfig
  2. At Would you like to install a Check Point clustering product, enter: y
  3. If prompted to disable Active/Standby Bridge Mode, enter: n
  4. Continue with the cpconfig options as usual.

Enabling Active/Active Bridge Mode for Existing Members

To enable the Active/Active Bridge mode for existing cluster members:

  1. Run: cpconfig
  2. Enable cluster membership for this member.

    (If a numerical value appears here, cluster membership has already been enabled).

  3. Disable ClusterXL for Bridge Active/Standby.
  4. Reboot the member.

Configuring Clusters for Active/Active Bridge Mode

To enable the Active/Active Bridge mode for a cluster:

  1. Open SmartDashboard.
  2. From the Network Objects tree, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. Select Other > VSX Bridge Configuration.
  4. Select Standard Layer-2 Loop Detection Protocols.

Configuring Virtual Systems for STP Bridge Mode

To configure a Virtual System to use bridge mode, define it as a Virtual System in bridge mode when you first create it. You cannot reconfigure a non-Bridge mode Virtual System to use bridge mode later.

Configuring PVST + Load Sharing

Defining the Spanning Tree Structure

Define and configure the Spanning Tree structure for each VLAN according to your network deployment. Please refer to your network hardware documentation for specific procedures.

Configuring a Cluster for PVST + Load Sharing

To configure a VSX cluster for PVST + Load Sharing, perform the procedures described in the STP Bridge Mode section.

Active/Standby Bridge Mode

This section presents the procedures for enabling and configuring the Active/Standby Bridge Mode for Virtual Systems and VSX Gateways.

Enabling and Configuring Active/Standby Bridge Mode

Enabling Active/Standby Bridge Mode for a New Member

When you create a new cluster member, enable the cluster options during the first configuration.

  1. In the Gaia First Time Configuration Wizard Products page, select ClusterXL.
  2. From the VSX Gateway CLI, run: cpconfig
    • If you enable the Per Virtual System State feature (required for VSLS), Active/Standby Bridge Mode is enabled automatically.
    • If you chose not to enable Virtual System Load Sharing, an option to enable Active/Standby Bridge Mode appears. Enter y and continue with the gateway configuration.

Enabling Active/Standby Bridge Mode for Existing Members

To enable the Active/Standby Bridge Mode on existing Virtual Systems:

  1. Run: cpconfig
  2. Enable ClusterXL for Bridge Active/Standby.
  3. Reboot the member.

Configuring Clusters for Active/Standby Bridge Mode

To enable the Active/Standby Bridge Mode for a cluster:

  1. Open SmartDashboard.
  2. From the Network Objects tree, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. Select Other > VSX Bridge Configuration.
  4. Select Check Point ClusterXL.

    The Active/Standby Bridge Mode loop detection algorithm in ClusterXL is enabled.

Configuring Virtual Systems for Active/Standby Bridge Mode

To configure a Virtual System to use bridge mode, define it as such when you first create the object.

To configure a Virtual System for the Active/Standby Bridge Mode:

  1. In the Virtual System General Properties page of the new Virtual System object, select Bridge Mode.
  2. Click Next.

    The Virtual System Network Configuration window opens.

  3. Configure the external and internal interfaces for the Virtual System.
  4. Optional: Select Enable Layer-3 Bridge Interface Monitoring.

    The IP address must be unique and on the same subnet as the protected network.

  5. Click Next and then click Finish.

Advanced Clustering Configuration

This section presents several advanced cluster scenarios and procedures for their configuration.

Clusters on the Same Layer-2 Segment

The recommended cluster architecture contains interfaces connected to a Layer-2 segment that is isolated from other clusters. When configuring a cluster with only two members, you should connect the secured interfaces of the sync network using a crossover cable.

However, in a deployment where multiple clusters need to connect to the same Layer-2 segment, the same MAC address may be used by more than one cluster for Cluster Control Protocol (CCP) communication. This may direct traffic to the incorrect cluster. In this case you will need to modify the source MAC address(es) of the clusters.

This section describes how source MAC addresses are assigned, and explains how to change them. This procedure applies to both ClusterXL and OPSEC certified clustering products using the High Availability mode.

Source Cluster MAC Addresses

Cluster members use CCP to communicate with each other. In order to distinguish CCP packets from ordinary network traffic, CCP packets are given a unique source MAC address.

Default Value of Fifth Byte   Purpose

0xfe                          CCP traffic

0xfd                          Forwarding layer traffic

When multiple clusters are connected to the same Layer-2 segment, setting a unique value to the fifth byte of the MAC source address of each cluster allows them to coexist on the same Layer-2 segment.

Changing a Cluster's MAC Source Address

To change a cluster's MAC source address, run these commands on each cluster member:

fw ctl set int fwha_mac_magic <value>
fw ctl set int fwha_mac_forward_magic <value>

Parameter                 Default value

fwha_mac_magic            0xfe

fwha_mac_forward_magic    0xfd

Use any value, as long as the two gateway configuration parameters are different. To avoid confusion, do not use the value 0x00.

Making the Change Permanent

You can configure the above parameters to persist following reboot.

  1. Use a text editor to open the file fwkern.conf, located at $FWDIR/boot/modules/.
  2. Add the line Parameter=<value in hex>. Make sure there are no spaces.

Monitoring all VLANs with ClusterXL

By default, ClusterXL only monitors two VLANs for failure detection and failover. These are the highest and lowest VLAN tags defined for a given interface.

For example, if the topology for interface eth1 includes several VLAN tags in the range of eth1.10 to eth1.50, ClusterXL only monitors VLANs eth1.10 and eth1.50 for failure. Failures on any of the other VLANs are not detected in the default configuration.

Note - The command line option cphaprob -a if displays the highest and lowest VLANs being monitored.

When both the highest and lowest VLANs fail, all the VLANs are considered down, and a failover occurs. This means that if a VLAN which is not listed as the highest or lowest goes down, the trunk is still considered "up", and no failover occurs.

There are instances in which it would be advantageous to monitor all the VLANs in the trunk, not just the highest and lowest, and initiate a failover when any one of the VLANs goes down.

To enable monitoring of all VLANs, enable the fwha_monitor_all_vlan property in $FWDIR/boot/modules/fwkern.conf. Change the property to fwha_monitor_all_vlan=1.

Note - Monitoring all VLANs is enabled automatically when the Per VLAN state option is enabled.
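Both "Making the Change Permanent" and the fwha_monitor_all_vlan setting edit the same file in the same Parameter=<value> form, so one helper serves both. The following is an added example, not Check Point code: a Python function that rewrites fwkern.conf, replacing existing parameter lines in place and appending new ones, and refusing a change that the guide describes as wrong (a line containing spaces, identical values for fwha_mac_magic and fwha_mac_forward_magic, the discouraged value 0x00, or a fwha_monitor_all_vlan value other than 0 or 1). It also emits the fw ctl set int commands from the guide for applying the MAC values on a running member. The default path assumes $FWDIR is set, as it is in a gateway shell; the DEFAULTS table holds only the values the guide states.

```python
"""Persist ClusterXL kernel parameters in $FWDIR/boot/modules/fwkern.conf.
Added example, not Check Point code.  Rules enforced are the ones in the
guide: one 'Parameter=<value>' per line with no spaces, fwha_mac_magic and
fwha_mac_forward_magic must differ and should not be 0x00, and
fwha_monitor_all_vlan=1 turns on monitoring of every VLAN in the trunk.
"""
import os
import re

# Parameters the guide documents, with the default values it gives.
DEFAULTS = {
    "fwha_mac_magic": "0xfe",          # fifth byte of the source MAC for CCP traffic
    "fwha_mac_forward_magic": "0xfd",  # fifth byte for forwarding-layer traffic
    "fwha_monitor_all_vlan": "0",      # 1 = monitor all VLANs, not only highest/lowest
}
MAC_PARAMS = ("fwha_mac_magic", "fwha_mac_forward_magic")
LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(\S+)$")  # Parameter=value, no spaces


def validate(settings):
    """Check the resulting parameter set against the guide's rules.
    'settings' maps name -> value string as it would be written; values for
    undocumented parameters are only checked for the line syntax.
    Raises ValueError on the first problem, returns the parsed integers."""
    for name, value in settings.items():
        if not LINE_RE.match(f"{name}={value}"):
            raise ValueError(f"{name}={value!r} is not a valid Parameter=value line (no spaces)")
    values = {n: int(settings.get(n, DEFAULTS[n]), 0) for n in DEFAULTS}  # 0x.. or decimal
    for name in MAC_PARAMS:
        if not 0 < values[name] <= 0xFF:
            raise ValueError(f"{name} must be a single byte and not 0x00")
    if values["fwha_mac_magic"] == values["fwha_mac_forward_magic"]:
        raise ValueError("fwha_mac_magic and fwha_mac_forward_magic must differ")
    if values["fwha_monitor_all_vlan"] not in (0, 1):
        raise ValueError("fwha_monitor_all_vlan must be 0 or 1")
    return values


def render_fwkern(existing_text, updates):
    """Return new file contents: lines for parameters in 'updates' are
    rewritten in place, missing ones appended, everything else kept."""
    current = {}
    for line in existing_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2)
    merged = dict(current)
    merged.update(updates)
    validate(merged)  # validate the state the file will be in, not just the delta
    out, seen = [], set()
    for line in existing_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) in updates:
            out.append(f"{m.group(1)}={updates[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    for name, value in updates.items():
        if name not in seen:
            out.append(f"{name}={value}")
    return "\n".join(out) + "\n"


def fw_ctl_commands(updates):
    """The commands the guide gives for applying the MAC magic values on a
    running member; fwkern.conf itself only takes effect after a reboot."""
    return [f"fw ctl set int {n} {updates[n]}" for n in MAC_PARAMS if n in updates]


def apply_fwkern(updates, path=None):
    """Rewrite fwkern.conf on disk (default: $FWDIR/boot/modules/fwkern.conf)."""
    path = path or os.path.join(os.environ["FWDIR"], "boot", "modules", "fwkern.conf")
    existing = open(path).read() if os.path.exists(path) else ""
    new_text = render_fwkern(existing, updates)
    with open(path, "w") as fh:
        fh.write(new_text)
    return new_text
```

A typical call is apply_fwkern({"fwha_mac_magic": "0xf0", "fwha_mac_forward_magic": "0xf1"}) on each member of the second cluster, followed by the commands from fw_ctl_commands() or a reboot. Validating the merged state rather than only the new values matters: setting fwha_mac_forward_magic alone to 0xfe would collide with the default fwha_mac_magic already in effect, and the helper rejects that.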

Enabling Broadcast Mode

The default ClusterXL Control Protocol transport mode is multicast. Use the cphaconf set_ccp command to configure broadcast or multicast mode for the cluster.

To enable broadcast or multicast mode:

  1. On a cluster member, run cphaconf set_ccp {broadcast|multicast}
  2. Repeat the previous step on every other cluster member.