
Configuring ClusterXL

In This Section:

Creating Cluster Members

Configuring Routing for Client Computers

Choosing the CCP Transport Mode on the Cluster Members

Configuring the Cluster Object and Members

Configuring Gateway Cluster in Bridge Mode

Configuring Link State Propagation

This procedure describes how to configure the Load Sharing Multicast, Load Sharing Unicast, and High Availability New modes from scratch. Their configuration is identical, apart from the mode selection in the SmartDashboard Cluster object or in the Cluster creation wizard.

If you are still using the High Availability Legacy Mode, refer to the appendix.

Creating Cluster Members

Important - The hardware for all cluster members must be exactly the same, including:

  • CPU
  • Motherboard
  • Memory
  • Number and type of interfaces

To create new cluster members for ClusterXL:

  1. Obtain and install a ClusterXL central license for your Security Management Server.
  2. Install and configure Check Point Security Gateway for all cluster members. Each member must use the identical version and build. For installation and initial configuration procedures, refer to the R77 Installation and Upgrade Guide.

    During the installation process, enable ClusterXL and State Synchronization:

    • For Gaia members, run cpconfig from the command line and select Enable cluster membership for this gateway.
    • For SecurePlatform and Solaris members, select Enable cluster membership for this gateway.
    • For Windows members, select This Gateway is part of a cluster.

      If you did not perform this action during installation, you can enable it later with the cpconfig utility. Run cpconfig from the command line and select the options that enable cluster capabilities for that member. You may be asked to reboot the member.

  3. Define an IP address for each interface on all members. Do not define IPv6 addresses for synchronization interfaces.
  4. For VPN cluster members, synchronize the member clocks to within one second of each other. Setting the time manually once may be enough for members that stay up continuously, but NTP or another time synchronization service supplied by the operating system is more reliable. Clock synchronization is not required for non-VPN cluster functionality.
  5. Connect the cluster members to each other and to the networks through switches. For the synchronization interfaces, you can use a crossover cable or a dedicated switch. Make sure that each network (internal, external, Synchronization, DMZ, and so on) is on a separate VLAN, switch or hub.

Note - You can also perform synchronization over a WAN.
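The consistency requirements in steps 2 and 4 (identical version and build on every member, clocks within one second of each other for VPN members) can be checked with a script before the cluster object is created. The following bash script is an added example, not Check Point code or part of this guide. It assumes SSH access as the expert user to members named gw-a and gw-b (placeholder names), that `fw ver -k` prints a `kernel:` line carrying the version and build, and that `date +%s` is available on each member; the sample output embedded at the bottom is constructed so the checks can run offline.

```shell
#!/bin/bash
# Added example: pre-flight consistency check for new ClusterXL members.
# Not Check Point code. Assumes SSH access as the expert user to each member
# (hostnames are placeholders), that "fw ver -k" prints a "kernel:" line,
# and that "date +%s" works on the member. SAMPLE_* data below is constructed.

# Collect one fact line per member: <member>|<kernel version and build>|<epoch seconds>
collect_member_facts() {
    local member="$1"
    local build epoch
    build=$(ssh "$member" 'fw ver -k' | awk '/^kernel:/ { sub(/^kernel: /, ""); print }')
    epoch=$(ssh "$member" 'date +%s')
    printf '%s|%s|%s\n' "$member" "$build" "$epoch"
}

# Step 2: every member must run the identical version and build.
# Reads fact lines on stdin; returns 0 when all builds are the same.
check_same_build() {
    local distinct
    distinct=$(cut -d'|' -f2 | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq 1 ]
}

# Step 4: VPN members must agree to within one second.
# Reads fact lines on stdin, prints the observed skew, returns 0 when skew <= 1s.
check_clock_skew() {
    cut -d'|' -f3 | sort -n | awk '
        NR == 1 { min = $1 }
        { max = $1 }
        END {
            skew = max - min
            print "clock skew: " skew "s"
            status = (skew > 1)
            exit status
        }'
}

# Constructed sample output, in the format collect_member_facts emits.
SAMPLE_OK='gw-a|R77.30 - Build 204|1700000000
gw-b|R77.30 - Build 204|1700000001'

# Constructed failure case: build differs and clocks are 5 seconds apart.
SAMPLE_BAD='gw-a|R77.30 - Build 204|1700000000
gw-b|R77.30 - Build 203|1700000005'

# Usage: run_preflight gw-a gw-b ...   (live, over SSH)
#        run_preflight                 (no arguments: evaluate the embedded sample)
run_preflight() {
    local facts
    if [ $# -gt 0 ]; then
        facts=$(for m in "$@"; do collect_member_facts "$m"; done)
    else
        facts="$SAMPLE_OK"
    fi
    printf '%s\n' "$facts" | check_same_build || { echo "FAIL: version/build differs between members"; return 1; }
    printf '%s\n' "$facts" | check_clock_skew || { echo "FAIL: member clocks differ by more than 1 second"; return 1; }
    echo "OK: members are consistent"
}
```

Run `run_preflight gw-a gw-b` from a host that can reach every member; with no arguments it evaluates the embedded sample. A build mismatch or a skew above one second fails the check, and that is the condition to fix before configuring the cluster object in SmartDashboard.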

Configuring Routing for Client Computers

To configure routing for client computers:

  1. Configure routing so that traffic from external networks to internal networks is sent to the external cluster virtual IP address. For example, configure a static route so that the internal network 10.10.0.0 is reached through 192.168.2.100.
  2. Configure routing so that traffic from internal networks to external networks is sent to the internal cluster virtual IP address. For example, define the internal cluster IP address 10.10.0.100 as the default gateway for each computer on the internal side of the cluster.

Choosing the CCP Transport Mode on the Cluster Members

The ClusterXL Control Protocol (CCP) uses multicast by default, because it is more efficient than broadcast. If the connecting switch cannot forward multicast traffic, you can configure the cluster members to send CCP as broadcast instead, which the switch can forward but which is less efficient.

To change the CCP mode between broadcast and multicast, run the following command on each cluster member, so that all members use the same mode:

cphaconf set_ccp broadcast|multicast