Working with VPNs and Clusters

Included Topics

Configuring VPN and Clusters

Defining VPN Peer Clusters with Separate Security Management Servers

Configuring VPN and Clusters

Configuring a Security Gateway cluster using SmartDashboard is very similar to configuring a single Security Gateway. All attributes of the VPN are defined in the Cluster object, except for two attributes that are defined per cluster member.

  1. Go to the Cluster Properties window, Cluster Members page. For each cluster member, in the Cluster member Properties window, configure the VPN tab:
    • Office Mode for Remote access — If you wish to use Office Mode for remote access, define the IP pool allocated to each cluster member.
    • Hardware Certificate Storage List — If your cluster member supports hardware storage for IKE certificates, define the certificate properties. In that case, the Security Management Server directs the cluster member to generate the key pair in its hardware storage and to supply only the material required for the certificate request; the private key never leaves the member. The signed certificate is downloaded to the cluster member during policy installation.
  2. In a VPN cluster, IKE keys are synchronized between members. In the Synchronization page of the Cluster Properties window, make sure that Use State Synchronization is selected, even for High Availability configurations; without it, a failover discards the established IKE and IPsec SAs and every peer must renegotiate its tunnels with the new active member.
  3. In the Topology page of the Cluster Properties window, define the encryption domain of the cluster. Under VPN Domain, choose one of the two possible settings:
    • All IP addresses behind cluster members based on topology information. This is the default option.
    • Manually Defined. Use this option if the cluster IP address is not on the member network, in other words, if the cluster virtual IP address is on a different subnet than the cluster member interfaces. In that case, select a network or group of networks that includes both the virtual IP address of the cluster and the network or group of networks behind the cluster; a manual domain that omits the virtual IP address leaves the cluster itself outside the encryption domain.

Defining VPN Peer Clusters with Separate Security Management Servers

When working with a VPN peer that is a Check Point Cluster, and the VPN peer is managed by a different Security Management Server, do NOT define another cluster object. Instead, do the following:

  1. In the objects tree, Network Objects branch, right click and select New Check Point Externally Managed Security Gateway.
  2. In the Topology page, add the external and internal cluster interface addresses of the VPN peer. Do not use the cluster member interface addresses, except in the following cases:
    • If the external cluster is of version 4.1, add the IP addresses of the cluster member interfaces.
    • If the cluster is an OPSEC certified product (excluding IPSO), you may need to add the IP addresses of the cluster members.
    When adding cluster member interface IP addresses, in the interface Topology tab, define the interface as Internal, and the IP Addresses behind this interface as Not defined.

  3. In the VPN Domain section of the page, define the encryption domain of the externally managed Security Gateway to be behind the internal virtual IP address of the Security Gateway. If the encryption domain is just one subnet, choose All IP addresses behind cluster members based on topology information. If the encryption domain includes more than one subnet, it must be Manually Defined.
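The VPN Domain decision in step 3 of both procedures above (the local cluster: manual when the virtual IP address is not on the member network, and the manual domain must then cover the virtual IP and the networks behind the cluster; the externally managed peer cluster: manual whenever more than one subnet is behind it) is easy to get wrong from the GUI alone. The following is an added example, not code from the Check Point product or its documentation, that encodes those rules as a pre-installation check. The class and function names are this example's own, and the addresses in the sample are constructed from RFC 5737 and RFC 1918 ranges rather than taken from a real deployment.

```python
# Added example: pre-check a ClusterXL VPN Domain definition against the rules in
# the procedures above. Names here are hypothetical helpers, not Check Point APIs.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Union

TOPOLOGY_BASED = "All IP addresses behind cluster members based on topology information"
MANUAL = "Manually Defined"


@dataclass
class ClusterInterface:
    name: str
    vip: IPv4Address                    # cluster virtual IP on this interface
    member_net: IPv4Network             # subnet of the members' physical interfaces
    internal: bool                      # True for the interface facing the encryption domain
    networks_behind: List[IPv4Network]  # networks reachable behind this interface


def vip_on_member_network(iface: ClusterInterface) -> bool:
    """True when the cluster VIP is on the same subnet as the member interfaces."""
    return iface.vip in iface.member_net


def local_cluster_domain_mode(interfaces: List[ClusterInterface]) -> str:
    """Local cluster object: the default, topology-based domain is valid only when
    every VIP sits on its member network; otherwise the domain must be manual."""
    if all(vip_on_member_network(i) for i in interfaces):
        return TOPOLOGY_BASED
    return MANUAL


def covered(item: Union[IPv4Address, IPv4Network], domain: List[IPv4Network]) -> bool:
    """True when an address or a whole network lies inside some network of the domain."""
    if isinstance(item, IPv4Address):
        return any(item in net for net in domain)
    return any(item.subnet_of(net) for net in domain)


def check_manual_domain(interfaces: List[ClusterInterface],
                        domain: List[IPv4Network]) -> List[str]:
    """Return the problems with a manually defined domain (empty list means OK):
    it must contain the internal cluster VIP and every network behind it."""
    problems = []
    for iface in interfaces:
        if not iface.internal:
            continue
        if not covered(iface.vip, domain):
            problems.append(f"{iface.name}: cluster VIP {iface.vip} is not in the manual VPN domain")
        for net in iface.networks_behind:
            if not covered(net, domain):
                problems.append(f"{iface.name}: network {net} behind the cluster is not in the manual VPN domain")
    return problems


def peer_cluster_domain_mode(subnets_behind_peer: List[IPv4Network]) -> str:
    """Externally managed peer cluster: one subnet behind the internal VIP may use
    the topology-based setting; more than one subnet must be manually defined."""
    return TOPOLOGY_BASED if len(subnets_behind_peer) == 1 else MANUAL


# Constructed sample: the internal VIP 10.10.20.1 is on 10.10.20.0/24 while the
# member interfaces are on 10.10.10.0/24, so the default setting would miss the VIP.
SAMPLE_IFACES = [
    ClusterInterface("eth0", ip_address("192.0.2.10"), ip_network("192.0.2.0/24"), False, []),
    ClusterInterface("eth1", ip_address("10.10.20.1"), ip_network("10.10.10.0/24"), True,
                     [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]),
]
# Manual domain that lists only the networks behind the cluster and forgets the VIP.
BAD_DOMAIN = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]
# Corrected manual domain: the VIP's subnet is added.
GOOD_DOMAIN = BAD_DOMAIN + [ip_network("10.10.20.0/24")]
# Constructed peer encryption domains: one subnet versus two.
PEER_ONE_SUBNET = [ip_network("198.51.100.0/24")]
PEER_TWO_SUBNETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

if __name__ == "__main__":
    print(local_cluster_domain_mode(SAMPLE_IFACES))
    for problem in check_manual_domain(SAMPLE_IFACES, BAD_DOMAIN):
        print("problem:", problem)
    print("corrected domain problems:", check_manual_domain(SAMPLE_IFACES, GOOD_DOMAIN))
    print("peer with one subnet:", peer_cluster_domain_mode(PEER_ONE_SUBNET))
    print("peer with two subnets:", peer_cluster_domain_mode(PEER_TWO_SUBNETS))
```

Run it before installing policy on a new cluster: with the constructed sample it reports that the local cluster needs Manually Defined, flags the VIP missing from the first manual domain, accepts the corrected one, and selects the topology-based setting for a peer with one subnet and Manually Defined for a peer with two.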