
Converting Gateways to VSX Gateways

Use the VSX Gateway Conversion wizard in SmartDashboard to convert Gaia Security Gateways to VSX Gateways. You can convert one Security Gateway or all the members of a cluster to VSX. The settings of the Security Gateways are applied to the VSX Gateway (VS0). You can also use SmartDashboard to convert a VSX Gateway to a Security Gateway.

We recommend that you go to sk79260, before you use the Conversion wizard. You can only convert Security Gateways or clusters that use the Gaia operating system.

Note - The Security Gateway loses connectivity during the conversion process.

Converting a Security Gateway

SmartDashboard converts a Security Gateway or cluster to VSX. You can only complete the Conversion Wizard if the features and settings of the Security Gateway or cluster are compatible with VSX.

When the Conversion Process window is shown, you cannot cancel or close the Conversion Wizard.

To convert a Security Gateway:

  1. Open SmartDashboard.
  2. In the Network Objects tree, right-click the Security Gateway or cluster and select Convert to VSX.
  3. When the Welcome to the VSX Conversion window opens, click Next to continue.
  4. In the Compatibility Check window, click Next to continue.

    The compatibility check makes sure that the Security Gateway or cluster is compatible with VSX.

  5. In the Security Management Server Interface Sharing window, configure how interfaces are created for the new Virtual Systems and then click Convert.
  6. After the conversion process completes, click Finish.

    The Converting window shows as the management database is updated.

    Note - You cannot use SmartDashboard while the Converting window shows.

Checking Compatibility

The VSX Gateway Conversion Wizard cannot convert a Security Gateway or cluster that uses Software Blades or other features that VSX does not support. The wizard automatically checks for common compatibility problems with the Security Gateway. We recommend that you go to sk79260, to see a full list of limitations and compatibility problems.

If the Security Gateway is not compatible, the Compatibility Check window tells you the solution for each compatibility problem. Close the wizard, disable the unsupported features, and run the VSX Gateway Conversion Wizard again.

Completing the Conversion

Complete the Security Gateway to VSX Gateway Conversion Wizard. When you complete the wizard, the management database is updated with the new VSX Gateway object.

To complete the Conversion Wizard:

Click Finish. The Converting window is shown as the management database is updated.

Note - You cannot use SmartDashboard while the Converting window is shown.

Converting a VSX Gateway

SmartDashboard converts a VSX Gateway or cluster to a Security Gateway. You must remove all the Virtual Systems and other Virtual Devices from the VSX object before you can convert the VSX Gateway.

You cannot convert a VSX Gateway that uses a shared interface configuration to a Security Gateway.

To convert a VSX Gateway to a Security Gateway:

  1. Remove all the Virtual Devices from the VSX object.

    From the Network Objects tree, right-click each Virtual Device object and select Delete.

  2. Right-click the VSX Gateway or cluster and select Convert to Gateway.

    A confirmation window opens.

  3. Click Yes.

    The VSX Gateway is converted to a Security Gateway.

    Note - You cannot use SmartDashboard while the Converting window is shown.

Installing Full High Availability Appliances

In This Section

Gaia Appliances

Configuring Standalone Full High Availability

Standalone Full HA - Security Management Server and Security Gateway are each installed on one appliance, and two appliances work in High Availability mode. One is active, and one is standby.

[Figure: Standalone Full HA Deployment]

Item                  Description
1                     Primary appliance
2                     Direct appliance to appliance connection
3                     Backup appliance
Firewall icon         Security Gateway component
Software Blades icon  Security Management Server component

After you install the Gaia or SecurePlatform operating system, configure Standalone Full HA. First, configure each of the two standalone appliances with its First Time Configuration Wizard. Then configure the High Availability options in SmartDashboard.

Note - SmartEvent Server and SmartReporter are not supported in Management High Availability and ClusterXL Full High Availability environments. In these environments, install SmartEvent Server and SmartReporter on dedicated machines.

For more, see sk25164.

Gaia Appliances

Some appliances have a dedicated SYNC interface that is used to synchronize with the other appliance. If there is no SYNC interface on the appliance, use the ETH1 interface.

Note - The internal interface (INT) on a UTM-1 appliance is used as the management interface.

To start the First Time Configuration Wizard on Gaia:

  1. Connect the appliance to your management network through the management interface, which is marked MGMT.

    The management interface is preconfigured with the IP address 192.168.1.1. If you later change it through the Check Point Portal, make sure that the new address is on the same subnet as the management network.

  2. Open a connection from a browser to the management IP address.

    The login page opens.

  3. Log in to the system with the default username and password: admin and admin.
  4. Click Login.

    The First Time Configuration Wizard runs.

  5. Follow the instructions on the screen.

Note - Settings that you configure in the First Time Configuration Wizard can be changed later in the Gaia Portal. From an Internet browser, go to https://<appliance_ip_address>

To configure Gaia Full HA appliances:

  1. In the First Time Configuration Wizard, set the username and password for the administrator account and then click Next.
  2. Select Continue with configuration of Gaia R77.
  3. Click Next.
  4. Change the default administrator password.
  5. Click Next.
  6. Set an IPv4 and an IPv6 address for the management interface, or set one IP address (IPv4 or IPv6).

    If you change the management IP address, the new IP address is assigned to the interface. The old IP address is added as an alias and is used to maintain connectivity.

  7. Set the host name for the appliance.

    Optional:

    • Set the domain name, and IPv4 or IPv6 addresses for the DNS servers.
    • Set the IP address and port for a proxy server.
  8. Click Next.
  9. Set the date and time manually, or enter the hostname, IPv4 address or IPv6 address of the NTP server.

    Click Next.

  10. Select Security Gateway and Security Management.
  11. Configure these Advanced settings:
    • Select Unit is part of a cluster
    • Select ClusterXL
    • Select Primary
    • Enter a value for Cluster Global ID

    Click Next.

  12. Set the username and password for the Security Management Server administrator account and then click Next.
  13. Define IP addresses from which SmartConsole clients can log in to the Security Management Server.
    • If you select This machine or Network, define an IPv4 or an IPv6 address.
    • You can also select a range of IPv4 addresses.
  14. Click Next.
  15. Get a license automatically from the UserCenter and activate it, or use the trial license.

    If there is a proxy server between the appliance and the Internet, enter its IP address and port.

  16. Click Next.
  17. Review the summary and, if correct, click Finish.
  18. To start the configuration process, click Yes.

    A progress bar tracks the configuration of each task.

  19. Click OK.
  20. If the Help Check Point Improve Upgrades (CPUSE) window shows, click Yes or No.

    Gaia R77 is installed on the appliance.

  21. Log in to the Gaia Portal with the new management IP address that you entered in the First Time Configuration Wizard.
  22. Double-click the SYNC or eth1 interface and configure the settings. This interface is used to synchronize with the other appliance. Click Apply.
  23. Configure the settings for other interfaces that you are using.
  24. Use a cross-over cable to connect the SYNC or eth1 interfaces on the appliances.
  25. Do steps 1 - 15 again for the secondary appliance, with these changes:
    • Step 5 - It is not necessary to change the management IP address.
    • Step 7 - Select Secondary.
    • Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.

      This key is necessary to configure the appliances in SmartDashboard.

    • Step 14 - Use a different IP address for the SYNC or eth1 interface on the secondary appliance. Make sure that the primary and secondary appliances are on the same subnet.
  26. If necessary, download SmartConsole from the Gaia Portal.
    1. Open a connection from a browser to the Portal: https://<management_ip_address>
    2. In the Overview page, click Download Now!

Configuring Standalone Full High Availability

After you set up the appliances for Standalone Full High Availability, configure this deployment in SmartDashboard. You must configure both cluster members before you open the cluster configuration wizard in SmartDashboard.

The LAN1 interface serves as the SYNC interface between cluster members. If the SYNC interfaces are not configured, they are automatically set to 10.231.149.1 and 10.231.149.2. If these addresses are already in use, you can change them manually. If you change the default SYNC IP addresses, verify that both are on the same subnet.

Note - All interfaces in the cluster must have unique IP addresses. If the same IP address is used twice, policy installation will fail. A Load on gateway failed error message is displayed.

The cluster has a unique IP address, visible to the internal network. The unique Virtual IP address makes the cluster visible to the external network, and populates the network routing tables. Each member interface also has a unique IP address, for internal communication between the cluster members. These IP addresses are not in the routing tables.

To configure Standalone Full High Availability:

  1. Open SmartDashboard.
  2. Connect to the primary appliance and then click Approve to accept the fingerprint as valid.

    The Security Cluster wizard opens.

    Click Next.

  3. Enter the name of the Standalone Full High Availability configuration and then click Next.
  4. Configure the settings for the secondary appliance.
    1. In Secondary Member Name, enter the hostname.
    2. In Secondary Member Name IP Address, enter the IP address of the management interface.
    3. Enter and confirm the SIC activation key.

    Click Next.

  5. Configure the IP address of the paired interfaces on the appliances. Select one of these options:
    • Cluster Interface with Virtual IP - Enter a virtual IP address for the interface.
    • Cluster Sync Interface - Configure the interface as the synchronization interface for the appliances.
    • Non-Cluster Interface - Use the configured IP address of this interface.

    Click Next.

  6. Do step 5 again for all the interfaces.
  7. Click Finish.
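The notes above give three rules that the wizard does not check for you in advance: every interface in the cluster needs a unique IP address (otherwise policy installation fails with Load on gateway failed), the two SYNC addresses must be on one subnet, and each paired interface is one of the three wizard kinds. The following Python pre-check is an added example, not Check Point code; it models a plan for both appliances with constructed addresses and hypothetical interface names, assumes a /24 mask on the default SYNC addresses, and applies the same-subnet rule to every paired interface rather than only to SYNC.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default SYNC addresses named in the text; the /24 mask is an assumption.
DEFAULT_SYNC = ("10.231.149.1/24", "10.231.149.2/24")

@dataclass
class Interface:
    name: str                  # interface name on both appliances (hypothetical)
    kind: str                  # wizard option: "cluster_vip", "sync" or "non_cluster"
    primary: str               # member address on the primary appliance, CIDR
    secondary: str             # member address on the secondary appliance, CIDR
    vip: Optional[str] = None  # virtual IP, only for kind == "cluster_vip"

def check_plan(plan: List[Interface]) -> List[str]:
    """Return the problems found in a cluster interface plan; [] means it passes."""
    problems: List[str] = []
    used = {}  # address -> where it was first used
    def claim(addr, where: str) -> None:
        # Every address in the cluster must be unique, or policy installation
        # fails with "Load on gateway failed".
        if addr in used:
            problems.append(f"{where} reuses {addr}, already used by {used[addr]}")
        else:
            used[addr] = where
    for i in plan:
        p = ipaddress.ip_interface(i.primary)
        s = ipaddress.ip_interface(i.secondary)
        claim(p.ip, f"{i.name} primary")
        claim(s.ip, f"{i.name} secondary")
        # The text states this for SYNC; the check applies it to every pair.
        if p.network != s.network:
            problems.append(f"{i.name}: {p} and {s} are not on the same subnet")
        if i.kind == "cluster_vip":
            if i.vip is None:
                problems.append(f"{i.name}: Cluster Interface needs a virtual IP")
            else:
                v = ipaddress.ip_address(i.vip)
                claim(v, f"{i.name} virtual IP")
                if v not in p.network:
                    problems.append(f"{i.name}: virtual IP {v} is outside {p.network}")
        elif i.kind not in ("sync", "non_cluster"):
            problems.append(f"{i.name}: unknown interface kind {i.kind!r}")
    if not any(i.kind == "sync" for i in plan):
        problems.append("no Cluster Sync Interface defined")
    return problems

def sample_plan(sync_secondary: str = DEFAULT_SYNC[1]) -> List[Interface]:
    """Constructed two-appliance plan; every address is made up for the example."""
    return [
        Interface("Mgmt", "non_cluster", "192.168.1.1/24", "192.168.1.2/24"),
        Interface("LAN1", "sync", DEFAULT_SYNC[0], sync_secondary),
        Interface("eth2", "cluster_vip", "10.10.10.2/24", "10.10.10.3/24", "10.10.10.1"),
    ]
```

Calling `check_plan(sample_plan(DEFAULT_SYNC[0]))` reproduces the duplicate-address mistake the note warns about and reports it before any policy is installed.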

Removing a Cluster Member

You can remove one of the two members of a cluster without deleting the cluster object. A cluster object can have only a primary member, as a placeholder, while you do maintenance on an appliance. You must remove the cluster member in the Portal and in the CLI.

To remove a cluster member:

  1. Open the Portal of the member to keep.
  2. Open Product Configuration > Cluster.
  3. Click Remove Peer.
    • If the current member is the primary member, the secondary member is deleted.
    • If the current member is the secondary member, the secondary member is promoted to primary. Then the peer is deleted.

    Services running on the appliance are restarted.

  4. On the appliance command line, run: cp_conf fullha disable

    This command changes the primary cluster member back to a standalone configuration.

  5. Reboot.

The former cluster object is now a locally managed gateway and Security Management Server.

Adding a New Appliance to a High Availability Cluster

You can add a standalone appliance to a cluster, after the High Availability cluster is defined. You can change which member is primary.

To add an existing appliance to a cluster:

  1. Open the Portal of the appliance.
  2. On the Product Configuration, Cluster page, select Make this Appliance the primary member of a High Availability Cluster.
  3. Click Apply.
  4. Reboot the appliance.
  5. In SmartConsole, open the object of the primary member.

    The first-time cluster configuration wizard opens.

  6. Complete the wizard to configure the secondary cluster member.

Troubleshooting network objects:

In SmartConsole, the network object of the standalone appliance is converted to a cluster object. If the standalone appliance was in the Install On column of a rule, or in the Gateways list of an IPSec VPN community, the cluster object is updated automatically. For all other uses, you must manually change the standalone object to the cluster object. These changes can affect policies.

To see objects and rules that use the object to change:

  1. Right-click the standalone object and select Where Used.
  2. Select a line and click Go To.
  3. In the window that opens, replace the standalone object with the cluster object.

    If the Where Used line is a:

    • Host, Network, Group - Browse through the pages of the properties window that opens, until you find the object to change.
    • Policy (for example, dlp_policy) - Open the Gateways page of the Software Blade. Remove the standalone object. Add the cluster object.
  4. In Where Used > Active Policies, see the rules that use the standalone object.
  5. Select each rule and click Go To.
  6. Edit those rules to use the cluster object.

Note - The icon in SmartConsole changes to show the new status of the appliance as a primary cluster member. The Name and UID of the object in the database stay the same.

Recommended Logging Options for High Availability

In High Availability, log files are not synchronized between the two cluster members. For this reason, we recommend that you configure the logs of the cluster.

To forward cluster logs to an external log server:

  1. Open the properties of the cluster object.
  2. Open Logs > Additional Logging.
  3. Click Forward log files to Log Server, and select the Log Server.
  4. Select or define a time object for Log forwarding schedule.

    Or:

    Configure SmartEvent and SmartReporter with standard reports, to use only one of the cluster members as a source for log file correlation and consolidation.

Deploying Bridge Mode Security Gateways

If you install a new Security Gateway in a network and cannot change the IP routing scheme, use bridge mode. A Security Gateway in bridge mode is invisible to Layer-3 traffic. When authorized traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the other interface. Bridging lets the Security Gateway inspect and forward traffic, without the original IP routing.

[Figure: Bridge Mode Deployment, Before and After]

Item      Description
1         Switch 1
2         Switch 2
3 before  Connection between switches, one IP address.
3 after   Security Gateway Firewall bridging Layer-2 traffic over the one IP address, with a subnet on each side using the same address.

Before configuring the bridge, install the Security Gateway.

To manage the gateway in bridge mode, it must have a separate, routed IP address. You must configure the bridged interfaces.

You can configure bridge mode in the Gaia Portal or the CLI.

To configure a bridge interface in the Portal:

  1. In the Portal navigation tree, select Network Interfaces.
  2. Click Add > Bridge, or select an interface and click Edit.

    The Add (or Edit) Bridge window opens.

  3. On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
  4. Select the interfaces from the Available Interfaces list and then click Add.
  5. Click the IPv4 or IPv6 tabs, and then enter the IP addresses and subnet.

    Or click Obtain IP Address automatically.

  6. Click OK.

To configure a bridge interface with the CLI:

  1. Run: add bridging group <Group Name> interface <physical interface name>
  2. Run again for each interface in the bridge.
  3. Run: save config
  4. Add a bridge interface IP address:
    • IPv4: set interface <Group Name> ipv4-address <IP> subnet-mask <Mask>
    • IPv6: set interface <Group Name> ipv6-address <IP> mask-length <Prefix>
  5. Run: save config
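The CLI procedure above has two details that are easy to get wrong when typing it by hand: the Bridge Group ID must be an integer between 1 and 1024, and the IPv4 form takes a dotted subnet mask while the IPv6 form takes a prefix length. The following Python helper is an added example, not Check Point code: it validates a bridge plan against the rules on this page and emits the command lines in the order the steps list them. It assumes the bridge is referred to by its numeric Group ID wherever the templates write <Group Name> (confirm the name on the Portal's Network Interfaces page before pasting), and that the caller names the separate management interface so it is never placed in the bridge.

```python
import ipaddress
from typing import List, Optional, Sequence

def bridge_commands(group_id: int, members: Sequence[str], addresses: Sequence[str],
                    mgmt_interface: Optional[str] = None) -> List[str]:
    """Return the Gaia CLI lines for one bridge interface, in the order the text lists them."""
    # The Portal limits the Bridge Group ID to a unique integer between 1 and 1024.
    if not 1 <= group_id <= 1024:
        raise ValueError(f"Bridge Group ID must be between 1 and 1024, got {group_id}")
    if len(members) < 2 or len(set(members)) != len(members):
        raise ValueError("a bridge needs at least two distinct member interfaces")
    # Management needs its own routed address, so it must stay out of the bridge.
    if mgmt_interface in members:
        raise ValueError(f"management interface {mgmt_interface} cannot be a bridge member")
    cmds = [f"add bridging group {group_id} interface {m}" for m in members]
    cmds.append("save config")
    for cidr in addresses:
        a = ipaddress.ip_interface(cidr)
        if a.version == 4:  # IPv4 takes a dotted subnet mask ...
            cmds.append(f"set interface {group_id} ipv4-address {a.ip} subnet-mask {a.netmask}")
        else:               # ... while IPv6 takes a prefix length
            cmds.append(f"set interface {group_id} ipv6-address {a.ip} "
                        f"mask-length {a.network.prefixlen}")
    cmds.append("save config")
    return cmds

if __name__ == "__main__":
    # Constructed example: bridge eth1 and eth2, keep Mgmt routed separately.
    print("\n".join(bridge_commands(1, ["eth1", "eth2"],
                                    ["192.0.2.10/24", "2001:db8::10/64"], "Mgmt")))
```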

Installing Management High Availability

Management HA - A Primary and Secondary Security Management Server are configured. The databases of the Security Management Servers are synchronized, either manually or on a schedule, so they can back up one another. The administrator makes one Security Management Server Active and the other(s) Standby. If the Active Security Management Server is down, the administrator can make the Standby server Active.

[Figure: Management High Availability Deployment]

Item                  Description
1                     Primary Security Management Server
2                     Direct or indirect Security Management Server to Security Management Server connection
3                     Secondary Security Management Server
Software Blades icon  Security Management Server component

You can configure Management High Availability between:

Prerequisites for Management High Availability

Workflow for Installing and Configuring Management High Availability:

  1. Install and configure the primary Security Management Server:
    1. Open Server only: Install the operating system (Gaia, SecurePlatform or Windows).
    2. Configure the primary Security Management Server:
      • Gaia: Use the First Time Configuration Wizard.
      • SecurePlatform: Use cpconfig.
      • Windows: when choosing installation options.
  2. Install and configure the secondary Security Management Server:
    1. Open Server only: Install the operating system (Gaia, SecurePlatform or Windows).
    2. Configure the secondary Security Management Server:
      • Gaia: Use the First Time Configuration Wizard.
      • SecurePlatform: Use cpconfig.
      • Windows: when choosing installation options.

For instructions on installing and configuring the primary and secondary Security Management Server see the applicable section:

To learn how to synchronize the databases of the Security Management Servers and make one Active and the other(s) Standby, see the R77 Security Management Administration Guide.