
Converting Gateways to VSX Gateways

Use the VSX Gateway Conversion wizard in SmartDashboard to convert Gaia Security Gateways to VSX Gateways. You can convert one Security Gateway or all the members of a cluster to VSX. The settings of the Security Gateways are applied to the VSX Gateway (VS0). You can also use SmartDashboard to convert a VSX Gateway to a Security Gateway.

We recommend that you read sk79260 before you use the Conversion wizard. You can only convert Security Gateways or clusters that use the Gaia operating system.

Note - The Security Gateway loses connectivity during the conversion process.

Converting a Security Gateway

SmartDashboard converts a Security Gateway or cluster to VSX. You can only complete the Conversion Wizard if the features and settings of the Security Gateway or cluster are compatible with VSX.

When the Conversion Process window is shown, you cannot cancel or close the Conversion Wizard.

To convert a Security Gateway:

  1. Open SmartDashboard.
  2. In the Network Objects tree, right-click the Security Gateway or cluster and select Convert to VSX.
  3. When the Welcome to the VSX Conversion window opens, click Next to continue.
  4. In the Compatibility Check window, click Next to continue.

    The compatibility check makes sure that the Security Gateway or cluster is compatible with VSX.

  5. In the Security Management Server Interface Sharing window, configure how interfaces are created for the new Virtual Systems and then click Convert.
  6. After the conversion process completes, click Finish.

    The Converting window shows as the management database is updated.

    Note - You cannot use SmartDashboard while the Converting window shows.

Checking Compatibility

The VSX Gateway Conversion Wizard cannot convert a Security Gateway or cluster that uses Software Blades or other features that VSX does not support. The wizard automatically checks for common compatibility problems with the Security Gateway. We recommend that you read sk79260 for the full list of limitations and compatibility problems.

If the Security Gateway is not compatible, the Compatibility Check window tells you the solution for each compatibility problem. Close the wizard, disable the unsupported features, and run the VSX Gateway Conversion Wizard again.

Completing the Conversion

Complete the Security Gateway to VSX Gateway Conversion Wizard. When you complete the wizard, the management database is updated with the new VSX Gateway object.

To complete the Conversion Wizard:

Click Finish. The Converting window is shown as the management database is updated.

Note - You cannot use SmartDashboard while the Converting window is shown.

Converting a VSX Gateway

SmartDashboard converts a VSX Gateway or cluster to a Security Gateway. You must remove all the Virtual Systems and other Virtual Devices from the VSX object before you can convert the VSX Gateway.

You cannot convert a VSX Gateway that uses a shared interface configuration to a Security Gateway.

To convert a VSX Gateway to a Security Gateway:

  1. Remove all the Virtual Devices from the VSX object.

    From the Network Objects tree, right-click each Virtual Device object and select Delete.

  2. Right-click the VSX Gateway or cluster and select Convert to Gateway.

    A confirmation window opens.

  3. Click Yes.

    The VSX Gateway is converted to a Security Gateway.

    Note - You cannot use SmartDashboard while the Converting window is shown.

Installing Full High Availability Appliances


Configuring Standalone Full High Availability

Standalone Full HA - Security Management Server and Security Gateway are each installed on one appliance, and two appliances work in High Availability mode. One is active, and one is standby.

Figure: Standalone Full HA Deployment

Item            Description
1               Primary appliance
2               Direct appliance to appliance connection
3               Backup appliance
Firewall icon   Security Gateway component
Blades icon     Security Management Server component

After you install the Gaia or SecurePlatform operating system, configure Standalone Full HA. First, configure each of the two standalone appliances with its First Time Configuration Wizard. Then configure the High Availability options in SmartDashboard.

Note - SmartEvent Server and SmartReporter are not supported in Management High Availability and ClusterXL Full High Availability environments. In these environments, install SmartEvent Server and SmartReporter on dedicated machines.

For more information, see sk25164.

SecurePlatform Appliances

Some appliances have a dedicated SYNC interface that is used to synchronize with the other appliance. If there is no SYNC interface on the appliance, use the ETH1 interface.

Note - The internal interface (INT) on a UTM-1 appliance is used as the management interface.

To start the First Time Configuration Wizard:

  1. Connect a standard network cable to the appliance management interface and to your management network.

    The management interface is marked MGMT.

  2. Open Internet Explorer to the default management IP address: https://192.168.1.1:4434.
  3. Log in to the system using the default login name/password: admin/admin.

    Note - You can use the Portal menu to configure the appliance settings. Navigate to https://<appliance_ip_address>:4434.

  4. Set the username and password for the administrator account.
  5. Click Save and Login.

    The First Time Configuration Wizard opens.

To configure Full High Availability:

  1. In the First Time Configuration Wizard, set the date and time and then click Next.
  2. Configure the settings for the network connections.
    1. Click the Mgmt interface and configure the settings and then click Apply.
    2. Click the SYNC or eth1 interface and configure the settings and then click Apply. This interface is used to synchronize with the other appliance.
    3. Configure the settings for other interfaces that you are using.

    Click Next.

  3. Configure the settings for the routing table and then click Next.
  4. Set the host name (required), domain name (optional), and DNS servers (optional) and then click Next.
  5. Select Locally Managed and then click Next.
  6. Configure the appliance as the primary cluster member.
    1. Select This appliance is part of a Check Point Cluster.
    2. Select Primary cluster member.

    Click Next.

  7. Set the clients that can manage the appliance using a web or SSH connection and then click Next.
  8. Optional: Download SmartConsole and then click Next.

    The Summary window shows the settings for the appliance.

  9. Click Finish.

    SecurePlatform R77 is installed on the primary appliance.

  10. Use a cross-over cable to connect the SYNC or eth1 interfaces on the appliances.
  11. Do steps 1 - 9 again for the secondary appliance, with these changes:
    • Step 2b - Use a different IP address for the SYNC or eth1 interface on the secondary appliance.
    • Step 6b - Select Secondary cluster member.
    • Define the Secure Internal Communication (SIC) Activation Key that is used by the gateway object in SmartDashboard and then click Next.

      This key is necessary to configure the appliances in SmartDashboard.

Configuring Standalone Full High Availability

After you set up the appliances for Standalone Full High Availability, configure this deployment in SmartDashboard. You must configure both cluster members before you open the cluster configuration wizard in SmartDashboard.

The LAN1 interface serves as the SYNC interface between cluster members. If not configured, SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2. If these addresses are already in use, their values can be manually adjusted. If you manually adjust the default IP SYNC addresses, verify that both reside on the same subnet.

Note - All interfaces in the cluster must have unique IP addresses. If the same IP address is used twice, policy installation will fail. A Load on gateway failed error message is displayed.

The cluster has a unique IP address, visible to the internal network. The unique Virtual IP address makes the cluster visible to the external network, and populates the network routing tables. Each member interface also has a unique IP address, for internal communication between the cluster members. These IP addresses are not in the routing tables.

To configure Standalone Full High Availability:

  1. Open SmartDashboard.
  2. Connect to the primary appliance and then click Approve to accept the fingerprint as valid.

    The Security Cluster wizard opens.

    Click Next.

  3. Enter the name of the Standalone Full High Availability configuration and then click Next.
  4. Configure the settings for the secondary appliance.
    1. In Secondary Member Name, enter the hostname.
    2. In Secondary Member Name IP Address, enter the IP address of the management interface.
    3. Enter and confirm the SIC activation key.

    Click Next.

  5. Configure the IP address of the paired interfaces on the appliances. Select one of these options:
    • Cluster Interface with Virtual IP - Enter a virtual IP address for the interface.
    • Cluster Sync Interface - Configure the interface as the synchronization interface for the appliances.
    • Non-Cluster Interface - Use the configured IP address of this interface.

    Click Next.

  6. Do step 5 again for all the interfaces.
  7. Click Finish.

Removing a Cluster Member

You can remove one of the two members of a cluster without deleting the cluster object. A cluster object can have only a primary member, as a placeholder, while you do maintenance on an appliance. You must remove the cluster member in the Portal and in the CLI.

To remove a cluster member:

  1. Open the Portal of the member to keep.
  2. Open Product Configuration > Cluster.
  3. Click Remove Peer.
    • If the current member is the primary member, the secondary member is deleted.
    • If the current member is the secondary member, the secondary member is promoted to primary. Then the peer is deleted.

    Services running on the appliance are restarted.

  4. On the appliance command line, run: cp_conf fullha disable

    This command changes back the primary cluster member to a standalone configuration.

  5. Reboot.

The former cluster object is now a locally managed gateway and Security Management Server.

Adding a New Appliance to a High Availability Cluster

You can add a standalone appliance to a cluster, after the High Availability cluster is defined. You can change which member is primary.

To add an existing appliance to a cluster:

  1. Open the Portal of the appliance.
  2. On the Product Configuration, Cluster page, select Make this Appliance the primary member of a High Availability Cluster.
  3. Click Apply.
  4. Reboot the appliance.
  5. In SmartConsole, open the object of the primary member.

    The first-time cluster configuration wizard opens.

  6. Complete the wizard to configure the secondary cluster member.

Troubleshooting network objects:

In SmartConsole, the network object of the standalone appliance is converted to a cluster object. If the standalone appliance was in the Install On column of a rule, or in the Gateways list of an IPSec VPN community, the cluster object is updated automatically. For all other uses, you must manually change the standalone object to the cluster object. These changes can affect policies.

To see objects and rules that use the object to change:

  1. Right-click the standalone object and select Where Used.
  2. Select a line and click Go To.
  3. In the window that opens, replace the standalone object with the cluster object.

    If the Where Used line is a:

    • Host, Network, Group - Browse through the pages of the properties window that opens, until you find the object to change.
    • Policy (for example, dlp_policy) - Open the Gateways page of the Software Blade. Remove the standalone object. Add the cluster object.
  4. In Where Used > Active Policies, see the rules that use the standalone object.
  5. Select each rule and click Go To.
  6. Edit those rules to use the cluster object.

Note - The icon in SmartConsole changes to show the new status of the appliance as a primary cluster member. The Name and UID of the object in the database stay the same.

Recommended Logging Options for High Availability

In High Availability, log files are not synchronized between the two cluster members. For this reason, we recommend that you configure the logs of the cluster.

To forward cluster logs to an external log server:

  1. Open the properties of the cluster object.
  2. Open Logs > Additional Logging.
  3. Click Forward log files to Log Server, and select the Log Server.
  4. Select or define a time object for Log forwarding schedule.

    Or:

    Configure SmartEvent and SmartReporter with standard reports, to use only one of the cluster members as a source for log file correlation and consolidation.

Deploying Bridge Mode Security Gateways

If you install a new Security Gateway in a network and cannot change the IP routing scheme, use bridge mode. A Security Gateway in bridge mode is invisible to Layer-3 traffic. When authorized traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the other interface. Bridging lets the Security Gateway inspect and forward traffic, without the original IP routing.

Figure: Before and After

Item       Description
1          Switch 1
2          Switch 2
3 before   Connection between switches, one IP address.
3 after    Security Gateway Firewall bridging Layer-2 traffic over the one IP address, with a subnet on each side using the same address.

Before configuring the bridge, install the Security Gateway.

To manage the gateway in bridge mode, it must have a separate, routed IP address. You must configure the bridged interfaces.

SecurePlatform

You can configure bridge mode in the SecurePlatform Portal or the CLI.

To configure a bridge interface in the SecurePlatform Portal:

  1. Connect to the management interface of the Security Gateway.
  2. Select Network > Connections > New > Bridge.
  3. Select the two interfaces of the bridge and click Add.
  4. Enter the IP Address and Netmask of the bridge (not the physical) interface.
  5. Select Apply.

To configure a bridge interface in the Command Line:

  1. Enter: sysconfig
  2. Select Network Connections > Add new connection > Bridge.
  3. Add a pair of interfaces which are not configured with an IP address to the bridge.
  4. Enter: N
  5. Enter the IP address and netmask of the bridge (not the physical) interface.

If anti-spoofing is required for the bridged interfaces, define different IP address ranges behind each bridged interface. Do not use the same network for the two interfaces, as this can cause a loss of connectivity.

To see the bridge status:

The brctl show command displays the status of the bridge configuration. For example:

[Expert@GW-1]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000423b93e56       no              eth0
                                                        eth1

The interfaces are the two bridged interfaces. The MAC address of the bridge is inherited from one of the physical interfaces.
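A quick sanity check of the bridge state described above, as an added example that is not part of the Check Point guide: it parses `brctl show` output, confirms the two expected interfaces are members of the bridge, and confirms the bridge MAC (the low 48 bits of the bridge id) is inherited from one of them. The `brctl` output and the member MAC addresses are constructed sample data; on a real gateway you would feed it `brctl show` and `ip link` output instead.

```shell
#!/bin/sh
# Constructed sample of `brctl show` output (continuation lines hold extra members).
BRCTL_OUTPUT='bridge name     bridge id               STP enabled     interfaces
br0             8000.000423b93e56       no              eth0
                                                        eth1'

# Constructed MAC addresses for the member interfaces (what `ip link` would show).
mac_of() {
    case "$1" in
        eth0) echo "00:04:23:b9:3e:56" ;;
        eth1) echo "00:04:23:b9:3e:57" ;;
        *)    echo "" ;;
    esac
}

# bridge_mac <brctl_output> <bridge>: strip the 4-digit priority from the
# bridge id and print the remaining 12 hex digits as a colon-separated MAC.
bridge_mac() {
    printf '%s\n' "$1" | awk -v br="$2" '$1 == br { print $2 }' \
        | sed -E 's/^[0-9a-f]{4}\.//; s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/'
}

# bridge_members <brctl_output> <bridge>: member interfaces, one per line.
# The first member is the last field of the bridge's own line; further members
# follow on indented continuation lines until the next bridge line.
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 == br          { found = 1; print $NF; next }
        found && /^[ \t]/ { print $1; next }
        found             { exit }'
}

# check_bridge <brctl_output> <bridge> <if_a> <if_b>
# Returns 0 when both interfaces are enslaved and the bridge MAC matches one of them.
check_bridge() {
    br="$2"; a="$3"; b="$4"
    members=$(bridge_members "$1" "$br")
    printf '%s\n' "$members" | grep -qx "$a" || { echo "$a is not a member of $br"; return 1; }
    printf '%s\n' "$members" | grep -qx "$b" || { echo "$b is not a member of $br"; return 1; }
    mac=$(bridge_mac "$1" "$br")
    if [ "$mac" != "$(mac_of "$a")" ] && [ "$mac" != "$(mac_of "$b")" ]; then
        echo "bridge MAC $mac does not belong to $a or $b"; return 1
    fi
    echo "$br: members $a $b, MAC $mac inherited from a member interface"
}

check_bridge "$BRCTL_OUTPUT" br0 eth0 eth1
```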

Installing Management High Availability

Management HA - A Primary and Secondary Security Management Server are configured. The databases of the Security Management Servers are synchronized, either manually or on a schedule, so they can back up one another. The administrator makes one Security Management Server Active and the other(s) Standby. If the Active Security Management Server is down, the administrator can make the Standby server Active.

Figure: Management High Availability Deployment

Item          Description
1             Primary Security Management Server
2             Direct or indirect Security Management Server to Security Management Server connection
3             Secondary Security Management Server
Blades icon   Security Management Server component

You can configure Management High Availability between:

Prerequisites for Management High Availability

Workflow for Installing and Configuring Management High Availability:

  1. Install and configure the primary Security Management Server:
    1. Open server only: Install the operating system (Gaia, SecurePlatform or Windows).
    2. Configure the primary Security Management Server:
      • Gaia: Use the First Time Configuration Wizard.
      • SecurePlatform: Use cpconfig.
      • Windows: when choosing installation options.
  2. Install and configure the secondary Security Management Server:
    1. Open server only: Install the operating system (Gaia, SecurePlatform or Windows).
    2. Configure the secondary Security Management Server:
      • Gaia: Use the First Time Configuration Wizard.
      • SecurePlatform: Use cpconfig.
      • Windows: when choosing installation options.

For instructions on installing and configuring the primary and secondary Security Management Server see the applicable section:

To learn how to synchronize the databases of the Security Management Servers and make one Active and the other(s) Standby, see the R77 Security Management Administration Guide.