Modifying a Cluster Definition

Once you create a cluster using the wizard, you can modify the topology and other parameters using the VSX Cluster Properties window. This window also allows you to configure many advanced features not available with the wizard.

To work with a VSX cluster definition, double-click on the cluster object in the SmartDashboard Network Object tree. The VSX Cluster Properties window opens, showing the General Properties page.

Most cluster objects and properties can be defined using the SmartDashboard GUI. Several definitions, however, require CLI commands, while others may be performed using either method.

A brief explanation for each of the definition pages follows. More detailed explanations for features that are not specific to VSX (NAT, IPS, VPN, etc.) are available in the online help or in the appropriate product Administration Guide.

Included Topics General Properties Cluster Members ClusterXL Creation Templates Physical Interfaces Synchronization Topology NAT VSX Bridge Configuration Cooperative Enforcement Changing the Cluster Management IP and/or Subnet Changing the Internal Communication Network IP

General Properties

See the General Properties page to view general properties and to activate Check Point products for use with this cluster and its members.

You can modify the following properties:

• Comment: Free text comment that appears in the Object List and elsewhere
• Color: Color of the object icon as it appears in the Network Object tree
• Network Security: Select Check Point products and Software Blades active on this cluster and its members

Cluster Members

The Cluster Members page lets you view and modify several properties for individual cluster members, including IP addresses for members and the internal communication network. You can also view where cluster and member objects in the object database are used.

Gateway Cluster Member List

The Cluster Members page shows all the VSX cluster members on the VSX Gateway.

To edit a cluster member:

From the Cluster Member page, select a member and click Edit.

The Cluster Member Properties window opens. These are the settings that you can edit:

• General Tab:
  • Comment: Free text comment that appears in the Object List and elsewhere
  • Color: Color of the object icon as it appears in the Object Tree
  • Secure Internal Communication: Check and reset SIC trust
• Topology Tab: Displays the member IP address and net mask for each interface. Double click on an interface to displays its properties.
• NAT Tab: Define NAT rules for cluster members connected to a Virtual Router.
• VPN Tab: Contains a variety of configuration properties for site-to-site VPN deployments.

  This window is only available if the Check Point VPN product is enabled on the General Properties page.

Where Used

Click Where used to show information about the selected member in the objects database.

• Name: Cluster name.
• Table: Name of the table in the database under which the selected object is listed.
• Is removable: Specifies whether or not you are allowed to remove the selected object. If the object is not removable and nevertheless you choose to remove it, it will impact the database or Rule Base.
• Refresh: Click to update the window display if you make changes.
• Context: Where the object is used.

Internal IP Address and Net Mask

VSX creates an internal communication network and automatically assigns it an IP address and net mask from a predefined pool. You can change this IP address here if you have not yet defined a Virtual System. Although traffic from this address is never sent to any networks, you must ensure that this IP address is unique and not in use anywhere on your defined network.

ClusterXL

To manage state synchronization, open the ClusterXL window, or run the vsx_util command.

• Enable or disable state synchronization.
• Select tracking options for cluster member state changes.

All other ClusterXL configuration properties are disabled.

Creation Templates

The Creation Templates page displays the creation template used to create Virtual Systems. You can change from the current creation template to the Custom Configuration template and change the shared physical interface if the Shared Interface template is active.

• Select the Custom Configuration option to change from the Shared Interfaces or Separate Interfaces templates.

  You cannot change back from the Custom Configuration template once you have completed the definition and saved it to the configuration to cluster.

• To change the shared interface, click Settings and select an interface from the list that appears.

Physical Interfaces

The Physical Interfaces page allows you to add or delete a physical interface on the VSX Gateway, and to define interfaces to be used as VLAN trunks.

• To add a new physical interface, click Add and enter the interface name in the appropriate field.
• To define an interface as a VLAN trunk, select the desired interface and enable the VLAN Trunk option. To disable a VLAN trunk, clear the option.

Synchronization

The Synchronization window displays the state synchronization network. There are no configurable properties.

Topology

The Topology page contains interface and routing definitions.

Interfaces

The Interfaces section defines interfaces and links to devices. You can add new interfaces as well as delete and modify existing interfaces.

To add an interface:

1. Click New and select one of these options:
   • Regular - Create a new interface
   • State Synchronization
   • Leads to Virtual Router
   • Leads to Virtual Switch

   The Interface Properties window opens.

   Click Actions > Copy to Clipboard to copy the Interfaces table in CSV format.

2. Define the appropriate properties.
3. Click OK.

To change an interface:

1. Double-click an interface.

   The Interface Properties window opens.

2. Change the parameters for the interface.
3. Click OK.

To delete an interface:

1. From the Topology page, select the interface and click Delete.
2. Click OK.

Routes

The Routes section of the Topology window defines routes between network devices, network addresses, and Virtual Devices. Some routes are defined automatically based on the interface definitions. You can add, change, and delete routes.

To add a default route to the routing table:

1. Click Add Default Route.

   The Default Gateway window opens.

2. Enter the default route IP address or select the default Virtual Router.
3. Click OK.

   The default route is added to the routing table.

4. Select the default route and click Edit.

   The Route Configuration window opens.

5. Configure the settings for the default route and click OK.

To add a new route to the routing table:

1. Click Add.

   The Route Configuration window opens.

2. Configure the Destination IP address and netmask.
3. Configure the next hop IP address or Virtual Router.
4. Optional: Select Propagate route to adjacent Virtual Devices to "advertise" the route to neighboring Virtual Devices, and enable connectivity between them.
5. Click OK.

To change a route:

1. Select the route.
2. Click Edit.

   The Route Configuration window opens.

3. Change the settings.
4. Click OK.

To delete a route:

1. Select the route.
2. Click Remove.

   A confirmation window opens.

3. Click OK.

Calculating Topology Automatically Based on Routing Information

Enable this option to allow VSX to automatically calculate the network topology based on interface and routing definitions (enabled by default). VSX creates automatic links, or connectivity cloud objects linked to existing internal or external networks.

• This option is not available in Bridge mode.
• When employing dynamic routing, it is recommended to disable this option.

VPN Domain

The VPN Domain section in the Topology page defines the set of hosts that use a VPN tunnel to communicate with peer Virtual Systems.

Define a VPN Domain to include a Virtual Device as part of the VPN connection. The domain defines the Virtual System interfaces that are in the VPN. You can define a VPN Domain in different ways:

• All IP Addresses behind Cluster Members are based on topology information: Includes all hosts not located behind an external gateway cluster interface.
• Manually Defined: Includes all hosts in the selected network or group.
• Remote Access Communities: Define an alternative VPN domain for Remote Access Community traffic.

To specify the VPN domain:

1. Click Set domain for Remote Access Community.

   The VPN Domain per Remote Access Community window opens.

2. Double-click a Remote Access Community.

   The Set VPN Domain window opens.

3. Select a VPN domain from the list, or click New, to define a new domain.
4. Click OK.

NAT

The NAT > Advanced page lets you configure NAT rules for packets originating from a Virtual System.

To enable and configure NAT for a Virtual System:

1. Select Add Automatic Address Translation.
2. Select a translation method:
   • Hide: Hide NAT only allows connections originating from the internal network. Internal hosts can access internal destinations, the Internet and other external networks. External sources cannot initiate a connection to internal network addresses.
   • Static: Static NAT translates each private address to a corresponding public address.
3. If you select Hide, select one of these options:
   • Hide behind Gateway hides the real IP address behind the Virtual System external interface IP address,

     or

   • Hide behind IP Address hides the real address behind a virtual IP address, which is a routable, public IP address that does not belongs to any real machine.
4. If you selected Static NAT, enter the static IP address in the appropriate field.
5. Select the VSX Gateway from the Install on Gateway list.

VSX Bridge Configuration

The VSX Bridge Configuration page allows you to specify the loop detection algorithm when working in the Bridge mode.

Enable the Check Point ClusterXL option to enable the Active/Standby Bridge Mode loop detection algorithms contained in ClusterXL.

Enable the Standard Layer-2 Loop Detection Protocols to use standard loop detection protocols, such as STP or PVST+.

Cooperative Enforcement

Cooperative Enforcement works with Check Point Endpoint Security servers. This feature utilizes the Endpoint Security server compliance capability to verify connections arriving from various hosts across the internal network. The Cooperative Enforcement window contains several configuration properties for defining this feature. For more information, please refer to the online help and the R77 Security Gateway Technical Administration Guide.

Changing the Cluster Management IP and/or Subnet

To add, change or delete the cluster management IP address and/or subnet, run the vsx_util change_mgmt_ip and vsx_util change_mgmt_subnet commands.

Changing the Internal Communication Network IP

You can change the internal communication network IP address by using the vsx_util change_private_net command.