Working with VSX Clusters

In This Section:

Creating VSX Clusters

Creating a New Cluster

This section describes how to create a new VSX cluster using the VSX Cluster Wizard. The wizard guides you through the following steps to configure a VSX cluster.

After completing the VSX Cluster Wizard, you can modify most cluster and member properties directly from SmartDashboard.

To create a new cluster:

Open SmartDashboard.
If you are using Multi-Domain Security Management, open SmartDashboard from the Domain Management Server in which you are creating the cluster.
From the Network Objects tree, right-click Check Point and select VSX > Cluster.
The General Properties page of the VSX Cluster Wizard opens.

Defining Cluster General Properties

The Cluster General Properties page contains basic identification properties for VSX clusters.

This window contains the following properties:

VSX Cluster Name: Unique, alphanumeric name for the cluster. The name cannot contain spaces or special characters except the underscore.
VSX Cluster IP Address: Management interface IP address.
VSX Cluster Version: VSX version to use for this cluster.
VSX Cluster Platform: Platform type hosting the cluster members.
- To create a HA cluster, select Check Point SecurePlatform (ClusterXL) from the list
- To create a Load Sharing (VSLS) cluster, Check Point ClusterXL Virtual System Load Sharing select from the list.

Note - All cluster members must use the type of platform, with the same specifications and configuration.

Selecting Virtual Systems Creation Templates

The Virtual Systems Creation Templates allows you to select a Virtual System Creation Template that automatically applies predefined, default topology and routing definitions to Virtual Systems when they are first created. This feature ensures consistency among Virtual Systems and speeds up the provisioning process.

You always have the option of overriding the default creation template when creating or modifying a Virtual System

The available creation templates are as follows:

Shared Interface: All Virtual Systems share a single external interface, but maintain separate internal interfaces.
Separate Interfaces: All Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.
Custom Configuration: You manually create a custom configuration without any template.

Adding Members

The VSX Cluster Members window defines the members of the new cluster. You must define at least two cluster members, and up to as many as eight members. You can add new members later.

To add a new cluster member:

In the VSX Cluster Members window, click Add.
The Member Properties window opens.
Enter the name and its IP address for the cluster member.
Enter and confirm the activation key to initialize SIC trust between the cluster member and the management server.
Do these steps again for all the cluster members.

Defining Cluster Interfaces

The VSX Cluster Interfaces window lets you define physical interfaces as VLAN trunks. The list displayed contains all interfaces currently defined on the gateway machine or cluster.

To configure a VLAN trunk:

Select an interface to define it as a VLAN trunk. You can clear an interface to remove the VLAN trunk assignment.

Important - You cannot define the management interface as a VLAN trunk. To use a VLAN as the management interface, you must define the VLAN on the Security Gateway before you use SmartDashboard to create the VSX Gateway.

Configuring Cluster Members

If you selected the custom configuration option, the VSX Cluster Members window appears. In this window, you define the synchronization IP address for each member.

To configure the cluster members:

Select the synchronization interface from the list.
Enter the synchronization interface IP address and net mask for each member.

To use a VLAN as a synchronization interface:

Define the VLAN on the Security Gateway.
Open SmartDashboard and create the VSX Gateway.
On the VSX Gateway, from the CLI open fwkern.conf and add this line:
fwha_monitor_all_vlan=1

Cluster Management

The VSX Gateway Management page allows you to define several security policy rules that protect the cluster itself. This policy is installed automatically on the new VSX cluster.

Note - This policy applies only to traffic destined for the cluster. Traffic destined for Virtual Systems, other Virtual Devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules covering the following services:

UDP: SNMP requests
TCP: SSH traffic
ICMP: Echo-request (ping)
TCP: HTTPS (secure HTTP) traffic

Configuring the Cluster Security Policy

Allow: Enable a rule to allow traffic for those services for which you wish to allow traffic. Clear a rule to block traffic. By default, all services are blocked.
For example, you may wish to allow UDP echo-request traffic in order to be able to ping cluster members from the management server.
Source: Click the arrow and select a Source Object from the list. The default value is *Any.
Click New Source Object to define a new source.

For more about security policies, see the R77 Security Management Administration Guide.

Completing the Wizard

To complete the VSX Cluster Wizard:

Click Next to continue and then click Finish to complete the VSX Cluster wizard.
It can take several minutes to complete. A message appears indicating successful or unsuccessful completion of the process.

If the process ends unsuccessfully, click View Report to view the error messages. See to the troubleshooting steps for more information
In SmartConsole, double-click the new VSX Cluster object.
Click ClusterXL and make sure that the Use State Synchronization option is enabled.