Configuring the Cluster Object and Members

Overview

You can use one of these procedures to define a cluster object and its members:

• Simple Mode (Wizard) - Lets you quickly create a new cluster and configure some basic cluster properties:
  • Cluster properties and Virtual IP addresses
  • Properties and Topology of Cluster Members
  • Synchronization interfaces and IP addresses
• Classic Mode - Opens the Cluster Gateway Properties window, where you manually create a cluster and configure its properties.

The Cluster Gateway Properties window lets you:

• Manually create a new cluster
• Enable and configure Software Blades for the cluster
• Configure other cluster properties that you cannot configure with the wizards
• Change the properties of an existing cluster

Using the Wizard Mode

This version includes two wizards:

• Check Point Appliances and Open Servers
• Check Point Small Office Appliances

Wizard for Check Point Appliances or Open Servers

The Cluster Wizard is recommended for all Check Point Appliances (for example, 23800) except Small Office, and for Open Server platforms.

To create a new cluster using Wizard Mode:

1. In SmartConsole, click Objects menu > More object types > Network Object > Gateways and Servers > Cluster > New Cluster.
2. In Check Point Security Gateway Cluster Creation window, click Wizard Mode.
3. In the Cluster General Properties window:
   1. In the Cluster Name field, enter unique name for the cluster object.
   2. In the Cluster IPv4 Address, enter the unique Cluster Virtual IPv4 addresses for this cluster. This is the main IPv4 address of the cluster object.
   3. In the Cluster IPv6 Address, enter the unique Cluster Virtual IPv6 addresses for this cluster. This is the main IPv6 address of the cluster object.

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support pure IPv6 addresses.

   4. In the Choose the Cluster's Solution field, select the applicable option and click Next:
      • Check Point ClusterXL and then select High Availability or Load Sharing
      • Gaia VRRP
4. In the Cluster member's properties window do these steps for each Cluster Member and click Next:

   We assume you create a new cluster object from the scratch.

   1. Click Add > New Cluster Member to configure each Cluster Member.
   2. In the Cluster Name field, enter unique name for the Cluster Member object.
   3. In the Cluster IPv4 Address, enter the unique Cluster Virtual IPv4 addresses for this Cluster Member. This is the main IPv4 address of the Cluster Member object.
   4. In the Cluster IPv6 Address, enter the unique Cluster Virtual IPv6 addresses for this Cluster Member. This is the main IPv6 address of the Cluster Member object.

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support pure IPv6 addresses.

   5. In the Activation Key and Confirm Activation Key fields, enter a one-time password that you entered in First Time Configuration Wizard during the installation of this Cluster Member.
   6. Click Initialize.

      Management Server will try to establish SIC with each Cluster Member. The Trust State field should show Trust established.

   7. Click OK.
5. In the Cluster Topology window, define a network type (network role) for each cluster interface and define the Cluster Virtual IP addresses.

   The wizard automatically calculates the subnet for each cluster network and assigns it to the applicable interface on each Cluster Member. The calculated subnet shows in the upper section of the window.

   The available network objectives are:

   • Cluster Interface - A cluster interface that connects to an internal or external network. Enter the Cluster Virtual IP addresses for each network (internal or external). Also see Cluster IP Addresses on Different Subnets.
   • Cluster Sync Interface - A cluster Synchronization interface. In Load Sharing mode, you must define a synchronization interface.
     • For Check Point Appliances (for example, 23800) or Open Servers: The Synchronization Network is supported only on the lowest VLAN tag of a VLAN interface.
     • For Small Office appliances (for example, 1100, 1200R, 1400): You can only select 1st sync and only for the LAN2/SYNC interface. You cannot configure VLANs on the Synchronization interface.

     Important Note - Make sure that you do not define IPv6 address for sync interfaces. The wizard does not let you define an interface with an IPv6 address as a sync interface.

   • Private - An interface that is not part of the cluster. Cluster does not monitor this interface. Cluster failover does not occur if a fault occurs on this interface. This option is recommended for the dedicated management interface.

   Click Next.

6. In the Cluster Definition Wizard Complete window, click Finish.

After you complete the wizard, we recommend that you open the cluster object and complete the configuration:

• Define Anti-Spoofing properties for each interface
• Change the Topology settings for each interface, if necessary
• Define the Network Type
• Configure other Software Blades, features and properties as necessary

Wizard for Small Office Appliances

The Small Office Cluster wizard is recommended for these Centrally Managed Check Point appliances:

• 1100 appliances
• 1200R appliances
• 1400 appliances

To create a new Small Office cluster using Wizard Mode:

1. In SmartConsole, click Objects menu > More object types > Network Object > Gateways and Servers > Cluster > New Small Office Cluster.
2. In Check Point Security Gateway Cluster Creation window, click Wizard Mode.
3. In the Cluster General Properties window:
   1. Enter a unique name for the cluster object.
   2. Select the correct hardware type.
   3. Click Next.
4. In the Cluster Members window:
   1. Enter the member name and IPv4 addresses for each Cluster Member.
   2. Enter the one-time password for SIC trust.
   3. Click Next.
   4. Management Server will try to establish SIC with the Primary Cluster Member.
5. In the Configure WAN Interface page, configure the Cluster Virtual IPv4 address.
6. Define the Cluster Virtual IPv4 addresses for the other cluster interfaces.
7. Click Next, and then Finish to complete the wizard.

After you complete the wizard, we recommend that you open the cluster object and complete the configuration:

• Define Anti-Spoofing properties for each interface
• Change the Topology settings for each interface, if necessary
• Define the Network Type
• Configure other Software Blades, features and properties as necessary

Using the Manual Configuration

The Cluster Gateway Properties window contains many different ClusterXL properties, as well as other properties related to Security Gateway and Software Blades functionality. This section includes only the properties and procedures directly related to ClusterXL.

Configuration Steps Configuring General Properties Adding a New Cluster Member to the Cluster Object Working with Cluster Topology Completing the Cluster Definition Changing the Synchronization Interface

Configuring General Properties

To configure the general properties of a cluster:

1. In the Name field, enter a unique name for this cluster object.
2. In the IPv4 Address field, enter the unique Cluster Virtual IPv4 addresses for this cluster.

   This is the main IPv4 address of the cluster object.

3. In the Cluster IPv6 Address field, enter the unique Cluster Virtual IPv6 addresses for this cluster.

   This is the main IPv6 address of the cluster object.

   Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support pure IPv6 addresses.

4. In the Hardware field, select the correct hardware platform.
5. In the Version field, select the correct Check Point version.
6. In the OS field, select the correct operating system.
7. Configure the desired cluster type:
   • To work with ClusterXL or with VRRP on Gaia, select ClusterXL.

     Go to the ClusterXL and VRRP pane and configure the applicable settings.

   • To work with any other cluster mode, clear ClusterXL.

     Go to the 3rd Party Configuration pane and configure the applicable settings.

8. Enable other Network Security Software Blades as necessary.

Adding a New Cluster Member to the Cluster Object

To add a new Cluster Member to the Cluster object:

1. In SmartConsole, open the cluster object.
2. Go to the Cluster Members page.
3. Click Add > New Cluster Member.

   The Cluster Members Properties window opens.

4. Click the General tab.
5. In the Name field, enter a Cluster Member name.
6. In the IPv4 Address field, enter a physical IPv4 addresses.

   The Management Server must be able to connect to the Cluster Member at this IPv4 address. This IPv4 address can be an internal, or external. You can use a dedicated management interface on the Cluster Member.

   Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

7. In the IPv6 Address field, enter a physical IPv6 address, if you need to use IPv6.

   The Management Server must be able to connect to the Cluster Member at this IPv6 address. This IPv6 address can be an internal, or external. You can use a dedicated management interface on the Cluster Member.

   Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

8. Click Communication, and initialize Secure Internal Communication (SIC) trust.

   Enter the same key you entered during First Time Configuration Wizard on each Cluster Member.

9. Click the NAT tab to configure the applicable NAT settings.
10. Click the VPN tab to configure the applicable VPN settings.
11. Click OK.

Adding an Existing Security Gateway as a Cluster Member to the Cluster Object

To add an existing Security Gateway as a Cluster Member to the Cluster object:

Before doing these steps, we recommend exporting a complete management database with migrate export command.

1. In SmartConsole, open the cluster object.
2. Go to the Cluster Members page.
3. Click Add > Add Existing Gateway.
4. Select a Security Gateway from the list and click OK.
5. Read the warning is displayed and click Yes:

   If you add <Name_of_Security_Gateway_object> to the cluster, it will be converted to a cluster member. Some settings will be lost. The following settings will still remain: -SIC -VPN -NAT (except for IP Pools) In order to revert the conversion, session must be discarded. Are you sure you want to continue?

6. In the list of Cluster Members, select the new Cluster Member and click Edit.
7. Click the NAT tab to configure the applicable NAT settings.
8. Click the VPN tab to configure the applicable VPN settings.
9. Click OK.

Deleting a Cluster Member from Cluster Object

To delete an existing Cluster Member:

Before doing these steps, we recommend exporting a complete management database with migrate export command.

1. In SmartConsole, open the cluster object.
2. Go to the Cluster Members page.
3. Click Remove > Delete Cluster Member.
4. Click OK.

   Important - This Cluster Member object will be deleted from the cluster object and from the management database.

Working with Cluster Topology

IPv6 Considerations

To activate IPv6 functionality for an interface, define an IPv6 address for the applicable interface on each Cluster Member and in the cluster object. All interfaces configured with an IPv6 address must also have a corresponding IPv4 address. If an interface does not require IPv6, only the IPv4 definition address is necessary.

Note - You must configure synchronization interfaces with IPv4 addresses only. This is because the synchronization mechanism works using IPv4 only. All IPv6 information and states are synchronized using this interface.

1. In SmartConsole, open the cluster object.
2. Go to Network Management page.
3. Select a cluster interface and click Edit.
4. From the left navigation tree, click General page:
   1. In the General section, configure these settings for Cluster Virtual Interface:
      • Network Type - one of these: Cluster, Sync, Cluster + Sync, Private

      The available network types (network objectives) are:

      Network Type	Description
      Cluster	An interface that connects to an internal or external network.
      Cluster + Sync	A cluster interface that also works as a Synchronization interface. We do not recommend this configuration because it adds the Delta Sync traffic to the interface.
      Sync	An interface used exclusively for cluster state synchronization.
      Private	An interface that is not part of the cluster. ClusterXL does not monitor the state of this interface. As a result, there is no cluster failover if a fault occurs with this interface. This option is recommended for the management interface.

      • Virtual IPv4 - Virtual IPv4 address assigned to this Cluster Virtual Interface
      • Virtual IPv6 - Virtual IPv6 address assigned to this Cluster Virtual Interface

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

   2. In the Member IPs section, click Modify and configure these settings:
      • Physical IPv4 address and Mask Length assigned to the applicable physical interface on each Cluster Member
      • Physical IPv6 address and Mask Length assigned to the applicable physical interface on each Cluster Member

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

      See also: Configuring Cluster Addresses on Different Subnets.

   3. In the Topology section, click Modify and configure these settings:
      • Leads To - one of these: Internet (External), This Network (Internal)
      • Security Zone - one of these: User defined, According to topology (ExternalZone, InternalZone)
      • Anti-Spoofing - whether to perform the Anti-Spoofing, and how to do it (Detect, Prevent)
5. From the left navigation tree, click QoS page:
   1. In the Bandwidth section, configure these settings:
      • Inbound Active - rate limit for inbound traffic
      • Outbound Active - rate limit for outbound traffic
   2. In the DiffServ and Low Latency classes section, configure the applicable classes.
6. From the left navigation tree, click Advanced page:
   1. In the Multicast Restrictions section, configure the applicable settings for dropping multicast packets
   2. In the Interfaces Names section, configure the names of applicable interfaces
7. Click OK.

Completing the Cluster Definition

1. Configure other Software Blades and options in the cluster object as required (NAT, VPN, Remote Access, and other advanced options).
2. Install the Access Control Policy on this cluster object.

Changing the Synchronization Interface

Important - Schedule a maintenance window, because changing the synchronization interface can impact the traffic.

To change the IPv4 address on the synchronization interface on Cluster Members:

1. On each Cluster Member, change the IPv4 address on the Sync interface.

   Use Gaia Portal, or Gaia Clish.

2. In SmartConsole, open the cluster object.
3. In the Gateway Cluster Properties window, click Network Management page.
4. Click Get Interfaces > Get Interfaces With Topology.
5. Make sure the settings are correct.
6. Select the Sync interface and click Edit.
7. From the left navigation tree, click General page.
8. In the General section, in the Network Type field, select Sync.
9. Click OK.
10. In SmartConsole, install the Access Control Policy on this cluster object.

To change the synchronization interface on Cluster Members to a new interface:

1. On each Cluster Member, configure a new interface that you will use as a new Sync interface.

   Use Gaia Portal, or Gaia Clish.

2. On each Cluster Member, delete the IPv4 address from the old Sync interface.
3. Use Gaia Portal, or Gaia Clish.
4. In SmartConsole, open the cluster object.
5. In the Gateway Cluster Properties window, click Network Management page.
6. Click Get Interfaces > Get Interfaces With Topology.
7. Make sure the settings are correct.
8. Right-click on the old Sync interface and click Delete Interface.
9. Select the new interface and click Edit.
10. From the left navigation tree, click General page.
11. In the General section, in the Network Type field, select Sync.
12. Click OK.
13. In SmartConsole, install the Access Control Policy on this cluster object.