Cloning Groups

A Cloning Group is a collection of Gaia Security Gateways that synchronize their OS configurations and settings for a number of shared features, for example DNS or ARP. A configuration change in one of the members is automatically propagated to other members. This is useful in ClusterXL. If the ClusterXL members are also members of a Cloning Group, static routes can be synchronized.

You can:

Important: Synchronization between members of a Cloning Group requires TCP Port 1129 to be open and communication through the port allowed by the firewall. When the Security Gateways are part of a cluster in SmartConsole, an implied rule in the rule base allows this connection. When the Security Gateways are not part of the same Cluster, the implied rule does not apply. If the Security Gateways are not part of the same cluster object in SmartConsole, make sure there is a rule that allows connections on TCP port 1129.

Configuring Cloning Groups - Gaia Portal

Cloning Groups are configured from the Security Gateway Portal.

To create a new Cloning Group:

  1. In your web browser, connect to the Gaia Portal on a Security Gateway.
  2. In System Management > Cloning Group, click Start Cloning Group Creation Wizard.

    The Cloning Group Creation Wizard opens.

  3. Select Create a new Cloning Group.

    The New Gaia Cloning Group window opens.

    • Enter a name for the Cloning Group
    • Select an IP address for synchronizing settings between member Security Gateways. Select an address on a secure internal network.
    • Enter a password for the administration account (cadmin). This password is necessary to:
      • Manage the Cloning Group
      • Add other Security Gateways to the Cloning Group
      • Create encrypted traffic between members of the Cloning Group
  4. In the Shared Features screen, select features to clone to other members of the group.

    Pay attention to the features you want to clone. For example, you might not want to clone static routes to Security Gateways that are members of a cluster.

    You can select any of these:

    | Shared Feature | Description |
    |---|---|
    | SNMP | Configure SNMP. |
    | Banner Messages | Configure banner messages. |
    | Job Scheduler | Schedule automated tasks that perform actions at a specific time. |
    | DNS | Configure DNS servers. |
    | System Logging | Configure system logging settings. |
    | Host Access Control | Configure which hosts are allowed to connect to the cluster devices. |
    | Proxy Settings | Configure proxy settings. |
    | Host Address Assignment | Configure known hosts. |
    | NTP | Configure Network Time Protocol for synchronizing the system's clock over a network. |
    | Password Policy | Configure password and account policies. |
    | Time | Configure the time and date of the system. |
    | Network Access | Configure network access to Gaia. |
    | Display Format | Configure how the system displays time, date and netmask. |
    | Mail Notification | Configure email address, to which Gaia sends mail notifications. |
    | Inactivity timeout | Configure session parameters, such as inactivity timeout. |
    | Users and Roles | Configure users and roles settings. |
    | Static Routes | Configure static routes. |
    | DHCP Relay | Configure relay of DHCP and BOOTP messages between clients and servers on different IPv4 Networks. |
    | IPv6 DHCP Relay | Configure relay of DHCPv6 messages between clients and servers on different IPv6 Networks. |
    | BGP | Configure dynamic routing via the Border Gateway Protocol. |
    | IGMP | Establish multicast group memberships via the Internet Group Management Protocol. |
    | PIM | Configure Protocol-Independent Multicast. |
    | Static Multicast Routes | Configure static multicast routes. |
    | RIP | Configure IPv4 dynamic routing via the Routing Information Protocol. |
    | RIPng | Configure IPv6 dynamic routing via the Routing Information Protocol. |
    | OSPF | Configure IPv4 dynamic routing via the Open Shortest-Path First v2 protocol. |
    | IPv6 OSPF | Configure IPv6 dynamic routing via the Open Shortest-Path First v3 protocol. |
    | Route Aggregation | Create a supernet network from the combination of networks with a common routing prefix. |
    | Inbound Route Filters | Configure Inbound Route Filters for RIP, OSPFv2, BGP, and OSPFv3 (supports IPv4 and IPv6). |
    | Route Redistribution | Configure advertisement of routing information from one protocol to another (supports IPv4 and IPv6). |
    | Route Map | Configure dynamic routing route maps. |
    | Routing Options | Configure protocol ranks and trace (debug) options. |
    | Policy Based Routing | Configure policy based routing (PBR) priority rules and action tables. |
    | Scheduled Backups | Configure Gaia scheduled backups. |

  5. Click Next for the Wizard Summary and then click Finish.

To manage the Cloning Group:

  1. Sign out of the Gaia Portal.
  2. Sign in to the same Gaia Portal using the cadmin account and password.

    (Alternatively, log in to the Gaia Portal on the Security Gateway using the cadmin credentials.)

    Important - No unique URL or IP address is needed to access the Cloning Group Portal or Clish command line. Use the URL or IP address of the member Security Gateway.

  3. In System Management > Cloning Group, select features from the Shared Features.
  4. Click Set Shared Features.

    The shared features are propagated to all members of the group. If, for example, you then configure a primary DNS server on one member of the Cloning Group, and DNS is one of the Shared Features, then the DNS settings are propagated to all members of the group. The DNS settings in the Portal of each member are grayed out.

    A user who is granted Cloning Group administration privileges (the CloningGroupManagement RBA role) can manage the specific Cloning Group features granted by the administrator and can grant Cloning Group capabilities to other users, including remote users. When these privileges are assigned, the Group Mode button shows in the Portal.

To manage a Cloning Group as an assigned administrator:

  1. In your web browser, connect to the Gaia Portal on a Cloning Group member Security Gateway.
  2. Click Group Mode.

    The Security Gateway switches to Cloning Group management mode.

To join a Cloning Group:

  1. In your web browser, connect to the Gaia Portal on a Security Gateway.
  2. In System Management > Cloning Group, click Start Cloning Group Creation Wizard.

    The Cloning Group Wizard opens.

  3. Select Join an existing Cloning Group.
  4. The Join Existing Cloning Group window opens.
    • Enter the IP address of a remote member of the Cloning Group.
    • Select an IP address for synchronizing the settings between Security Gateways. Select a secure internal address.
    • Enter the password of the Cloning Group administration account (cadmin). (The same password you entered when creating the group.) The cadmin password:
      • Lets you log in to the cadmin account
      • Is used to create authentication credentials for members during synchronization
  5. Click Next for the Wizard Summary and then click Finish.

To create a Cloning Group that follows ClusterXL:

Select this option if the gateway is a member of a ClusterXL.

Note - If you select this option, you have to select it for all the members of the cluster.

  1. In your web browser, connect to the Gaia Portal on a Security Gateway.
  2. In System Management > Cloning Group, click Start Cloning Group Creation Wizard.

    The Cloning Group Creation Wizard opens.

  3. Select Cloning Group follows ClusterXL.
    • Enter the Cloning Group name.
    • Enter a password for the Cloning Group administration account (cadmin).
  4. Click Next for the Wizard Summary and then click Finish.
  5. Repeat Steps 1-4 for all members of the cluster.

Configuring Cloning Groups - Gaia Clish

Cloning Groups can also be managed in Gaia Clish. When run from the cadmin account, these commands apply to all members of the Gaia group.

You can create Cloning Groups in Manual mode or in ClusterXL mode.

To create the first Cloning Group member in Manual mode:

  1. Set the cloning group mode to manual
  2. Set the cloning group local IP address
  3. Set the cloning group password
  4. Set the cloning group state to on
  5. Optional: Set a name for the Cloning Group

To add other Security Gateways to the Cloning Group in Manual mode:

On each of those Security Gateways:

  1. Set the cloning group mode to manual
  2. Set the cloning group local IP address
  3. Set the cloning group password
  4. Run the join cloning group command to join the Cloning Group

To create Cloning Group members in ClusterXL mode:

On all member Security Gateways:

  1. Set the cloning group mode to ClusterXL
  2. Set the cloning group password
  3. Set the cloning group state to on
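
The three Clish procedures above, as an added example (not Check Point code): a small Python planner that emits the per-gateway command sequence using the command syntax documented in this section, plus the member pairs that need the TCP 1129 rule. The gateway labels, the private-range check standing in for "secure internal network", the use of the first member's local-ip as the join target, and running `add cloning-group shared-feature` once as cadmin are assumptions.

```python
import ipaddress
from itertools import combinations

# Feature names as listed in the page's "Name of Shared Feature" table.
SHARED_FEATURES = set("""aggregate bgp bootp cron dhcp6relay dns hosts igmp
inboundfilters time ntp message ospf ospf3 password-controls mailrelay
display-format http net-access users-and-roles syslog proxy host-access pbr pim
redistribution rip ripng routemap routingoptions static static-mroute snmp
backup""".split())

def plan(mode, members, name=None, features=()):
    """Map each gateway label to the Clish commands of the page's procedures.

    members: ordered (label, local_ip) pairs; in manual mode the first entry
    creates the group and the rest join it. Labels are hypothetical.
    """
    if mode not in ("manual", "cluster-xl"):
        raise ValueError(f"unknown mode: {mode}")
    unknown = sorted(set(features) - SHARED_FEATURES)
    if unknown:
        raise ValueError(f"not a shared-feature name: {unknown}")
    ips = [ipaddress.IPv4Address(ip) for _, ip in members]  # local-ip is IPv4
    # Assumption: "secure internal network" approximated as a private range.
    exposed = [str(ip) for ip in ips if not ip.is_private]
    if mode == "manual" and exposed:
        raise ValueError(f"local-ip not on an internal network: {exposed}")
    out = {}
    for i, (label, _) in enumerate(members):
        cmds = [f"set cloning-group mode {mode}"]
        if mode == "manual":
            cmds.append(f"set cloning-group local-ip {ips[i]}")
        cmds.append("set cloning-group password <Password>")  # placeholder only
        if mode == "cluster-xl" or i == 0:
            cmds.append("set cloning-group state on")
            if mode == "manual" and name:
                cmds.append(f"set cloning-group name {name}")  # optional step
        else:
            # Assumption: joiners point at the first member's local-ip.
            cmds.append(f"join cloning-group remote-ip {ips[0]}")
        out[label] = cmds
    # Assumption: shared features are added once, logged in as cadmin.
    out["cadmin"] = [f"add cloning-group shared-feature {f}" for f in features]
    return out

def tcp_1129_pairs(members):
    """Member IP pairs needing a rule that allows TCP 1129 when the gateways
    are not in the same cluster object in SmartConsole."""
    return list(combinations([ip for _, ip in members], 2))
```

The generated lists never contain the cadmin password; the operator supplies it at that step on each gateway.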

To create a Cloning Group:

set cloning-group
      local-ip <IPv4_address>
      mode {manual | cluster-xl}
      name <Cloning Group name>
      password <Password>
      state {on | off}

| Parameter | Description |
|---|---|
| local-ip <IPv4 address> | The IPv4 address used to synchronize shared features between members of the Cloning Group. |
| mode {manual \| cluster-xl} | The mode determines whether the Cloning Group is defined manually, or through ClusterXL. |
| name <Cloning Group name> | Name of the Cloning Group. |
| password <password> | Password for the administrator's (cadmin) account, used to access the Cloning Group configuration in the Gaia Portal, or Gaia Clish. When prompted, enter and confirm the password. |
| state {on \| off} | Turns the Cloning Group feature on or off. If you select off, the Security Gateway is removed from the Cloning Group. |

To add Shared Features:

add cloning-group shared-feature <Feature>

| Parameter | Description |
|---|---|
| <feature> | The name of the feature to be synchronized between the members of the Cloning Group. |

Where:

| Name of Shared Feature | Description |
|---|---|
| aggregate | Configure route aggregation - create a supernet network from the combination of networks with a common routing prefix. |
| bgp | Configure dynamic routing via the Border Gateway Protocol. |
| bootp | Configure IPv4 DHCP Relay - relay of DHCP and BOOTP messages between clients and servers on different IPv4 Networks. |
| cron | Configure job scheduler - schedule automated tasks that perform actions at a specific time. |
| dhcp6relay | Configure IPv6 DHCP Relay - relay of DHCPv6 messages between clients and servers on different IPv6 Networks. |
| dns | Configure DNS servers. |
| hosts | Configure known hosts. |
| igmp | Establish multicast group memberships via the Internet Group Management Protocol. |
| inboundfilters | Configure Inbound Route Filters for RIP, OSPFv2, BGP, and OSPFv3 (supports IPv4 and IPv6). |
| time | Configure the time and date of the system. |
| ntp | Configure Network Time Protocol (NTP) for synchronizing the system's clock over a network. |
| message | Configure banner messages. |
| ospf | Configure IPv4 dynamic routing via the Open Shortest-Path First v2 protocol. |
| ospf3 | Configure IPv6 dynamic routing via the Open Shortest-Path First v3 protocol. |
| password-controls | Configure password and account policies. |
| mailrelay | Configure email address, to which Gaia sends mail notifications. |
| display-format | Configure how the system displays time, date and netmask. |
| http | Configure session parameters, such as inactivity timeout. |
| net-access | Configure network access to Gaia. |
| users-and-roles | Configure users and roles settings. |
| syslog | Configure system logging settings. |
| proxy | Configure proxy settings. |
| host-access | Configure which hosts are allowed to connect to the cluster devices. |
| pbr | Configure policy based routing (PBR) priority rules and action tables. |
| pim | Configure Protocol-Independent Multicast. |
| redistribution | Configure route redistribution - advertisement of routing information from one protocol to another (supports IPv4 and IPv6). |
| rip | Configure IPv4 dynamic routing via the Routing Information Protocol. |
| ripng | Configure IPv6 dynamic routing via the Routing Information Protocol. |
| routemap | Configure dynamic routing route maps. |
| routingoptions | Configure protocol ranks and trace (debug) options. |
| static | Configure static routes. |
| static-mroute | Configure static multicast routes. |
| snmp | Configure SNMP. |
| backup | Configure Gaia scheduled backups. |

To delete Shared Features:

delete cloning-group shared-feature <Feature>

| Parameter | Description |
|---|---|
| <feature> | The name of the feature to be deleted from the list of shared features. |

To see the list of the enabled Shared Features, enter:

delete cloning-group shared-feature<SPACE><TAB>

To join a Cloning Group:

join cloning-group remote-ip <Cloning Group IPv4 address>

| Parameter | Description |
|---|---|
| <Cloning Group IPv4 address> | The IPv4 address of the Cloning Group member, to which you join. |

Note - This option is not available if you are logged into the cadmin account.

To remove a member from a Cloning Group:

leave cloning-group

To remove an inaccessible Cloning Group member:

delete cloning-group disconnected-member <IPv4 address of Member>

| Parameter | Description |
|---|---|
| <IPv4 address of Member> | The IPv4 address of the Cloning Group member that became inaccessible. |

Use this command only for troubleshooting purposes, when the remote Cloning Group member is not accessible. A normal way to remove a member from a Cloning Group is to run the leave cloning-group command on that member.

Notes:

To view Cloning Group configuration:

show cloning-group
      local-ip
      members
      mode
      name
      shared-feature
      state
      status

| Parameter | Description |
|---|---|
| local-ip | The IPv4 address used to synchronize shared features between the members of the Cloning Group. |
| members | Shows the members of the Cloning Group. |
| mode | Shows the Cloning Group mode - Manual, or Cluster XL. |
| name | Shows the name of the Cloning Group. |
| shared-feature | Lists the shared features that are enabled to be used by all members of the Cloning Group. |
| state | Shows the Cloning Group state - enabled, or disabled. |
| status | Shows the status of the Cloning Group member. |

Note - This option is not available if you are logged into the cadmin account.

To re-synchronize a Cloning Group:

re-synch cloning-group

When a user (local or remote) receives Cloning Group management privileges, that user can turn on the Cloning Group management mode to create, delete, and edit Cloning Groups.

To turn on the Cloning Group management mode:

set cloning-group-management {on | off}

| Parameter | Description |
|---|---|
| on | Enables the Cloning Group management mode. |
| off | Disables the Cloning Group management mode. |