Preparing a VRRP Cluster

Do these steps before you start to define a Virtual Router (VRRP Group):

Step	Description
1	Synchronize the system time on all Security Gateways to be included in this Virtual Router. Best Practice - We recommend that you enable NTP (Network Time Protocol) on all Security Gateways. You can also manually change the time and time zone on each Security Gateway to match the other members. In this case, you must synchronize member times to within a few seconds.
2	Optional: Add host names and IP address pairs to the host table on each Security Gateway. This lets you use host names as an alternative to IP addresses or DNS servers.

Step

Description

Synchronize the system time on all Security Gateways to be included in this Virtual Router.

Best Practice - We recommend that you enable NTP (Network Time Protocol) on all Security Gateways.

You can also manually change the time and time zone on each Security Gateway to match the other members.
In this case, you must synchronize member times to within a few seconds.

Optional: Add host names and IP address pairs to the host table on each Security Gateway.

This lets you use host names as an alternative to IP addresses or DNS servers.

Configuring Network Switches

Best Practice - If you use the Spanning Tree protocol on Cisco switches connected to Check Point VRRP clusters, we recommend that you enable PortFast. PortFast sets interfaces to the Spanning Tree forwarding state, which prevents them from waiting for the standard forward-time interval.

If you use switches from a different vendor, we recommend that you use the equivalent feature for that vendor. If you use the Spanning Tree protocol without PortFast, or its equivalent, you may see delays during VRRP failover.

Enabling Virtual Routers

When you log into Gaia for the first time after installation, you must use the First Time Configuration Wizard to the initial configuration steps. To use VRRP Virtual Routers (clusters), you must first enable VRRP clustering in the First Time Configuration Wizard.

To enable VRRP clustering:

Install Gaia using the instructions in the R80.10 Installation and Upgrade Guide.
On the First Time Configuration Wizard Products page, select Security Gateway.
Do not select Security Management. The standalone environment (Security Gateway and Security Management Server) is not supported for VRRP.
Select Unit is part of a cluster.
Select VRRP Cluster from the list.
Continue with the next steps in the wizard.
When prompted to reboot the Security Gateway, click Cancel.
Do not reboot.
Do one of these steps:
- Run cpconfig on the Security Gateway. Select Enable cluster membership for this gateway to enable State synchronization.
  Note - This is the most common use and does not support active/active mode. You must configure VRRP so that the same cluster member is the VRRP master on all interfaces. Dynamic routing configuration must match on each cluster member.
  
  OR:
- Do not enable ClusterXL.
  Note - This is useful when each cluster member is required to be the VRRP master at the same time. You can configure two VRRP Virtual Routers on the same interface. Each cluster member can be the VRRP master for a different VRID on the same interface while it backs up the other. This configuration can also help run VRRP in a High-Availability pair with a device from another vendor. Disable the VRRP monitoring of the Firewall when you use this configuration. It is enabled by default but, but not supported with this configuration. In addition, only Static Routes are supported with this configuration.
Enter y when prompted.
Reboot the Security Gateway.

Do this procedure for each Virtual Router member.

When you complete this procedure for each VRRP member, do these steps in the Gaia Portal:

In the navigation tree, click High Availability > VRRP.
Refer to the VRRP Global Settings section.
If the Disable All Virtual Routers option is currently selected, clear it.
Click Apply Global Settings.

When you complete these procedures, define your Virtual Routers using the Gaia Portal or the Gaia Clish.

Configuring Global Settings for VRRP

This section includes shows you how to configure the global settings. Global settings apply to all Virtual Routers.

Configure these VRRP global settings:

Step	Description
1	In the navigation tree, click one of these: High Availability > VRRP. High Availability >Advanced VRRP.
2	In the VRRP Global Settings section: Cold Start Delay - Configures the delay period in seconds before a Security Gateway joins a Virtual Router. Default = 0. Interface Delay - Configure this when the Preempt Mode of VRRP was turned off. This is useful when the VRRP node with a higher priority is rebooted, but must not preempt the existing VRRP Master that is handling the traffic, but is configured with a lower priority. Sometimes interfaces that come up take longer than the VRRP timeout to process incoming VRRP Hello packets. The Interface Delay extends the time that VRRP waits to receive Hello packets from the existing VRRP Master. Disable All Virtual Routers - Select this option to disable all Virtual Routers defined on this Gaia system. Clear this option to enable all Virtual Routers. By default, all Virtual Routers are enabled. Monitor Firewall State - Select this option to let VRRP monitor the Security Gateway and automatically take appropriate action. This is enabled by default, which is the recommended setting when using VRRP with ClusterXL enabled. This must be disabled when using VRRP with ClusterXL disabled. Important - If you disable Monitor Firewall State, VRRP can assign VRRP Master status to a Security Gateway before it completes the boot process. This can cause more than one Security Gateway in a Virtual Router to have VRRP Master status.
3	Click Apply Global Settings.

Step

Description

In the navigation tree, click one of these:

High Availability > VRRP.
High Availability >Advanced VRRP.

In the VRRP Global Settings section:

Cold Start Delay - Configures the delay period in seconds before a Security Gateway joins a Virtual Router. Default = 0.
Interface Delay - Configure this when the Preempt Mode of VRRP was turned off. This is useful when the VRRP node with a higher priority is rebooted, but must not preempt the existing VRRP Master that is handling the traffic, but is configured with a lower priority. Sometimes interfaces that come up take longer than the VRRP timeout to process incoming VRRP Hello packets. The Interface Delay extends the time that VRRP waits to receive Hello packets from the existing VRRP Master.
Disable All Virtual Routers - Select this option to disable all Virtual Routers defined on this Gaia system. Clear this option to enable all Virtual Routers. By default, all Virtual Routers are enabled.
Monitor Firewall State - Select this option to let VRRP monitor the Security Gateway and automatically take appropriate action. This is enabled by default, which is the recommended setting when using VRRP with ClusterXL enabled. This must be disabled when using VRRP with ClusterXL disabled.
Important - If you disable Monitor Firewall State, VRRP can assign VRRP Master status to a Security Gateway before it completes the boot process. This can cause more than one Security Gateway in a Virtual Router to have VRRP Master status.

Click Apply Global Settings.

Configuration Notes:

Gaia starts to monitor the firewall after the cold start delay completes. This can cause some problems:

If all the Security Gateway (member) interfaces in a Virtual Router fail, all Security Gateways become VRRP Backups. None of the Security Gateways can become the VRRP Master and no traffic is allowed.
If you change the time on any of the Security Gateways (member), a failover occurs automatically.
In certain situations, installing a firewall policy causes a failover. This can happen if it takes a long time to install the policy.