Configuring a VSX Cluster

In This Section:

An Example VSX cluster

Step 1 - Creating a VSX Cluster

Step 2 - Creating a Virtual Switch

Step 3 - Creating Virtual System 1

Step 4 - Creating a New Virtual System 2

Step 5 - Configuring the Policy on the Virtual Systems

An Example VSX cluster

Here we show how to configure a VSX cluster.

Use SmartDashboard for these basic cluster configurations.

In this example, we will:

Step 1: Create a VSX cluster with Virtual System Load Sharing (item 7 in the diagram)

Step 2: Create Virtual Switch (item 9)

Step 3: Create Virtual System 1 (item 11)

Step 4: Create Virtual System 2 (item 12)

Step 5: Configure the Policy and enable features on the Virtual Systems

You will need the command line interface to add more members, remove members, and upgrade members. Many advanced cluster management procedures require the command line.

Item	Description	Item	Description
1	Internet	8	Security Management Server
2	Router	9	Virtual Switch
3	Physical interface	10	Warp interface
4	VLAN Switch	11	Virtual System 1
5	Network 1	12	Virtual System 2
6	Network 2	13	VLAN Interface
7	VSX Gateway	14	VLAN Trunk

Step 1 - Creating a VSX Cluster

This section describes how to create a new VSX cluster using the VSX Cluster Wizard. The wizard guides you through the steps to configure a VSX cluster.

After completing the VSX Cluster Wizard, you can modify most cluster and member properties directly from SmartDashboard.

To create a new cluster:

Open SmartConsole.
If you are using Multi-Domain Security Management, open SmartDashboard from the Domain Management Server in which you are creating the cluster.
From the click New and then select VSX > Cluster.
The VSX Cluster Wizard > General Properties opens.

Defining Cluster General Properties

The Cluster General Properties page contains basic identification properties for VSX clusters.

VSX Cluster Name: Unique, alphanumeric name for the cluster. The name cannot contain spaces or special characters except the underscore.
VSX Cluster IP Address: IP address of the cluster. (In R80, use IPv4.)
VSX Cluster Version: VSX version to use for this cluster.
VSX Cluster Platform: Platform type hosting the cluster members.
- To create a HA cluster, select Check Point SecurePlatform (ClusterXL) from the list
- To create a Load Sharing (VSLS) cluster, Check Point ClusterXL Virtual System Load Sharing select from the list.

Note - All cluster members must use the type of platform, with the same specifications and configuration.

Selecting Creation Templates

Select Custom Configuration. You manually create a custom configuration without any template.

Adding Members

The VSX Cluster Members window defines the members of the new cluster. You must define at least two cluster members, and up to as many as eight members. You can add new members later.

To add a new cluster member:

In the VSX Cluster Members window, click Add.
The Member Properties window opens.
Enter the name and IP addresses for the cluster member.
Note: If you define an IPv6 IP address you must also have an IPv4 address.
Enter and confirm the activation key to initialize SIC trust between the cluster member and the management server.
Follow these steps for all cluster members.
Click Next to continue.

Defining Cluster Interfaces

The VSX Cluster Interfaces window lets you define physical interfaces as VLAN trunks. The list shows all interfaces currently defined on the VSX Gateway or cluster object.

To configure a VLAN trunk:

Select one or more interfaces to define them as VLAN trunks. You can clear an interface to remove the VLAN trunk assignment.

Important - You cannot define the management interface as a VLAN trunk. To use a VLAN as the management interface, you must define the VLAN on the Security Gateway before you use SmartDashboard to create the VSX Gateway.

Configuring Cluster Members

If you selected the custom configuration option, the VSX Cluster Members window appears. In this window, you define the synchronization IP address for each member.

To configure the cluster members:

Select the synchronization interface from the list.
Enter the synchronization interface addresses and net mask for each member.

Cluster Management

The VSX Gateway Management page allows you to define several security policy rules that protect the cluster itself. This policy is installed automatically on the new VSX cluster.

Note - This policy applies only to traffic destined for the cluster. Traffic destined for Virtual Systems, other virtual devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules covering the following services:

UDP: SNMP requests
TCP: SSH traffic
ICMP: Echo-request (ping)
TCP: HTTPS (secure HTTP) traffic

Configuring the Cluster Security Policy

Allow: Enable a rule to allow traffic for those services for which you wish to allow traffic. Clear a rule to block traffic. By default, all services are blocked.
For example, you may wish to allow UDP echo-request traffic in order to be able to ping cluster members from the management server.
Source: Click the arrow and select a Source Object from the list. The default value is *Any.
Click New Source Object to define a new source.

Completing the Wizard

To complete the VSX Cluster Wizard:

Click Next to continue and then click Finish to complete the VSX Cluster wizard.
It can take several minutes to complete. A message appears indicating successful or unsuccessful completion of the process.

If the process ends unsuccessfully, click View Report to view the error messages. Refer to the troubleshooting steps for more information
In SmartConsole, double-click the new VSX Cluster object.

Step 2 - Creating a Virtual Switch

Use the Virtual Switch Wizard to create a new Virtual Switch. You can modify the initial definition and configure advanced options after completing the wizard.

To create a new Virtual Switch:

Open SmartConsole.
From the Objects Bar (F11), click New > More > Network Object > Gateways and Servers > VSX > Virtual Switch.
The General Properties page of the Virtual Switch Wizard opens.
Enter the name of the Virtual Switch.
Select the VSX Gateway or cluster to which the Virtual Switch connects.
Click Next.
Click Add.
The Add Interface window opens.
In the Add Interface window, configure the interface on the Virtual Switch.
Click OK and then click Next.
Click Finish.

Step 3 - Creating Virtual System 1

You use the Virtual Systems Wizard to create a new Virtual System.

In this example configuration, create Virtual System 1.

You can modify the initial definition and configure advanced options after you complete the wizard.

To start the Virtual System wizard:

Open SmartDashboard.
Right-click the VSX Gateway and select VSX > Virtual System.
The Virtual System Wizard opens.

Defining General Properties

The General Properties wizard page defines the Virtual System object and the hosting VSX Gateway.

These are the parameters in this page:

Name: Unique, alphanumeric for the Virtual System. The name cannot contain spaces or special characters except the underscore.
VSX Cluster / Gateway: Select the VSX Gateway that is hosting the Virtual System.
Bridge Mode: Select this option to create a Virtual System in the Bridge Mode.
Override Creation Template: Select this option to override the creation template that was used for the initial configuration of the VSX Gateway.

Defining Network Configuration

The Virtual System Network Configuration page allows you to define internal and external interfaces as well as the IP address topology located behind the internal interface.

To configure the external and internal interfaces:

In the Interface table, define the external and internal interfaces, and links to devices.
You can add new interfaces and delete and change existing interfaces.

To add an interface, click Add. The Interface Properties window opens. Select an interface from the list and define is properties. Click Help for details regarding the various properties and options.

For this example, add two interfaces for each Virtual System:
- One external interface that leads to the Virtual System.
- One internal interface that leads to an available interface with a VLAN tag.
Select the Main IP Address from the list.
This IP address is usually assigned to the external interface and specifies the Virtual System address used with NAT or VPN connections.

To make an external IP address routable, select the external interface IP address as the main IP address.
Define network routing for your deployment.
Some routes are automatically defined by the interface definitions. For example, you define a default gateway route leading to an external Virtual Router or to the Virtual System external interface.

To manually add a default route to the Routes table, click Add Default Routes. Enter the default route IP address, or select the default Virtual Router. The Route Configuration window opens.
Complete the definition.

Completing the Definition

Click Next and then Finish to create the Virtual System. Please note that this may take several minutes to complete. A message appears indicating successful or unsuccessful completion of the process.

If the process ends unsuccessfully, click View Report to view the error messages.

After you create a Virtual System using the Virtual System Wizard, you can modify the topology and all other parameters (except the name of the Virtual System) using the Virtual System Properties window.

Step 4 - Creating a New Virtual System 2

Use the Virtual Systems Wizard to create a new Virtual System.

In this example configuration, create Virtual System 2.

Follow the instructions in Step 3 - Creating Virtual Systems 1.

Step 5 - Configuring the Policy on the Virtual Systems

Define the Policy and enable features on the Virtual Systems. The procedures for this are the same as on a Security Gateway.

For more about Security Policies, see the R80.10 Security Management Administration Guide.

To Learn More About VSX

To learn more about simplifying security for private clouds using VSX, see the R80.10 VSX Administration Guide.