Using the Manual Configuration

The Cluster Gateway Properties window contains many different ClusterXL properties, as well as other properties related to Security Gateway and Software Blades functionality. This section includes only the properties and procedures directly related to ClusterXL.

Configuration Steps

Configuring General Properties

Adding a New Cluster Member to the Cluster Object

Adding an Existing Security Gateway as a Cluster Member to the Cluster Object

Deleting a Cluster Member from Cluster Object

Working with Cluster Topology

Completing the Cluster Definition

Changing the Synchronization Interface

Configuring General Properties

To configure the general properties of a cluster:

  1. In the Name field, enter a unique name for this cluster object.
  2. In the IPv4 Address field, enter the unique Cluster Virtual IPv4 address for this cluster.

    This is the main IPv4 address of the cluster object.

  3. In the Cluster IPv6 Address field, enter the unique Cluster Virtual IPv6 address for this cluster.

    This is the main IPv6 address of the cluster object.

    Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support pure IPv6 addresses.

  4. In the Hardware field, select the correct hardware platform.
  5. In the Version field, select the correct Check Point version.
  6. In the OS field, select the correct operating system.
  7. Configure the desired cluster type:
    • To work with ClusterXL or with VRRP on Gaia, select ClusterXL.

      Go to the ClusterXL and VRRP pane and configure the applicable settings.

    • To work with any other cluster mode, clear ClusterXL.

      Go to the 3rd Party Configuration pane and configure the applicable settings.

  8. Enable other Network Security Software Blades as necessary.

Adding a New Cluster Member to the Cluster Object

To add a new Cluster Member to the Cluster object:

  1. In SmartConsole, open the cluster object.
  2. Go to the Cluster Members page.
  3. Click Add > New Cluster Member.

    The Cluster Members Properties window opens.

  4. Click the General tab.
  5. In the Name field, enter a Cluster Member name.
  6. In the IPv4 Address field, enter a physical IPv4 address.

    The Management Server must be able to connect to the Cluster Member at this IPv4 address. This IPv4 address can be internal or external. You can use a dedicated management interface on the Cluster Member.

    Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

  7. In the IPv6 Address field, enter a physical IPv6 address, if you need to use IPv6.

    The Management Server must be able to connect to the Cluster Member at this IPv6 address. This IPv6 address can be internal or external. You can use a dedicated management interface on the Cluster Member.

    Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

  8. Click Communication, and initialize Secure Internal Communication (SIC) trust.

    Enter the same key you entered during the First Time Configuration Wizard on each Cluster Member.

  9. Click the NAT tab to configure the applicable NAT settings.
  10. Click the VPN tab to configure the applicable VPN settings.
  11. Click OK.

Adding an Existing Security Gateway as a Cluster Member to the Cluster Object

To add an existing Security Gateway as a Cluster Member to the Cluster object:

Before doing these steps, we recommend exporting a complete management database with the migrate export command.

  1. In SmartConsole, open the cluster object.
  2. Go to the Cluster Members page.
  3. Click Add > Add Existing Gateway.
  4. Select a Security Gateway from the list and click OK.
  5. Read the warning that is displayed and click Yes:

    If you add <Name_of_Security_Gateway_object> to the cluster, it will be converted to a cluster member.

    Some settings will be lost.

    The following settings will still remain:

    -SIC

    -VPN

    -NAT (except for IP Pools)

    In order to revert the conversion, session must be discarded.

    Are you sure you want to continue?

  6. In the list of Cluster Members, select the new Cluster Member and click Edit.
  7. Click the NAT tab to configure the applicable NAT settings.
  8. Click the VPN tab to configure the applicable VPN settings.
  9. Click OK.

Deleting a Cluster Member from Cluster Object

To delete an existing Cluster Member:

Before doing these steps, we recommend exporting a complete management database with the migrate export command.

  1. In SmartConsole, open the cluster object.
  2. Go to the Cluster Members page.
  3. Click Remove > Delete Cluster Member.
  4. Click OK.

    Important - This Cluster Member object will be deleted from the cluster object and from the management database.

Working with Cluster Topology

IPv6 Considerations

To activate IPv6 functionality for an interface, define an IPv6 address for the applicable interface on each Cluster Member and in the cluster object. All interfaces configured with an IPv6 address must also have a corresponding IPv4 address. If an interface does not require IPv6, only the IPv4 address definition is necessary.

Note - You must configure synchronization interfaces with IPv4 addresses only. This is because the synchronization mechanism works using IPv4 only. All IPv6 information and states are synchronized using this interface.

  1. In SmartConsole, open the cluster object.
  2. Go to the Network Management page.
  3. Select a cluster interface and click Edit.
  4. From the left navigation tree, click the General page:
    1. In the General section, configure these settings for Cluster Virtual Interface:
      • Network Type - one of these: Cluster, Sync, Cluster + Sync, Private

      The available network types (network objectives) and their descriptions are:

        • Cluster - An interface that connects to an internal or external network.
        • Cluster + Sync - A cluster interface that also works as a Synchronization interface. We do not recommend this configuration because it adds the Delta Sync traffic to the interface.
        • Sync - An interface used exclusively for cluster state synchronization.
        • Private - An interface that is not part of the cluster. ClusterXL does not monitor the state of this interface. As a result, there is no cluster failover if a fault occurs with this interface. This option is recommended for the management interface.

      • Virtual IPv4 - Virtual IPv4 address assigned to this Cluster Virtual Interface
      • Virtual IPv6 - Virtual IPv6 address assigned to this Cluster Virtual Interface

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

    2. In the Member IPs section, click Modify and configure these settings:
      • Physical IPv4 address and Mask Length assigned to the applicable physical interface on each Cluster Member
      • Physical IPv6 address and Mask Length assigned to the applicable physical interface on each Cluster Member

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

      See also: Configuring Cluster Addresses on Different Subnets.

    3. In the Topology section, click Modify and configure these settings:
      • Leads To - one of these: Internet (External), This Network (Internal)
      • Security Zone - one of these: User defined, According to topology (ExternalZone, InternalZone)
      • Anti-Spoofing - whether to perform the Anti-Spoofing, and how to do it (Detect, Prevent)
  5. From the left navigation tree, click the QoS page:
    1. In the Bandwidth section, configure these settings:
      • Inbound Active - rate limit for inbound traffic
      • Outbound Active - rate limit for outbound traffic
    2. In the DiffServ and Low Latency classes section, configure the applicable classes.
  6. From the left navigation tree, click the Advanced page:
    1. In the Multicast Restrictions section, configure the applicable settings for dropping multicast packets
    2. In the Interfaces Names section, configure the names of applicable interfaces
  7. Click OK.
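
The addressing rules in this section can be checked against a planned topology before it is entered in SmartConsole. The following is an added example, not Check Point tooling and not part of the original guide; the plan format, interface and member names, and addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# Constructed sample plan: hypothetical names, documentation-range addresses.
PLAN = [
    {"name": "eth0", "type": "Cluster", "virtual": ["192.0.2.10", "2001:db8:1::10"],
     "members": {"member1": ["192.0.2.11/24", "2001:db8:1::11/64"],
                 "member2": ["192.0.2.12/24", "2001:db8:1::12/64"]}},
    {"name": "eth1", "type": "Sync", "virtual": [],
     "members": {"member1": ["10.0.0.1/24", "2001:db8:2::1/64"],
                 "member2": ["10.0.0.2/24"]}},
    {"name": "eth2", "type": "Cluster + Sync", "virtual": ["198.51.100.10"],
     "members": {"member1": ["198.51.100.1/24"], "member2": ["198.51.100.2/24"]}},
    {"name": "eth3", "type": "Cluster", "virtual": ["2001:db8:3::10"],
     "members": {"member1": ["2001:db8:3::1/64"], "member2": ["2001:db8:3::2/64"]}},
]

NETWORK_TYPES = {"Cluster", "Sync", "Cluster + Sync", "Private"}

def families(addresses):
    """Return the set of IP versions (4 and/or 6) present in a list of addresses."""
    return {ipaddress.ip_interface(a).version for a in addresses}

def check_plan(plan):
    """Return (severity, interface, message) findings for the rules in this section."""
    findings = []
    for iface in plan:
        name, ntype = iface["name"], iface["type"]
        if ntype not in NETWORK_TYPES:
            findings.append(("error", name, f"unknown network type {ntype!r}"))
            continue
        scopes = {"virtual": iface["virtual"], **iface["members"]}
        for scope, addrs in scopes.items():
            vers = families(addrs)
            if 6 in vers and 4 not in vers:
                findings.append(("error", name, f"{scope}: IPv6 without corresponding IPv4"))
            # Assumption: the IPv4-only rule is applied to the dedicated Sync type only.
            if ntype == "Sync" and 6 in vers:
                findings.append(("error", name, f"{scope}: Sync interface must be IPv4 only"))
        if ntype == "Cluster + Sync":
            findings.append(("warn", name, "Delta Sync traffic shares this interface"))
        if ntype == "Private":
            findings.append(("info", name, "not monitored; a fault causes no failover"))
    return findings

if __name__ == "__main__":
    for severity, name, message in check_plan(PLAN):
        print(f"{severity:5} {name}: {message}")
```
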

Completing the Cluster Definition

  1. Configure other Software Blades and options in the cluster object as required (NAT, VPN, Remote Access, and other advanced options).
  2. Install the Access Control Policy on this cluster object.

Changing the Synchronization Interface

Important - Schedule a maintenance window, because changing the synchronization interface can impact the traffic.

To change the IPv4 address on the synchronization interface on Cluster Members:

  1. On each Cluster Member, change the IPv4 address on the Sync interface.

    Use Gaia Portal, or Gaia Clish.

  2. In SmartConsole, open the cluster object.
  3. In the Gateway Cluster Properties window, click the Network Management page.
  4. Click Get Interfaces > Get Interfaces With Topology.
  5. Make sure the settings are correct.
  6. Select the Sync interface and click Edit.
  7. From the left navigation tree, click the General page.
  8. In the General section, in the Network Type field, select Sync.
  9. Click OK.
  10. In SmartConsole, install the Access Control Policy on this cluster object.

To change the synchronization interface on Cluster Members to a new interface:

  1. On each Cluster Member, configure a new interface that you will use as a new Sync interface.

    Use Gaia Portal, or Gaia Clish.

  2. On each Cluster Member, delete the IPv4 address from the old Sync interface.

    Use Gaia Portal, or Gaia Clish.

  3. In SmartConsole, open the cluster object.
  4. In the Gateway Cluster Properties window, click the Network Management page.
  5. Click Get Interfaces > Get Interfaces With Topology.
  6. Make sure the settings are correct.
  7. Right-click on the old Sync interface and click Delete Interface.
  8. Select the new interface and click Edit.
  9. From the left navigation tree, click the General page.
  10. In the General section, in the Network Type field, select Sync.
  11. Click OK.
  12. In SmartConsole, install the Access Control Policy on this cluster object.