Advanced Features and Procedures

In This Section:

Working with VPNs and Clusters

Working with NAT and Clusters

Working with VLANS and Clusters

Monitoring the Interface Link State

Bonding and Clusters

Advanced Cluster Configuration

Defining Non-Monitored Interfaces

Configuring Policy Update Timeout

Enhanced 3-Way TCP Handshake Enforcement

Cluster IP Addresses on Different Subnets

Converting a Security Gateway to a ClusterXL

Adding Another Member to an Existing Cluster

Removing a Member from an Existing Cluster

Configuring ISP Redundancy on a Cluster

Enabling Dynamic Routing Protocols in a Cluster Deployment

Working with VPNs and Clusters

Configuring VPN and Clusters

Configuring a cluster using SmartConsole is very similar to configuring a single Security Gateway. All attributes of the VPN are defined in the Cluster object, except for two attributes that are defined per Cluster Member.

  1. In SmartConsole, open the cluster object.
  2. In the left navigation tree, go to the Cluster Members page.
  3. Select each Cluster Member and click Edit.

    The Cluster Member Properties window opens.

  4. Go to the VPN tab:
    • In the Office Mode for Remote access section:

      If you wish to use Office Mode for Remote Access, select Offer Manual Office Mode and define the IP pool allocated to each Cluster Member.

    • In the Certificate List with keys stored on the Security Gateway section:

      If your Cluster Member supports hardware storage for IKE certificates, define the certificate properties. In that case, the Management Server directs the Cluster Member to create the keys and supply only the material required to create the certificate request. The certificate is downloaded to the Cluster Member during policy installation.

  5. Click OK to close the Cluster Member Properties window.
  6. In the left navigation tree, go to the ClusterXL and VRRP page.
  7. Make sure to select Use State Synchronization.

    This is required to synchronize IKE keys.

  8. In the left navigation tree, go to the Network Management > VPN Domain page.
  9. Define the encryption domain of the cluster.

    Select one of the two possible settings:

    • All IP addresses behind Cluster Members based on Topology information. This is the default option.
    • Manually defined. Use this option if the cluster IP address is not on the member network, in other words, if the cluster virtual IP address is on a different subnet than the Cluster Member interfaces. In that case, select a network or group of networks, which must include the virtual IP address of the cluster, and the network or group of networks behind the cluster.
  10. Click OK to close the Gateway Cluster Properties window.
  11. Install the Access Control Policy on this cluster object.

Defining VPN Peer Clusters with Separate Management Servers

When working with a VPN peer that is a Check Point Cluster, and the VPN peer is managed by a different Management Server, do NOT define another cluster object. Instead, do the following:

  1. In SmartConsole, go to Objects menu > More object types > Network Object > Gateways and Servers > More > New Externally Managed VPN Gateway.

    The Externally Managed Check Point Gateway window opens.

  2. In the General Properties page, configure the name and the IP address.
  3. In the Topology page, click New to add the external and internal cluster interfaces on the VPN peer.
  4. In the VPN Domain section of the Topology page, define the encryption domain of the externally managed Security Gateway to be behind the internal Virtual IP address of the Security Gateway.

    If the encryption domain is just one subnet, select All IP addresses behind Gateway based on Topology information.

    If the encryption domain includes more than one subnet, select Manually defined.

  5. Click OK.
  6. Install the Access Control Policy on this cluster object.
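The two encryption-domain rules above (for your own cluster in step 9 of "Configuring VPN and Clusters", and for an externally managed peer cluster in step 4 of this section) are easy to get wrong when the cluster virtual IP address sits on a different subnet than the member interfaces, because a "Manually defined" domain that omits the virtual IP silently breaks the VPN. The following script is an added example, not part of the Check Point guide and not a Check Point tool; it models those rules with the Python standard library so you can sanity-check a proposed domain before entering it in SmartConsole. All IP addresses, the `ClusterTopology` class and the function names are constructed for illustration.

```python
"""Sanity-check ClusterXL VPN domain settings before committing them in SmartConsole.

Added example (not from the Check Point guide). It encodes two rules stated in the guide:
  * own cluster: use the topology-based domain unless the cluster virtual IP is on a
    different subnet than the member interfaces; then use "Manually defined", and the
    manual domain must include the virtual IP and the networks behind the cluster;
  * externally managed peer cluster: one subnet behind the internal virtual IP means
    topology-based, more than one subnet means "Manually defined".
Sample addresses below are constructed, not taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ClusterTopology:
    """Hypothetical model of the cluster object's topology as shown in SmartConsole."""
    virtual_ip: str                      # cluster virtual IP address
    member_interface_subnets: list[str]  # subnets the Cluster Member interfaces sit on
    networks_behind: list[str]           # networks behind the cluster (the encryption domain proper)


def vip_on_member_network(topo: ClusterTopology) -> bool:
    """True when the virtual IP belongs to one of the member interface subnets."""
    vip = ipaddress.ip_address(topo.virtual_ip)
    return any(vip in ipaddress.ip_network(s, strict=False)
               for s in topo.member_interface_subnets)


def recommended_domain_setting(topo: ClusterTopology) -> str:
    """'topology' = "All IP addresses behind Cluster Members based on Topology information"
    (the default); 'manual' = "Manually defined", required when the VIP is off the member subnet."""
    return "topology" if vip_on_member_network(topo) else "manual"


def validate_manual_domain(topo: ClusterTopology, domain: list[str]) -> list[str]:
    """Check a "Manually defined" network/group. Returns a list of problems; empty means OK.
    The guide requires the domain to include the cluster virtual IP and the networks behind it."""
    nets = [ipaddress.ip_network(n, strict=False) for n in domain]
    problems = []
    vip = ipaddress.ip_address(topo.virtual_ip)
    if not any(vip in n for n in nets):
        problems.append(f"virtual IP {vip} is not covered by the manually defined domain")
    for behind in topo.networks_behind:
        b = ipaddress.ip_network(behind, strict=False)
        # subnet_of() only accepts same-version networks, so filter by version first
        if not any(b.subnet_of(n) for n in nets if n.version == b.version):
            problems.append(f"network {b} behind the cluster is not covered by the domain")
    return problems


def peer_domain_setting(networks_behind_internal_vip: list[str]) -> str:
    """Rule for an externally managed peer cluster: a single subnet behind the internal
    virtual IP can use the topology-based setting; several subnets need 'manual'."""
    distinct = {ipaddress.ip_network(n, strict=False) for n in networks_behind_internal_vip}
    return "topology" if len(distinct) == 1 else "manual"


# Constructed sample data: the VIP is on 203.0.113.0/24 while members sit on 198.51.100.0/24,
# so the topology-based default would not cover the VIP and a manual domain is required.
SAMPLE_OFF_SUBNET = ClusterTopology(
    virtual_ip="203.0.113.10",
    member_interface_subnets=["198.51.100.0/24"],
    networks_behind=["10.1.0.0/24", "10.2.0.0/24"],
)
SAMPLE_ON_SUBNET = ClusterTopology(
    virtual_ip="198.51.100.10",
    member_interface_subnets=["198.51.100.0/24"],
    networks_behind=["10.1.0.0/24"],
)
GOOD_MANUAL_DOMAIN = ["203.0.113.0/24", "10.1.0.0/24", "10.2.0.0/24"]
BAD_MANUAL_DOMAIN = ["10.1.0.0/24"]  # forgets the VIP and one network behind the cluster

if __name__ == "__main__":
    print("off-subnet VIP ->", recommended_domain_setting(SAMPLE_OFF_SUBNET))
    print("on-subnet VIP  ->", recommended_domain_setting(SAMPLE_ON_SUBNET))
    print("good domain    ->", validate_manual_domain(SAMPLE_OFF_SUBNET, GOOD_MANUAL_DOMAIN))
    print("bad domain     ->", validate_manual_domain(SAMPLE_OFF_SUBNET, BAD_MANUAL_DOMAIN))
    print("peer, 1 subnet ->", peer_domain_setting(["10.5.0.0/24"]))
    print("peer, 2 subnets->", peer_domain_setting(["10.5.0.0/24", "10.6.0.0/24"]))
```

Run it with the topology of your own cluster filled into `ClusterTopology`; if `recommended_domain_setting` returns `manual`, feed the network or group you intend to select into `validate_manual_domain` and fix every reported gap before installing policy.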