
Check Point Software Compatibility

ClusterXL Compatibility with IPS

The following IPS features are supported by ClusterXL, with the limitations listed in the notes.

IPS Feature                          | Load Sharing | High Availability
-------------------------------------|--------------|------------------
Fragment Sanity Check                | Yes (1, 3)   | Yes (1)
Pattern Matching                     | Yes (2, 3)   | Yes (2)
Sequence Verifier                    | Yes (2, 4)   | Yes (2)
FTP, HTTP and SMTP Security Servers  | Yes (2, 5)   | Yes (2)

Notes:

  1. If there is a cluster failover when fragments are being received, the packet will be lost.
  2. Does not survive cluster failover.
  3. Requires unidirectional stickiness. This means that the same Cluster Member must receive all external packets, and the same Cluster Member must receive all internal packets, but the same Cluster Member does not have to receive both internal and external packets.
  4. Requires bidirectional connection stickiness.
  5. Uses the cluster Forwarding Layer.

ClusterXL Compatibility (Excluding IPS)

The following table presents ClusterXL Load Sharing and High Availability compatibility. Some Check Point products and features are not supported, or are only partially supported for use with ClusterXL.

Feature or Product        | Feature                                           | Load Sharing (LS) | High Availability (HA)
--------------------------|---------------------------------------------------|-------------------|-----------------------
Security Management       |                                                   | No                | No
Security Gateway          |                                                   | Yes               | Yes
Firewall                  | Authentication / Security Servers                 | Yes (1)           | Yes (1)
Firewall                  | ACE servers and SecurID                           | Yes               | Yes
Firewall                  | Application Intelligence protocol inspection (2)  | Yes (3)           | Yes
Firewall                  | Sequence Verifier                                 | Yes (4)           | Yes (1)
Firewall                  | UDP encapsulation                                 | Yes               | Yes
Firewall                  | Suspicious Activity Monitoring (SAM)              | Yes               | Yes
Firewall                  | ISP Redundancy                                    | Yes               | Yes
VPN                       | Third party VPN peers                             | Yes               | Yes
Endpoint Security Client  | Software Distribution Server (SDS)                | No                | No
Endpoint Security Client  | IP per user in Office Mode                        | Yes               | Yes
SecureXL                  |                                                   | Yes               | Yes
QoS                       |                                                   | Yes (4, 5)        | Yes
SmartProvisioning         | SmartLSM Security Gateway                         | No                | No

Notes:

  1. If there is a cluster failover when fragments are being received, the packet will be lost.
  2. Does not survive cluster failover.
  3. Requires unidirectional stickiness. This means that the same Cluster Member must receive all external packets, and the same Cluster Member must receive all internal packets, but the same Cluster Member does not have to receive both internal and external packets.
  4. Requires bidirectional connection stickiness.
  5. Uses the cluster Forwarding Layer.

Example Configuration of a Cisco Catalyst Routing Switch

The following examples show how to perform the configuration needed to support ClusterXL on a Cisco Catalyst 6500 Series routing switch. For more details, or instructions for other networking devices, always refer to the device vendor documentation.

To disable IGMP snooping:

Cisco(config)# no ip igmp snooping

To disable multicast limits:

Cisco(config)# no storm-control multicast level

To define Static CAM entries:

To determine the MAC addresses that must be set:

  1. On a network that has a Cluster Virtual IP address of x.y.z.w (each octet is written in hexadecimal in the MAC address):
    • If y<=127, the multicast MAC address is 01:00:5e:y:z:w

      For example: 01:00:5e:5A:0A:64 for 192.90.10.100

    • If y>127, the multicast MAC address is 01:00:5e:(y-128):z:w

      For example: 01:00:5e:28:0A:64 for 192.168.10.100 (168 - 128 = 40 in decimal = 28 in hexadecimal)

  2. For a network x.y.z.0 that does not have a Cluster Virtual IP address, such as the Sync network, use the same procedure but substitute fa for the last octet of the MAC address (which would otherwise be 00).
    • For example: 01:00:5e:00:00:fa for the 10.0.0.X network

To add a permanent CAM entry for the multicast MAC address for module 1 - port 1, and module 2 - ports 1, 3, and 8 through 12:

Cisco> (enable) set cam permanent 01-00-5e-28-0a-64 1/1,2/1,2/3,2/8-12
Permanent multicast entry added to CAM table.
Cisco> (enable)
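The MAC derivation above and the resulting CAM command, as an added example that is not from the Check Point documentation: a small Python helper (the function names `clusterxl_multicast_mac` and `catos_cam_command` are my own) that computes the multicast MAC for a Cluster Virtual IP, handles the Sync-network variant with the fa last octet, and emits the `set cam permanent` line in Cisco dash notation. The rule the page describes is the standard IPv4 multicast-to-MAC mapping (the low 23 bits of the address appended to 01:00:5e), which is why 128 is subtracted from the second octet when it exceeds 127.

```python
# Added example (not Check Point's code): derive the ClusterXL multicast MAC
# from a Cluster Virtual IP using the rule on the page, then build the
# Catalyst 'set cam permanent' command for it.
import ipaddress

# Constructed sample port list, matching the page's module/port example.
SAMPLE_PORTS = "1/1,2/1,2/3,2/8-12"


def clusterxl_multicast_mac(vip: str, sync_network: bool = False) -> str:
    """Return the multicast MAC (colon form) for a Cluster Virtual IP.

    For a network without a Cluster Virtual IP (for example the Sync
    network), pass the network address x.y.z.0 with sync_network=True;
    the page says to use fa instead of 00 for the last octet in that case.
    """
    addr = ipaddress.IPv4Address(vip)  # validates the dotted-quad input
    _x, y, z, w = addr.packed          # four octets as integers
    if sync_network:
        if w != 0:
            raise ValueError("sync network must be given as x.y.z.0")
        w = 0xFA
    # Keep only the low 7 bits of the second octet (y-128 when y>127),
    # which is the 23-bit IPv4 multicast-to-MAC mapping.
    y_folded = y - 128 if y > 127 else y
    return f"01:00:5e:{y_folded:02x}:{z:02x}:{w:02x}"


def catos_cam_command(vip: str, ports: str, sync_network: bool = False) -> str:
    """Build the CatOS 'set cam permanent' line, MAC in Cisco dash notation."""
    mac = clusterxl_multicast_mac(vip, sync_network).replace(":", "-")
    return f"set cam permanent {mac} {ports}"


if __name__ == "__main__":
    for ip in ("192.90.10.100", "192.168.10.100"):
        print(ip, "->", clusterxl_multicast_mac(ip))
    print("10.0.0.0 (sync) ->", clusterxl_multicast_mac("10.0.0.0", sync_network=True))
    print(catos_cam_command("192.168.10.100", SAMPLE_PORTS))
```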

To prevent multicast packets from reaching the router:

  1. Determine the MAC addresses that must be set (see above).
  2. Define a static CAM entry (entry will remain in the CAM table until the switch is reset). Run:

    Cisco> (enable) set cam static <MAC address> module/port
    Static unicast entry added to CAM table.
    Cisco> (enable)

To define a static ARP entry:

  1. Determine the MAC addresses that must be set (see above).
  2. Define a static ARP entry. Run:

    Cisco(config)# arp <IP address> <MAC address> arpa