The following IPS features are supported by ClusterXL, with the limitations listed in the notes.
| IPS Feature | Load Sharing | High Availability |
|---|---|---|
| Fragment Sanity Check | Yes (1, 3) | Yes (1) |
| Pattern Matching | Yes (2, 3) | Yes (2) |
| Sequence Verifier | Yes (2, 4) | Yes (2) |
| FTP, HTTP and SMTP Security Servers | Yes (2, 5) | Yes (2) |
Notes:
The following table presents ClusterXL Load Sharing (LS) and High Availability (HA) compatibility. Some Check Point products and features are not supported, or are only partially supported, for use with ClusterXL.
| Feature or Product | Feature | LS | HA |
|---|---|---|---|
| Security Management | | No | No |
| Security Gateway | | Yes | Yes |
| Firewall | Authentication / Security Servers | Yes (1) | Yes (1) |
| Firewall | ACE servers and SecurID | Yes | Yes |
| Firewall | Application Intelligence protocol inspection (2) | Yes (3) | Yes |
| Firewall | Sequence Verifier | Yes (4) | Yes (1) |
| Firewall | UDP encapsulation | Yes | Yes |
| Firewall | Suspicious Activity Monitoring (SAM) | Yes | Yes |
| Firewall | ISP Redundancy | Yes | Yes |
| VPN | Third party VPN peers | Yes | Yes |
| Endpoint Security Client | Software Distribution Server (SDS) | No | No |
| Endpoint Security Client | IP per user in Office Mode | Yes | Yes |
| SecureXL | | Yes | Yes |
| QoS | | Yes (4, 5) | Yes |
| SmartProvisioning | SmartLSM Security Gateway | No | No |
Notes:
The following examples show the configuration needed to support ClusterXL on a Cisco Catalyst 6500 Series routing switch. Commands shown at the Cisco(config)# prompt are entered in IOS configuration mode; commands shown at the Cisco> (enable) prompt are CatOS commands on the switch supervisor. For more details, or for instructions for other networking devices, always refer to the device vendor documentation.
To disable IGMP snooping (with snooping disabled the switch floods multicast frames, including the cluster's, to every port in the VLAN; the permanent CAM entries below restrict the cluster multicast MAC address to the listed ports):
Cisco(config)# no ip igmp snooping
To disable multicast limits:
Cisco(config)# no storm-control multicast level
To define static CAM entries:
First determine the multicast MAC addresses that must be set. For a Cluster Virtual IP address x.y.z.w, the multicast MAC address starts with the prefix 01:00:5e, followed by the last three octets of the IP address written in hexadecimal:
- If y <= 127, the multicast MAC address is 01:00:5e:y:z:w. For example, 01:00:5e:5A:0A:64 for 192.90.10.100.
- If y > 127, the multicast MAC address is 01:00:5e:(y-128):z:w. For example, 01:00:5e:28:0A:64 for 192.168.10.100 (168 - 128 = 40 in decimal = 28 in hex).
For a network x.y.z.0 that does not have a Cluster Virtual IP address, such as the Sync network, use the same procedure and substitute fa for 0 in the last octet of the MAC address.
To add a permanent CAM entry for the multicast MAC address on module 1, port 1, and on module 2, ports 1, 3, and 8 through 12:
Cisco> (enable) set cam permanent 01-00-5e-28-0a-64 1/1,2/1,2/3,2/8-12
Permanent multicast entry added to CAM table.
Cisco> (enable)
To prevent multicast packets from reaching the router:
Cisco> (enable) set cam static <MAC address> module/port
Static unicast entry added to CAM table.
Cisco> (enable)
To define a static ARP entry on the router that maps the Cluster Virtual IP address to its multicast MAC address (routers generally do not accept an ARP reply that carries a multicast MAC address, so the mapping must be configured statically):
Cisco(config)# arp <IP address> <MAC address> arpa
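The MAC derivation and the CAM and ARP commands above, as an added example that is not code from the Check Point page or from the product: it computes the ClusterXL multicast MAC address for a Cluster Virtual IP address by the rule given above (prefix 01:00:5e, then y, z, w in hex with y reduced by 128 when y > 127, and fa as the last octet for a network such as Sync that has no Cluster Virtual IP address), then renders the matching CatOS permanent CAM entry and IOS static ARP entry. The sample addresses, the port list and the function names are assumptions for illustration.

```python
"""Added example, not code from the Check Point page or product.

Derives the ClusterXL multicast MAC address for a Cluster Virtual IP address
and renders the CatOS 'set cam permanent' and IOS 'arp ... arpa' lines for it.
Sample addresses, port lists and function names are assumptions.
"""
import ipaddress

MULTICAST_OUI = (0x01, 0x00, 0x5E)  # fixed prefix 01:00:5e from the page


def cluster_multicast_mac(address, sync_network=False):
    """Return the multicast MAC (colon-separated, lowercase) for x.y.z.w.

    Rule from the page: 01:00:5e:y:z:w, with y reduced by 128 when y > 127
    (i.e. only the low 7 bits of y are kept).  With sync_network=True the
    page's rule for a network x.y.z.0 without a Cluster Virtual IP address
    applies: the last octet becomes fa instead of 00.
    """
    _x, y, z, w = ipaddress.IPv4Address(address).packed
    if sync_network and w != 0:
        raise ValueError("the Sync rule expects a network address x.y.z.0")
    second = y - 128 if y > 127 else y   # same as y & 0x7f
    last = 0xFA if sync_network else w
    octets = (*MULTICAST_OUI, second, z, last)
    return ":".join(f"{o:02x}" for o in octets)


def catos_permanent_cam(mac, ports):
    """CatOS 'set cam permanent' line; CatOS writes the MAC dash-separated.

    ports is a list of module/port specs such as ["1/1", "2/8-12"].
    """
    return f"set cam permanent {mac.replace(':', '-')} {','.join(ports)}"


def ios_static_arp(address, mac):
    """IOS static ARP entry 'arp <ip> <mac> arpa'; IOS writes the MAC as xxxx.xxxx.xxxx."""
    digits = mac.replace(":", "")
    dotted = ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    return f"arp {address} {dotted} arpa"


if __name__ == "__main__":
    # The page's two worked VIPs plus an assumed Sync network 10.0.0.0.
    ports = ["1/1", "2/1", "2/3", "2/8-12"]
    for vip in ("192.90.10.100", "192.168.10.100"):
        mac = cluster_multicast_mac(vip)
        print(catos_permanent_cam(mac, ports))
        print(ios_static_arp(vip, mac))
    sync_mac = cluster_multicast_mac("10.0.0.0", sync_network=True)
    print(catos_permanent_cam(sync_mac, ["1/1", "2/1"]))
```

Run it and compare the first CatOS line with the `set cam permanent` example above; the 192.168.10.100 case reproduces 01-00-5e-28-0a-64, and the Sync case yields a MAC ending in fa, as the rule requires.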