Check Point Software Compatibility

ClusterXL Compatibility with IPS

The following IPS features are supported by ClusterXL, with the limitations listed in the notes.

IPS Feature	Load Sharing	High Availability
Fragment Sanity Check	Yes (1, 3)	Yes (1)
Pattern Matching	Yes (2, 3)	Yes (2)
Sequence Verifier	Yes (2, 4)	Yes (2)
FTP, HTTP and SMTP Security Servers	Yes (2, 5)	Yes (2)

Notes:

If there is a cluster failover when fragments are being received, the packet will be lost.
Does not survive cluster failover.
Requires unidirectional stickiness. This means that the same Cluster Member must receive all external packets, and the same Cluster Member must receive all internal packets, but the same Cluster Member does not have to receive both internal and external packets.
Requires bidirectional connection stickiness.
Uses the cluster Forwarding Layer.

ClusterXL Compatibility (Excluding IPS)

The following table presents ClusterXL Load Sharing and High Availability compatibility. Some Check Point products and features are not supported, or are only partially supported for use with ClusterXL.

Feature or Product	Feature	LS	HA
Security Management		No	No
Security Gateway		Yes	Yes
Firewall	Authentication / Security Servers	Yes (1)	Yes (1)
Firewall	ACE servers and SecurID	Yes	Yes
Firewall	Application Intelligence protocol inspection (2)	Yes (3)	Yes
Firewall	Sequence Verifier	Yes (4)	Yes (1)
Firewall	UDP encapsulation	Yes	Yes
Firewall	Suspicious Activity Monitoring (SAM)	Yes	Yes
Firewall	ISP Redundancy	Yes	Yes
VPN	Third party VPN peers	Yes	Yes
Endpoint Security Client	Software Distribution Server (SDS)	No	No
Endpoint Security Client	IP per user in Office Mode	Yes	Yes
SecureXL		Yes	Yes
QoS		Yes (4, 5)	Yes
SmartProvisioning	SmartLSM Security Gateway	No	No

Notes:

If there is a cluster failover when fragments are being received, the packet will be lost.
Does not survive cluster failover.
Requires unidirectional stickiness. This means that the same Cluster Member must receive all external packets, and the same Cluster Member must receive all internal packets, but the same Cluster Member does not have to receive both internal and external packets.
Requires bidirectional connection stickiness.
Uses the cluster Forwarding Layer.

Example Configuration of a Cisco Catalyst Routing Switch

The following examples show how to perform the configuration needed to support ClusterXL on a Cisco Catalyst 6500 Series routing switch. For more details, or instructions for other networking devices, always refer to the device vendor documentation.

To disable IGMP snooping:

Cisco(config)# no ip igmp snooping

To disable multicast limits:

Cisco(config)# no storm-control multicast level

To define Static CAM entries:

To determine the MAC addresses that must be set:

On a network that has a Cluster Virtual IP address of x.y.z.w:
- If y<=127, the multicast MAC address would be 01:00:5e:y:z:w
  For example: 01:00:5e:5A:0A:64 for 192.90.10.100
- If y>127, the multicast MAC address would be 01:00:5e:(y-128):z:w
  For example: 01:00:5e:28:0A:64 for 192.168.10.100 (168 - 128 = 40 in dec = 28 in hex)
For a network x.y.z.0 that does not have a Cluster Virtual IP address, such as the Sync, you use the same procedure and substitute fa instead of 0 for the last octet of the MAC address.
- For example: 01:00:5e:00:00:fa for the 10.0.0.X network

To add a permanent CAM entry for the multicast MAC address for module 1 - port 1, and module 2 - ports 1, 3, and 8 through 12:

Cisco> (enable) set cam permanent 01-40-5e-28-0a-64 1/1,2/1,2/3,2/8-12
Permanent multicast entry added to CAM table.
Cisco> (enable)

To prevent multicast packets from reaching the router:

Determine the MAC addresses that must be set (see above).
Define a static CAM entry (entry will remain in the CAM table until the switch is reset). Run:
Cisco> (enable) set cam static <MAC address> module/port
Static unicast entry added to CAM table.
Cisco> (enable)

To define a static ARP entry:

Determine the MAC addresses that must be set (see above).
Define a static ARP entry. Run:
Cisco(config)# arp <MAC address> arpa