Print Download PDF Send Feedback

Previous

Next

Example 2: VSX Cluster managed by Multi-Domain Server

This example shows:

Related documentation:

Topology

Topology of the VSX Cluster:

Topology of the Virtual Systems in the cluster:

Multi-Domain Server and managed objects:

Interfaces and IP addresses:

Computer

Interface

IP Address / Net Mask

Description

VSX
Member 1

eth0

10.20.30.1/24

Main Cluster VIP 10.20.30.100/24

Dedicated Management Interface (DMI)

 

eth1

none

External physical interface

 

wrpX

192.168.10.1/24

Cluster VIP 192.168.10.100/24

External warp interface on Virtual System 1

Note - Interface name is generated automatically

 

wrpY

192.168.20.1/24

VIP 192.168.20.100/24

External warp interface on Virtual System 2

Note - Interface name is generated automatically

 

eth2

none

Internal physical interface - VLAN Trunk

 

eth2.11

172.30.10.1/24

Cluster VIP 172.30.10.100/24

Internal VLAN interface on Virtual System 1

 

eth2.22

172.30.20.1/24

Cluster VIP 172.30.10.100/24

Internal VLAN interface on Virtual System 2

 

eth3

192.168.200.1/24

Cluster Sync physical interface

VSX
Member 2

eth0

10.20.30.2/24

Cluster VIP 10.20.30.100/24

Dedicated Management Interface (DMI)

 

eth1

none

External physical interface

 

wrpX

192.168.10.2/24

Cluster VIP 192.168.10.100/24

External warp interface on Virtual System 1

Note - Interface name is generated automatically

 

wrpY

192.168.20.2/24

Cluster VIP 192.168.20.100/24

External warp interface on Virtual System 2

Note - Interface name is generated automatically

 

eth2

none

Internal physical interface - VLAN Trunk

 

eth2.11

172.30.10.2/24

Cluster VIP 172.30.10.100/24

Internal VLAN interface on Virtual System 1

 

eth2.22

172.30.10.2/24

Cluster VIP 172.30.10.100/24

Internal VLAN interface on Virtual System 2

 

eth3

192.168.200.2/24

Cluster Sync physical interface

Multi-
Domain
Server

eth0

10.20.30.200/24

Leading Interface that belongs to the Multi-Domain Server

 

eth0:1

10.20.30.210/24

Virtual interface that belongs to the Main Domain Management Server (DMS 1), which manages the VSX Cluster and Virtual Switch

 

eth0:2

10.20.30.211/24

Virtual interface that belongs to the Target Domain Management Server (DMS 2), which manages the Virtual System 1

 

eth0:3

10.20.30.212/24

Virtual interface that belongs to the Target Domain Management Server (DMS 3), which manages the Virtual System 2

Action Plan

  1. Install the Multi-Domain Server.
  2. Create the Main Domain Management Server in SmartConsole to manage the VSX Cluster and Virtual Switch.
  3. Create the Target Domain Management Server in SmartConsole to manage the Virtual System 1.
  4. Create the Target Domain Management Server in SmartConsole to manage the Virtual System 2.
  5. Install the VSX Cluster Member 1.
  6. Install the VSX Cluster Member 2.
  7. Create the VSX Cluster object with VSX Cluster Members in SmartConsole.
  8. Configure the VSX Cluster object in SmartConsole.
  9. Create the Virtual Switch object in SmartConsole.
  10. Create the first Virtual System object in SmartConsole.
  11. Configure the first Virtual System object in SmartConsole.
  12. Create the second Virtual System object in SmartConsole.
  13. Configure the second Virtual System object in SmartConsole.

Step 1: Install the Multi-Domain Server

Step

Description

1

Install a Check Point appliance or Open Server.

2

Install Gaia OS.

3

Run the Gaia First Time Configuration Wizard.

These settings are specific to the Multi-Domain Server:

  1. On the Management Connection page, select the applicable interface and configure the applicable IPv4 address.

    In our example: eth0, 10.20.30.200/24

  2. On the first Installation Type page, select Multi-Domain Server.
  3. On the second Installation Type page, select Primary Multi-Domain Server.
  4. On the Leading VIP Interfaces Configuration page, select the applicable interface.

    In our example: eth0

4

Install the applicable licenses.

5

Configure the applicable settings:

  1. Connect with SmartConsole to the Multi-Domain Server.
  2. Configure the applicable settings.
  3. Publish the session.

Step 2: Create the Main Domain Management Server that manages the VSX Cluster and Virtual Switch

Step

Description

1

Connect with SmartConsole to the Multi-Domain Server.

2

Create a new Domain and Domain Server.

In our example:

  • Name: DMS1
  • IPv4: 10.20.30.210/24

3

Publish the session.

4

Configure the Main Domain Management Server:

  1. Connect with SmartConsole to the Main Domain Management Server (DMS1).
  2. Configure the applicable Management Software Blades and settings:
  3. Publish the session.

Step 3: Create the Target Domain Management Server that manages the Virtual System 1

Step

Description

1

Connect with SmartConsole to the Multi-Domain Server.

2

Create a new Domain and Domain Server.

In our example:

  • Name: DMS2
  • IPv4: 10.20.30.211/24

3

Publish the session.

4

Configure the Target Domain Management Server:

  1. Connect with SmartConsole to the Target Domain Management Server (DMS2).
  2. Configure the applicable Management Software Blades and settings:
  3. Publish the session.

Step 4: Create the Target Domain Management Server that manages the Virtual System 2

Step

Description

1

Connect with SmartConsole to the Multi-Domain Server.

2

Create a new Domain and Domain Server.

In our example:

  • Name: DMS3
  • IPv4: 10.20.30.212/24

3

Publish the session.

4

Configure the Target Domain Management Server:

  1. Connect with SmartConsole to the Target Domain Management Server (DMS3).
  2. Configure the applicable Management Software Blades and settings:
  3. Publish the session.

Step 5: Install the VSX Cluster Member 1

Step

Description

1

Install a Check Point appliance or Open Server.

2

Make sure you have enough physical interfaces for your VSX topology.

3

Install Gaia OS.

4

Run the Gaia First Time Configuration Wizard.

These settings are specific to the VSX Cluster Member 1:

  1. On the Management Connection page, select the interface for the DMI management connection and configure the applicable IPv4 address.

    In our example: eth0, 10.20.30.1/24

  2. On the Internet Connection page, do not configure IP addresses on physical interfaces, to which your Virtual Systems connect directly.
  3. On the Installation Type page, select Security Gateway and/or Security Management.
  4. On the Products page, select Security Gateway.
  5. On the Dynamically Assigned IP page, select No.

5

Make sure to enable the applicable physical interfaces:

To enable a physical interface in Gaia Portal

  1. Connect to the Gaia Portal in your web browser.

    In our example: https://10.20.30.1

  2. Click Network Management > Network Interfaces.
  3. In the upper left corner, click the lock icon to obtain the configuration lock.
  4. Select the applicable physical interface > click Edit.
  5. Select Enable.
  6. Click OK.

To enable a physical interface in Gaia Clish, run:

  1. set interface <Name of Physical Interface> state on
  2. save config

6

Install the applicable licenses.

Step 6: Install the VSX Cluster Member 2

Step

Description

1

Install a Check Point appliance or Open Server.

2

Make sure you have enough physical interfaces for your VSX topology.

3

Install Gaia OS.

4

Run the Gaia First Time Configuration Wizard.

These settings are specific to the VSX Cluster Member 1:

  1. On the Management Connection page, select the interface for the DMI management connection and configure the applicable IPv4 address.

    In our example: eth0, 10.20.30.2/24

  2. On the Internet Connection page, do not configure IP addresses on physical interfaces, to which your Virtual Systems connect directly.
  3. On the Installation Type page, select Security Gateway and/or Security Management.
  4. On the Products page, select Security Gateway.
  5. On the Dynamically Assigned IP page, select No.

5

Make sure to enable the applicable physical interfaces:

To enable a physical interface in Gaia Portal

  1. Connect to the Gaia Portal in your web browser.

    In our example: https://10.20.30.2

  2. Click Network Management > Network Interfaces.
  3. In the upper left corner, click the lock icon to obtain the configuration lock.
  4. Select the applicable physical interface > click Edit.
  5. Select Enable.
  6. Click OK.

To enable a physical interface in Gaia Clish, run:

  1. set interface <Name of Physical Interface> state on
  2. save config

6

Install the applicable licenses.

Step 7: Create the VSX Cluster object with Cluster Members

See Introduction to VSX Clusters and Creating VSX Clusters.

Step

Description

1

Connect with SmartConsole to the Main Domain Management Server that manages the objects of the VSX Cluster and Virtual Switch.

In our example: DMS1

2

At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Cluster.

3

On the VSX Cluster General Properties (Specify the object's basic settings) page:

  1. In the Enter the VSX Cluster Name field, enter the desired name for this object.

    In our example: MyVsxCluster

  2. In the Enter the VSX Cluster IPv4 field, enter the Cluster Virtual IPv4 address that is configured on the Dedicated Management Interfaces (DMI).

    In our example: 10.20.30.100

  3. In the Enter the VSX Cluster IPv6 field, enter the Cluster Virtual IPv6 address that is configured on the Dedicated Management Interfaces (DMI).
  4. In the Select the VSX Cluster Version field, select the applicable Check Point version.

    In our example: R80.20

  5. In the Select the VSX Cluster Platform field, select the applicable VSX Cluster mode:

    In our example: ClusterXL

  6. Click Next.

4

On the Virtual Systems Creation Templates (Select the Creation Template most suitable for your VSX deployment) page:

  1. Select the applicable template.
  2. Click Next.

5

On the VSX Cluster Members (Define the members of this VSX Cluster) page:

Add the first VSX Cluster Member:

  1. Click Add.
  2. In the Cluster Member Name field, enter the desired name for this object.

    In our example: MyVsxMember1

  3. In the Cluster Member IPv4 Address field, enter the IPv4 address of the Dedicated Management Interface (DMI).

    In our example: eth0, 10.20.30.1

  4. In the Enter the VSX Gateway IPv6 field, enter the applicable IPv6 address.
  5. In the Activation Key field, enter the same Activation Key you entered during the First Time Configuration Wizard of this VSX Cluster Member.
  6. In the Confirm Activation Key field, enter the same Activation Key again.
  7. Click Initialize.
  8. Click OK.
  9. e Activation Key you entered in the cpconfig menu.
  10. Click Initialize.

 

If the Trust State field does not show Trust established, perform these steps:

  1. Connect to the command line on the VSX Cluster Member.
  2. Make sure there is a physical connectivity between the VSX Cluster Member and the Management Server (for example, pings can pass).
  3. Run: cpconfig
  4. Enter the number of this option: Secure Internal Communication
  5. Follow the instructions on the screen to change the Activation Key.
  6. On the VSX Cluster General Properties page, click Reset.
  7. Enter the same Activation Key you entered in the cpconfig menu.
  8. Click Initialize.

6

On the VSX Cluster Members (Define the members of this VSX Cluster) page:

Add the second VSX Cluster Member:

  1. Click Add.
  2. In the Cluster Member Name field, enter the desired name for this object.

    In our example: MyVsxMember2

  3. In the Cluster Member IPv4 Address field, enter the IPv4 address of the Dedicated Management Interface (DMI).

    In our example: eth0, 10.20.30.2

  4. In the Enter the VSX Gateway IPv6 field, enter the applicable IPv6 address.
  5. In the Activation Key field, enter the same Activation Key you entered during the First Time Configuration Wizard of this VSX Cluster Member.
  6. In the Confirm Activation Key field, enter the same Activation Key again.
  7. Click Initialize.
  8. Click OK.
  9. Click Next.

 

If the Trust State field does not show Trust established, perform these steps:

  1. Connect to the command line on the VSX Cluster Member.
  2. Make sure there is a physical connectivity between the VSX Cluster Member and the Management Server (for example, pings can pass).
  3. Run: cpconfig
  4. Enter the number of this option: Secure Internal Communication
  5. Follow the instructions on the screen to change the Activation Key.
  6. On the VSX Cluster General Properties page, click Reset.
  7. Enter the same Activation Key you entered in the cpconfig menu.
  8. Click Initialize.

7

On the VSX Cluster Interfaces (Physical Interfaces Usage) page:

  1. Examine the list of the interfaces - it must show all the physical interfaces on the VSX Gateway.
  2. If you plan to connect more than one Virtual System directly to same physical interface, you must select VLAN Trunk for that physical interface.

    In our example: eth2

  3. Click Next.

8

On the VSX Cluster members (Synchronization Network) page:

  1. Select the interface that will be used for state synchronization.

    In our example: eth3

  2. Configure the IPv4 addresses for the Sync interfaces on each VSX Cluster Member.

    In our example:

    MyVsxMember1 - 192.168.200.1 / 255.255.255.0

    MyVsxMember2 - 192.168.200.2 / 255.255.255.0

  3. Click Next.

9

On the Virtual Network Device Configuration (Specify the object's basic settings) page:

  1. You can select Create a Virtual Network Device and configure the first desired Virtual Network Device at this time (we recommend to do this later) - Virtual Switch or Virtual Router.
  2. Click Next.

10

On the VSX Gateway Management (Specify the management access rules) page:

  1. Examine the default access rules.
  2. Select the applicable default access rules.
  3. Configure the applicable source objects, if needed.
  4. Click Next.

Important - These access rules apply only to the VSX Gateway (context of VS0), which is not intended to pass any "production" traffic.

11

On the VSX Gateway Creation Finalization page:

  1. Click Finish and wait for the operation to finish.
  2. Click View Report for more information.
  3. Click Close.

12

Examine the VSX configuration:

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 8: Configure the VSX Cluster object

See Working with VSX Clusters.

Step

Description

1

From the left navigation toolbar, click Gateways & Servers.

2

Open the VSX Cluster object.

In our example: MyVsxCluster

3

Enable the applicable Software Blades.

Refer to:

4

Configure other applicable settings.

5

Click OK to push the updated VSX Configuration.

Click View Report for more information.

6

Install policy on the VSX Cluster object:

  1. Click Install Policy.
  2. In the Policy field, select the default policy for this VSX Cluster object.

    This policy is called: <Name of VSX Cluster object>_VSX.

    In our example: MyVsxCluster_VSX

  3. Click Install.

7

Examine the VSX configuration:

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 9: Create the Virtual Switch object

Step

Description

1

Connect with SmartConsole to the Main Domain Management Server that manages the objects of the VSX Cluster and Virtual Switch.

In our example: DMS1

2

Create the Virtual Switch object:

At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Virtual Switch.

3

On the VSX Switch General Properties (Define the object name and the hosting VSX) page:

  1. In the Name field, enter the desired name for this object.

    In our example: MyVsw

  2. In the VSX Gateway / Cluster field, select the applicable VSX Gateway or VSX Cluster object.

    In our example: MyVsxCluster

  3. Click Next.

4

On the VSX Switch Network Configuration (Define Virtual Switch Interfaces) page:

  1. Click Add.
  2. In the Interface field, select the applicable physical interface.

    In our example: eth2

  3. Click OK.
  4. Click Next.

5

On the VSX Switch Cluster Creation Finalization page:

  1. Click Finish and wait for the operation to finish.
  2. Click View Report for more information.
  3. Click Close.

6

Examine the VSX configuration:

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 10: Create the first Virtual System object

Step

Description

1

Connect with SmartConsole to the Target Domain Management Server that manages the object of the first Virtual System.

In our example: DMS2

2

In SmartConsole, create the first Virtual System object:

See Creating a New Virtual System.

At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Virtual System.

3

On the VSX System General Properties (Define the object name and the hosting VSX) page:

  1. In the Name field, enter the desired name for this object.

    In our example: MyVs1

  2. In the VSX Gateway / Cluster field, select the applicable VSX Gateway or VSX Cluster object.

    In our example: MyVsxCluster

  3. You can select Override Creation Template (Create Custom VS), if you need to override the creation template that was used for the initial configuration of the VSX Cluster object.
  4. Click Next.

4

On the Virtual System Network Configuration (Define Virtual System Interfaces and Routes) page:

In our example, this Virtual System connects to the Virtual Switch ("external") and to the physical VLAN Trunk interface ("internal") on the VSX Cluster Members.

In the Interfaces section, add the "external" interface:

  1. Click Add > Leads to Virtual Switch.

    Add Interface window opens.

  2. In the Leads to field, select the Virtual Switch your created earlier.

    In our example: MyVsxVsw

  3. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

    In our example: 192.168.10.1/24

  4. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.
  5. Click OK.

 

In the Interfaces section, add the "internal" interface:

  1. Click Add > Regular.
  2. In the Interface field, select the applicable physical interface - this is the "internal" interface.

    In our example: eth2 (that is marked as VLAN Trunk)

  3. In the VLAN tag field, enter the applicable number between 2 and 4094.

    In our example: 11 (to configure eth2.11)

  4. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

    In our example: 172.30.10.1/24

    You can select Propagate route to adjacent Virtual Devices (IPv4) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv4 connectivity between the neighboring Virtual Devices.

  5. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

    You can select Propagate route to adjacent Virtual Devices (IPv6) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv6 connectivity between the neighboring Virtual Devices.

  6. Click OK.

In the Routes section, click Add to configure the applicable static routes and the Default Route.

Click Next.

5

On the Virtual System Cluster Creation Finalization page:

  1. Click Finish and wait for the operation to finish.
  2. Click View Report for more information.
  3. Click Close.

6

Examine the VSX configuration:

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 11: Configure the first Virtual System object

See Modifying a Virtual System.

Step

Description

1

From the left navigation toolbar, click Gateways & Servers.

2

Open the first Virtual System object.

In our example: MyVs1

3

Enable the applicable Software Blades.

In our example: IPsec VPN blade

Refer to:

4

Configure other applicable settings.

5

Click OK to push the updated VSX Configuration.

6

Configure and install the applicable policy on the first Virtual System object.

7

Examine the VSX configuration:

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 12: Create the second Virtual System object

Step

Description

1

Connect with SmartConsole to the Target Domain Management Server that manages the object of the first Virtual System.

In our example: DMS3

2

In SmartConsole, create the first Virtual System object:

See Creating a New Virtual System.

At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Virtual System.

3

On the VSX System General Properties (Define the object name and the hosting VSX) page:

  1. In the Name field, enter the desired name for this object.

    In our example: MyVs2

  2. In the VSX Gateway / Cluster field, select the applicable VSX Gateway or VSX Cluster object.

    In our example: MyVsxCluster

  3. You can select Override Creation Template (Create Custom VS), if you need to override the creation template that was used for the initial configuration of the VSX Cluster object.
  4. Click Next.

4

On the Virtual System Network Configuration (Define Virtual System Interfaces and Routes) page:

In our example, this Virtual System connects to the Virtual Switch ("external") and to the physical VLAN Trunk interface ("internal") on the VSX Cluster Members.

In the Interfaces section, add the "external" interface:

  1. Click Add > Leads to Virtual Switch.
  2. In the Leads to field, select the Virtual Switch your created earlier.

    In our example: MyVsxVsw

  3. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

    In our example: 192.168.20.1/24

  4. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.
  5. Click OK.

 

In the Interfaces section, add the "internal" interface:

  1. Click Add > Regular.
  2. In the Interface field, select the applicable physical interface - this is the "internal" interface.

    In our example: eth2 (that is marked as VLAN Trunk)

  3. In the VLAN tag field, enter the applicable number between 2 and 4094.

    In our example: 22 (to configure eth2.22)

  4. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

    In our example: 172.30.20.1/24

    You can select Propagate route to adjacent Virtual Devices (IPv4) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv4 connectivity between the neighboring Virtual Devices.

  5. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

    You can select Propagate route to adjacent Virtual Devices (IPv6) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv6 connectivity between the neighboring Virtual Devices.

  6. Click OK.

In the Routes section, click Add to configure the applicable static routes and the Default Route.

Click Next.

5

On the Virtual System Cluster Creation Finalization page:

  1. Click Finish and wait for the operation to finish.
  2. Click View Report for more information.
  3. Click Close.

6

Examine the VSX configuration:

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 13: Configure the second Virtual System object

See Modifying a Virtual System.

Step

Description

1

From the left navigation toolbar, click Gateways & Servers.

2

Open the second Virtual System object.

In our example: MyVs2

3

Enable the applicable Software Blades.

In our example: Mobile Access blade

Refer to:

4

Configure other applicable settings.

5

Click OK to push the updated VSX Configuration.

6

Configure and install the applicable policy on the second Virtual System object.

7

Examine the VSX configuration:

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v
05 November 2019
Was this helpful?
Incorrect information Not what I'm looking for Too much information Confusing information
© 2019 Check Point Software Technologies Ltd. All rights reserved.