Print Download PDF Send Feedback

Previous

Next

Configuring ClusterXL in Bridge Mode - Active/Standby with Two Switches

Notes:

The Bridge Active/Standby mode is the preferred mode in topologies that support it.

In the Bridge Active/Standby mode, ClusterXL works in High Availability mode. For more information, see the R80.30 ClusterXL Administration Guide.

Example:

Item

Description

1

Network, which an administrator needs to divide into two Layer 2 segments.

The ClusterXL in Bridge Mode connects between these segments.

2

First network segment.

3

Switch that connects the first network segment to one bridged slave interface (4) on the ClusterXL in Bridge Mode.

4

One bridged slave interface (for example, eth1) on the Cluster Members in Bridge Mode.

5

Dedicated Gaia Management Interface (for example, eth0) on the Cluster Members.

6

First Cluster Member in Bridge Mode (for example, in the Active cluster state).

7

Network that connects dedicated synchronization interfaces (for example, eth3) on the ClusterXL in Bridge Mode.

8

Second Cluster Member in Bridge Mode (for example, in the Standby cluster state).

9

Another bridged slave interface (for example, eth2) on the Cluster Members in Bridge Mode.

10

Switch that connects the second network segment to the other bridged slave interface (9) on the ClusterXL in Bridge Mode.

11

Second network segment.

Workflow:

  1. Install the two Cluster Members.
  2. Configure the ClusterXL in High Availability mode in SmartConsole - in Wizard Mode, or Classic Mode.
  3. Configure the applicable policy for the ClusterXL Cluster in SmartConsole.
  4. Enable the Bridge Active/Standby mode on both Cluster Members.

Best practice - If you configure Bridge Active/Standby mode, disable STP, RSTP, and MSTP on the adjacent switches. See the applicable documentation for your switches.

Step 1 of 4: Install the two Cluster Members

Step

Description

1

Install the Gaia Operating System:

  • Installing the Gaia Operating System on a Check Point Appliance
  • Installing the Gaia Operating System on an Open Server

2

Run the Gaia First Time Configuration Wizard.

3

During the First Time Configuration Wizard, you must configure these settings:

  • In the Installation Type window, select Security Gateway and/or Security Management.
  • In the Products window:
    1. In the Products section, select Security Gateway only.
    2. In the Clustering section, select these two options:
      • Unit is a part of a cluster
      • ClusterXL
  • In the Secure Internal Communication window, enter the desired Activation Key (between 4 and 127 characters long).

Step 2 of 4: Configure the ClusterXL in High Availability mode in SmartConsole - Wizard Mode

Step

Description

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this ClusterXL.

2

From the left navigation panel, click Gateways & Servers.

3

Create a new Cluster object in one of these ways:

  • From the top toolbar, click the New (Star icon) > Cluster > Cluster.
  • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > Cluster > New Cluster.
  • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Cluster > Cluster.

4

In the Check Point Security Gateway Cluster Creation window, click Wizard Mode.

5

On the Cluster General Properties page:

  1. In the Cluster Name field, enter the desired name for this ClusterXL object.
  2. Configure the main Virtual IP address(es) for this ClusterXL object.

    In the Cluster IPv4 Address section, enter the main Virtual IPv4 address for this ClusterXL object.

    In the Cluster IPv6 Address section, enter the main Virtual IPv6 address for this ClusterXL object.

  3. In the Choose the Cluster's Solution field, select Check Point ClusterXL and High Availability.
  4. Click Next.

6

On the Cluster members' properties page, add the objects for the Cluster Members.

  1. Click Add > New Cluster Member.

    The Cluster Member Properties window opens.

  2. In the Name field, enter the desired name for this Cluster Member object.
  3. Configure the main physical IP address(es) for this Cluster Member object.

    In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

  4. In the Activation Key and Confirm Activation Key fields, enter the same Activation Key you entered during the Cluster Member's First Time Configuration Wizard.
  5. Click Initialize.
  6. Click OK.
  7. Repeat Steps a-f to add the second Cluster Member, and so on.

 

If the Trust State field does not show Established, perform these steps:

  1. Connect to the command line on the Cluster Member.
  2. Make sure there is a physical connectivity between the Cluster Member and the Management Server (for example, pings can pass).
  3. Run: cpconfig
  4. Enter the number of this option: Secure Internal Communication.
  5. Follow the instructions on the screen to change the Activation Key.
  6. In the SmartConsole, click Reset.
  7. Enter the same Activation Key you entered in the cpconfig menu.
  8. Click Initialize.

7

On the Cluster Topology pages, configure the roles of the cluster interfaces:

  1. Examine the IPv4 Network Address at the top of the page.
  2. Select the applicable role:
    • For cluster traffic interfaces, select Representing a cluster interface and configure the Cluster Virtual IPv4 address and its Net Mask.
    • For cluster synchronization interfaces, select Cluster Synchronization and select Primary only. Check Point cluster supports only one synchronization network.
    • For interfaces that do not pass the traffic between the connected networks, select Private use of each member (don't monitor members interfaces).
  3. Click Next.

8

On the Cluster Definition Wizard Complete page:

  1. Examine the Configuration Summary.
  2. Select Edit Cluster's Properties.
  3. Click Finish.

The Gateway Cluster Properties window opens.

9

On the General Properties page > Machine section:

  1. In the Name field, make sure you see the configured desired name for this ClusterXL object.
  2. In the IPv4 Address and IPv6 Address fields, make sure you see the configured IP addresses.

10

On the General Properties page > Platform section, select the correct options:

  1. In the Hardware field:

    If you install the Cluster Members on Check Point Appliances, select the correct appliances series.

    If you install the Cluster Members on Open Servers, select Open server.

  2. In the Version field, select R80.30.
  3. In the OS field, select Gaia.

11

On the General Properties page > Network Security tab:

  1. Make sure the ClusterXL Software Blade is selected.
  2. Enable the additional desired Software Blades.

Important:

  • See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode.
  • Do not select anything on the Management tab.

12

On the Cluster Members page:

  1. Click Add > New Cluster Member.

    The Cluster Member Properties window opens.

  2. In the Name field, enter the desired name for this Cluster Member object.
  3. Configure the main physical IP address(es) for this Cluster Member object.

    In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

  4. Click Communication.
  5. In the One-time password and Confirm one-time password fields, enter the same Activation Key you entered during the Cluster Member's First Time Configuration Wizard.
  6. Click Initialize.
  7. Click Close.
  8. Click OK.
  9. Repeat Steps a-h to add the second Cluster Member, and so on.

 

If the Trust State field does not show Established, perform these steps:

  1. Connect to the command line on the Cluster Member.
  2. Make sure there is a physical connectivity between the Cluster Member and the Management Server (for example, pings can pass).
  3. Run: cpconfig
  4. Enter the number of this option: Secure Internal Communication.
  5. Follow the instructions on the screen to change the Activation Key.
  6. In the SmartConsole, click Reset.
  7. Enter the same Activation Key you entered in the cpconfig menu.
  8. Click Initialize.

13

On the ClusterXL and VRRP page:

  1. In the Select the cluster mode and configuration section, select High Availability and ClusterXL.
  2. In the Tracking section, select the desired option.
  3. In the Advanced Settings section:
    • Optional: Select Use State Synchronization. We recommend to select this option.
    • Optional: Select Use Virtual MAC (for more information, see sk50840).
    • Select the High Availability recovery - Maintain current active Cluster Member, or Switch to higher priority Cluster Member.

14

On the Network Management page:

  1. Select each interface and click Edit. The Network: <Name of Interface> window opens.
  2. From the left navigation tree, click the General page.
  3. In the General section, in the Network Type field, select the applicable type:
    • For cluster traffic interfaces, select Cluster. Make sure the Cluster Virtual IPv4 address and its Net Mask are correct.
    • For cluster synchronization interfaces, select Sync or Cluster+Sync (we do not recommend this configuration). Check Point cluster supports only one synchronization network.
    • For interfaces that do not pass the traffic between the connected networks, select Private.
  4. In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each Cluster Member.

    Note - For cluster traffic interfaces, you can configure the Cluster Virtual IP address to be on a different network than the physical IP addresses of the Cluster Members. In this case, you must configure the required static routes on the Cluster Members.

  5. In the Topology section:
    • Make sure the settings are correct in the Leads To and Security Zone fields.
    • Make sure to enable the Anti-Spoofing.

Important:

  • Make sure the Bridge interface and Bridge slave interfaces are not in the Topology.
  • You cannot define the Topology of the Bridge interface. It is External by default.

15

Click OK.

16

Publish the SmartConsole session.

Step 2 of 4: Configure the ClusterXL in High Availability mode in SmartConsole - Classic Mode

Step

Description

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this ClusterXL.

2

From the left navigation panel, click Gateways & Servers.

3

Create a new Cluster object in one of these ways:

  • From the top toolbar, click the New (Star icon) > Cluster > Cluster.
  • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > Cluster > New Cluster.
  • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Cluster > Cluster.

4

In the Check Point Security Gateway Creation window, click Classic Mode.

The Gateway Cluster Properties window opens.

5

On the General Properties page > Machine section:

  1. In the Name field, enter the desired name for this ClusterXL object.
  2. In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

6

On the General Properties page > Platform section, select the correct options:

  1. In the Hardware field:

    If you install the Cluster Members on Check Point Appliances, select the correct appliances series.

    If you install the Cluster Members on Open Servers, select Open server.

  2. In the Version field, select R80.30.
  3. In the OS field, select Gaia.

7

On the General Properties page > Network Security tab:

  1. Make sure the ClusterXL Software Blade is selected.
  2. Enable the additional desired Software Blades.

Important:

  • See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode.
  • Do not select anything on the Management tab.

8

On the Cluster Members page:

  1. Click Add > New Cluster Member.

    The Cluster Member Properties window opens.

  2. In the Name field, enter the desired name for this Cluster Member object.
  3. Configure the main physical IP address(es) for this Cluster Member object.

    In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

  4. Click Communication.
  5. In the One-time password and Confirm one-time password fields, enter the same Activation Key you entered during the Cluster Member's First Time Configuration Wizard.
  6. Click Initialize.
  7. Click Close.
  8. Click OK.
  9. Repeat Steps a-h to add the second Cluster Member, and so on.

 

If the Trust State field does not show Established, perform these steps:

  1. Connect to the command line on the Cluster Member.
  2. Make sure there is a physical connectivity between the Cluster Member and the Management Server (for example, pings can pass).
  3. Run: cpconfig
  4. Enter the number of this option: Secure Internal Communication.
  5. Follow the instructions on the screen to change the Activation Key.
  6. In the SmartConsole, click Reset.
  7. Enter the same Activation Key you entered in the cpconfig menu.
  8. Click Initialize.

9

On the ClusterXL and VRRP page:

  1. In the Select the cluster mode and configuration section, select High Availability and ClusterXL.
  2. In the Tracking section, select the desired option.
  3. In the Advanced Settings section:
    • Optional: Select Use State Synchronization. We recommend to select this option.
    • Optional: Select Use Virtual MAC (for more information, see sk50840).
    • Select the High Availability recovery - Maintain current active Cluster Member, or Switch to higher priority Cluster Member.

10

On the Network Management page:

  1. Select each interface and click Edit. The Network: <Name of Interface> window opens.
  2. From the left navigation tree, click the General page.
  3. In the General section, in the Network Type field, select the applicable type:
    • For cluster traffic interfaces, select Cluster. Make sure the Cluster Virtual IPv4 address and its Net Mask are correct.
    • For cluster synchronization interfaces, select Sync or Cluster+Sync (we do not recommend this configuration). Check Point cluster supports only one synchronization network.
    • For interfaces that do not pass the traffic between the connected networks, select Private.
  4. In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each Cluster Member.

    Note - For cluster traffic interfaces, you can configure the Cluster Virtual IP address to be on a different network than the physical IP addresses of the Cluster Members. In this case, you must configure the required static routes on the Cluster Members.

  5. In the Topology section:
    • Make sure the settings are correct in the Leads To and Security Zone fields.
    • Make sure to enable the Anti-Spoofing.

Important:

  • Make sure the Bridge interface and Bridge slave interfaces are not in the Topology.
  • You cannot define the Topology of the Bridge interface. It is External by default.

11

Click OK.

12

Publish the SmartConsole session.

Step 3 of 4: Configure the applicable policy for the ClusterXL in SmartConsole

Step

Description

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this ClusterXL.

2

From the left navigation panel, click Security Policies.

3

Create a new policy and configure the applicable layers:

  1. At the top, click the + tab (or press CTRL T).
  2. On the Manage Policies tab, click Manage policies and layers.
  3. In the Manage policies and layers window, create a new policy and configure the applicable layers.
  4. Click Close.
  5. On the Manage Policies tab, click the new policy you created.

4

Create the applicable Access Control rules.

Important - See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode.

5

Install the Access Control Policy on the ClusterXL Cluster object.

6

Examine the cluster configuration:

  1. Connect to the command line on each Cluster Member.
  2. Run:
  • In Gaia Clish:

    show cluster state

  • In Expert mode:

    cphaprob state

Step 4 of 4: Enable the Bridge Active/Standby mode on both Cluster Members

Item

Description

1

Connect to the command line on each Cluster Member.

2

Run: cpconfig

3

Select Enable Check Point ClusterXL for Bridge Active/Standby.

4

Enter y to confirm.

5

Reboot the Cluster Member.

6

Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this ClusterXL.

7

In SmartConsole, install the Access Control Policy on this cluster object.

8

Examine the cluster configuration on each Cluster Member.

  • In Gaia Clish, run:

    show cluster state

  • In Expert mode, run:

    cphaprob state

Example output:

Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP Membership

Number Unique Address Firewall State (*)

1 (local) 2.2.2.3 Active

2 2.2.2.2 Standby