1

Network, which an administrator needs to divide into two Layer 2 segments.

The ClusterXL in Bridge Mode connects between these segments.

2

First network segment.

3

Switch that connects the first network segment to one bridged slave interface (4) on the ClusterXL in Bridge Mode.

4

One bridged slave interface (for example, eth1) on the Cluster Members in Bridge Mode.

5

Dedicated Gaia Management Interface (for example, eth0) on the Cluster Members.

6

First Cluster Member in Bridge Mode (in the Active cluster state).

7

Network that connects dedicated synchronization interfaces (for example, eth3) on the ClusterXL in Bridge Mode.

8

Second Cluster Member in Bridge Mode (in the Active cluster state).

9

Another bridged slave interface (for example, eth2) on the Cluster Members in Bridge Mode.

10

Switch that connects the second network segment to the other bridged slave interface (9) on the ClusterXL in Bridge Mode.

11

Second network segment.

1

Install the Gaia Operating System:

• Installing the Gaia Operating System on a Check Point Appliance
• Installing the Gaia Operating System on an Open Server

2

Run the Gaia First Time Configuration Wizard.

3

During the First Time Configuration Wizard, you must configure these settings:

• In the Installation Type window, select Security Gateway and/or Security Management.
• In the Products window:
  1. In the Products section, select Security Gateway only.
  2. In the Clustering section, select these two options:
     • Unit is a part of a cluster
     • ClusterXL
• In the Secure Internal Communication window, enter the desired Activation Key (between 4 and 127 characters long).

1

In your web browser, connect to the Gaia Portal on the Security Gateway.

2

In the left navigation tree, click Network Management > Network Interfaces.

3

Make sure that the slave interfaces, which you wish to add to the Bridge interface, do not have IP addresses.

4

Click Add > Bridge.

To configure an existing Bridge interface, select the Bridge interface and click Edit.

5

On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).

6

Select the interfaces from the Available Interfaces list and then click Add.

Notes:

• A Bridge interface in Gaia can contain only two slave interfaces.
• Do not select the interface that you configured as Gaia Management Interface.

7

On the IPv4 tab, do not enter the IPv4 address.

8

On the IPv6 tab (optional), do not enter the IPv6 address.

9

Click OK.

1

Connect to the command line on the Security Gateway.

2

Log in to Gaia Clish.

3

Make sure that the slave interfaces, which you wish to add to the Bridge interface, do not have IP addresses. Run:

show interface <Name of Interface> ipv4-address

show interface <Name of Interface> ipv6-address

4

Add a new bridging group. Run:

add bridging group <Bridge Group ID 0 - 1024>

5

Add a slave interfaces to the new bridging group:

add bridging group <Bridge Group ID> interface <Name of First Slave Interface>

add bridging group <Bridge Group ID> interface <Name of Second Slave Interface>

6

Do not assign an IP address to the bridging group.

7

Save the configuration. Run:

save config

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this ClusterXL.

2

From the left navigation panel, click Gateways & Servers.

3

Create a new Cluster object in one of these ways:

• From the top toolbar, click the New () > Cluster > Cluster.
• In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > Cluster > New Cluster.
• In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Cluster > Cluster.

4

In the Check Point Security Gateway Cluster Creation window, click Wizard Mode.

5

On the Cluster General Properties page:

1. In the Cluster Name field, enter the desired name for this ClusterXL object.
2. Configure the main Virtual IP address(es) for this ClusterXL object.

   In the Cluster IPv4 Address section, enter the main Virtual IPv4 address for this ClusterXL object.

   In the Cluster IPv6 Address section, enter the main Virtual IPv6 address for this ClusterXL object.

3. In the Choose the Cluster's Solution field, select Check Point ClusterXL and High Availability.
4. Click Next.

6

On the Cluster members' properties page, add the objects for the Cluster Members.

1. Click Add > New Cluster Member.

   The Cluster Member Properties window opens.

2. In the Name field, enter the desired name for this Cluster Member object.
3. Configure the main physical IP address(es) for this Cluster Member object.

   In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

4. In the Activation Key and Confirm Activation Key fields, enter the same Activation Key you entered during the Cluster Member's First Time Configuration Wizard.
5. Click Initialize.
6. Click OK.
7. Repeat Steps a-f to add the second Cluster Member, and so on.

If the Trust State field does not show Established, perform these steps:

1. Connect to the command line on the Cluster Member.
2. Make sure there is a physical connectivity between the Cluster Member and the Management Server (for example, pings can pass).
3. Run: cpconfig
4. Enter the number of this option: Secure Internal Communication.
5. Follow the instructions on the screen to change the Activation Key.
6. In the SmartConsole, click Reset.
7. Enter the same Activation Key you entered in the cpconfig menu.
8. Click Initialize.

7

On the Cluster Topology page, configure the roles of the cluster interfaces:

1. Examine the IPv4 Network Address at the top of the page.
2. Select the applicable role:
   • For cluster traffic interfaces, select Representing a cluster interface and configure the Cluster Virtual IPv4 address and its Net Mask.
   • For cluster synchronization interfaces, select Cluster Synchronization and select Primary only. Check Point cluster supports only one synchronization network.
   • For interfaces that do not pass the traffic between the connected networks, select Private use of each member (don't monitor members interfaces).
3. Click Next.

8

On the Cluster Definition Wizard Complete page:

1. Examine the Configuration Summary.
2. Select Edit Cluster's Properties.
3. Click Finish.

The Gateway Cluster Properties window opens.

9

On the General Properties page > Machine section:

1. In the Name field, make sure you see the configured desired name for this ClusterXL object.
2. In the IPv4 Address and IPv6 Address fields, make sure you see the configured IP addresses.

10

On the General Properties page > Platform section, select the correct options:

1. In the Hardware field:

   If you install the Cluster Members on Check Point Appliances, select the correct appliances series.

   If you install the Cluster Members on Open Servers, select Open server.

2. In the Version field, select R80.30.
3. In the OS field, select Gaia.

11

On the General Properties page > Network Security tab:

1. Make sure the ClusterXL Software Blade is selected.
2. Enable the additional desired Software Blades.

Important:

• See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode.
• Do not select anything on the Management tab.

12

On the Cluster Members page:

1. Click Add > New Cluster Member.

   The Cluster Member Properties window opens.

2. In the Name field, enter the desired name for this Cluster Member object.
3. Configure the main physical IP address(es) for this Cluster Member object.

   In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

4. Click Communication.
5. In the One-time password and Confirm one-time password fields, enter the same Activation Key you entered during the Cluster Member's First Time Configuration Wizard.
6. Click Initialize.
7. Click Close.
8. Click OK.
9. Repeat Steps a-h to add the second Cluster Member, and so on.

If the Trust State field does not show Established, perform these steps:

1. Connect to the command line on the Cluster Member.
2. Make sure there is a physical connectivity between the Cluster Member and the Management Server (for example, pings can pass).
3. Run: cpconfig
4. Enter the number of this option: Secure Internal Communication.
5. Follow the instructions on the screen to change the Activation Key.
6. In the SmartConsole, click Reset.
7. Enter the same Activation Key you entered in the cpconfig menu.
8. Click Initialize.

13

On the ClusterXL and VRRP page:

1. In the Select the cluster mode and configuration section, select High Availability and ClusterXL.
2. In the Tracking section, select the desired option.
3. In the Advanced Settings section:
   • Optional: Select Use State Synchronization. We recommend to select this option.
   • Optional: Select Use Virtual MAC (for more information, see sk50840).
   • Select the High Availability recovery - Maintain current active Cluster Member, or Switch to higher priority Cluster Member.

14

On the Network Management page:

1. Select each interface and click Edit. The Network: <Name of Interface> window opens.
2. From the left navigation tree, click the General page.
3. In the General section, in the Network Type field, select the applicable type:
   • For cluster traffic interfaces, select Cluster. Make sure the Cluster Virtual IPv4 address and its Net Mask are correct.
   • For cluster synchronization interfaces, select Sync or Cluster+Sync (we do not recommend this configuration). Check Point cluster supports only one synchronization network.
   • For interfaces that do not pass the traffic between the connected networks, select Private.
4. In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each Cluster Member.

   Note - For cluster traffic interfaces, you can configure the Cluster Virtual IP address to be on a different network than the physical IP addresses of the Cluster Members. In this case, you must configure the required static routes on the Cluster Members.

5. In the Topology section:
   • Make sure the settings are correct in the Leads To and Security Zone fields.
   • Make sure to enable the Anti-Spoofing.

Important:

• Make sure the Bridge interface and Bridge slave interfaces are not in the Topology.
• You cannot define the Topology of the Bridge interface. It is External by default.

15

Click OK.

16

Publish the SmartConsole session.

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this ClusterXL.

2

From the left navigation panel, click Gateways & Servers.

3

Create a new Cluster object in one of these ways:

• From the top toolbar, click the New () > Cluster > Cluster.
• In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > Cluster > New Cluster.
• In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Cluster > Cluster.

4

In the Check Point Security Gateway Creation window, click Classic Mode.

The Gateway Cluster Properties window opens.

5

On the General Properties page > Machine section:

1. In the Name field, enter the desired name for this ClusterXL object.
2. In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

6

On the General Properties page > Platform section, select the correct options:

1. In the Hardware field:

   If you install the Cluster Members on Check Point Appliances, select the correct appliances series.

   If you install the Cluster Members on Open Servers, select Open server.

2. In the Version field, select R80.30.
3. In the OS field, select Gaia.

7

On the General Properties page > Network Security tab:

1. Make sure the ClusterXL Software Blade is selected.
2. Enable the additional desired Software Blades.

Important:

• See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode.
• Do not select anything on the Management tab.

8

On the Cluster Members page:

1. Click Add > New Cluster Member.

   The Cluster Member Properties window opens.

2. In the Name field, enter the desired name for this Cluster Member object.
3. Configure the main physical IP address(es) for this Cluster Member object.

   In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard. Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

4. Click Communication.
5. In the One-time password and Confirm one-time password fields, enter the same Activation Key you entered during the Cluster Member's First Time Configuration Wizard.
6. Click Initialize.
7. Click Close.
8. Click OK.
9. Repeat Steps a-h to add the second Cluster Member, and so on.

If the Trust State field does not show Established, perform these steps:

1. Connect to the command line on the Cluster Member.
2. Make sure there is a physical connectivity between the Cluster Member and the Management Server (for example, pings can pass).
3. Run: cpconfig
4. Enter the number of this option: Secure Internal Communication.
5. Follow the instructions on the screen to change the Activation Key.
6. In the SmartConsole, click Reset.
7. Enter the same Activation Key you entered in the cpconfig menu.
8. Click Initialize.

9

On the ClusterXL and VRRP page:

1. In the Select the cluster mode and configuration section, select High Availability and ClusterXL.
2. In the Tracking section, select the desired option.
3. In the Advanced Settings section:
   • Optional: Select Use State Synchronization. We recommend to select this option.
   • Optional: Select Use Virtual MAC (for more information, see sk50840).
   • Select the High Availability recovery - Maintain current active Cluster Member, or Switch to higher priority Cluster Member.

10

On the Network Management page:

1. Select each interface and click Edit. The Network: <Name of Interface> window opens.
2. From the left navigation tree, click the General page.
3. In the General section, in the Network Type field, select the applicable type:
   • For cluster traffic interfaces, select Cluster. Make sure the Cluster Virtual IPv4 address and its Net Mask are correct.
   • For cluster synchronization interfaces, select Sync or Cluster+Sync (we do not recommend this configuration). Check Point cluster supports only one synchronization network.
   • For interfaces that do not pass the traffic between the connected networks, select Private.
4. In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each Cluster Member.

   Note - For cluster traffic interfaces, you can configure the Cluster Virtual IP address to be on a different network than the physical IP addresses of the Cluster Members. In this case, you must configure the required static routes on the Cluster Members.

5. In the Topology section:
   • Make sure the settings are correct in the Leads To and Security Zone fields.
   • Make sure to enable the Anti-Spoofing.

Important:

• Make sure the Bridge interface and Bridge slave interfaces are not in the Topology.
• You cannot define the Topology of the Bridge interface. It is External by default.

11

Click OK.

12

Publish the SmartConsole session.

1

Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this ClusterXL.

2

From the left navigation panel, click Security Policies.

3

Create a new policy and configure the applicable layers:

1. At the top, click the + tab (or press CTRL T).
2. On the Manage Policies tab, click Manage policies and layers.
3. In the Manage policies and layers window, create a new policy and configure the applicable layers.
4. Click Close.
5. On the Manage Policies tab, click the new policy you created.

4

Create the applicable Access Control rules.

Important - See the Supported Software Blades in Bridge Mode and Limitations in Bridge Mode.

5

Install the Access Control Policy on the ClusterXL Cluster object.

6

Examine the cluster configuration:

1. Connect to the command line on each Cluster Member.
2. Run:

   In Gaia Clish:

   show cluster state

   In Expert mode:

   cphaprob state

Example output:

Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP Membership

Number Unique Address Firewall State (*)

1 (local) 2.2.2.3 Active

2 2.2.2.2 Active