Configuring ClusterXL

In This Section:

Installing Cluster Members

Configuring Routing for Client Computers

Configuring the CCP Transport Mode on the Cluster Members

Configuring the CCP Encryption on the Cluster Members

Configuring the Cluster Object and Members

Configuring a ClusterXL in Bridge Mode

This procedure describes how to configure the Load Sharing Multicast, Load Sharing Unicast, and High Availability modes from scratch.

The configuration of these three modes is identical, apart from the mode selection in the SmartConsole Cluster object or in the Cluster creation wizard.

Important:

  • Load Sharing modes are only supported with the required R80.30 Jumbo Hotfix Accumulator. For instructions, see sk162637.
  • To upgrade a ClusterXL that works in a Load Sharing mode from a lower version to R80.30, follow these steps in the same maintenance window:
    1. Upgrade the ClusterXL to R80.30.
    2. Install the required R80.30 Jumbo Hotfix Accumulator. For instructions, see sk162637.

Installing Cluster Members

Important - See Hardware Requirements for Cluster Members and Software Requirements for Cluster Members.

To install new Cluster Members for ClusterXL:

  1. Install and configure Check Point Security Gateways that will be configured as Cluster Members.
    • For installation and initial configuration procedures, see the R80.30 Installation and Upgrade Guide.
    • During the Gaia First Time Configuration Wizard, enable ClusterXL.
    • You must run cpconfig from the command line and select Enable cluster membership for this gateway. This change requires a reboot.
  2. Using Gaia Portal or Gaia Clish, define an IP address on each interface on all Cluster Members.

    Note - Do not define IPv6 addresses for synchronization interfaces.

  3. On Cluster Members that will participate in a VPN community, you must synchronize the clocks to within one second of each other. If these Cluster Members are constantly up and running, it is usually enough to set the time once. More reliable synchronization can be achieved with NTP or another time synchronization service supplied by the operating system.
  4. Connect the Cluster Members to each other and to the networks through switches. For the synchronization interfaces, you can use a cross cable or a dedicated switch. Make sure that each network (internal, external, synchronization, DMZ, and so on) is configured on a separate VLAN or network segment.

Note - You can also perform synchronization over a WAN.

Configuring Routing for Client Computers

Example topology:

[internal network 10.10.2.0/24] --- (VIP 10.10.2.100/24) [Cluster] (VIP 192.168.2.100/24) --- [external network 192.168.2.0/24]

To configure routing for client computers:

  1. Computers on the internal network 10.10.2.0/24 should be configured with Default Gateway IP 10.10.2.100.
  2. Computers on the external network 192.168.2.0/24 should be configured with Default Gateway IP 192.168.2.100.
  3. For Proxy ARP configuration, see sk30197.
  4. Also see Configuring Cluster Addresses on Different Subnets.
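
The following Python check is an added example, not Check Point code or part of the original guide. It lints a planned addressing scheme against the rules in "Installing Cluster Members" (an IP address on every interface of every member, no IPv6 on synchronization interfaces, each network on its own segment) and "Configuring Routing for Client Computers" (clients use the cluster VIP as default gateway). The plan layout, member, synchronization and client addresses are constructed for illustration, and non-overlapping subnets are used only as a proxy for "separate VLAN or network segment".

```python
import ipaddress

# Constructed sample plan. Only the two VIPs and their networks come from the
# example topology; all other names and addresses are assumptions.
PLAN = {
    "vips": {"internal": "10.10.2.100/24", "external": "192.168.2.100/24"},
    "members": {
        "member1": {"internal": ["10.10.2.1/24"], "external": ["192.168.2.1/24"],
                    "sync": ["10.0.10.1/24"]},
        "member2": {"internal": ["10.10.2.2/24"], "external": ["192.168.2.2/24"],
                    "sync": ["10.0.10.2/24", "fd00::2/64"]},
    },
    "sync_networks": ["sync"],
    "clients": {"pc-int": ("10.10.2.50/24", "10.10.2.100"),
                "pc-ext": ("192.168.2.50/24", "192.168.2.1")},
}

def check_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    nets = {}  # network name -> set of IPv4 subnets seen on the members
    names = set().union(*(m.keys() for m in plan["members"].values()))
    for member, ifaces in plan["members"].items():
        for name in sorted(names):
            addrs = [ipaddress.ip_interface(a) for a in ifaces.get(name, [])]
            if not addrs:
                findings.append(f"{member}: no IP address defined on {name}")
            for a in addrs:
                if a.version == 6 and name in plan["sync_networks"]:
                    findings.append(f"{member}: IPv6 address {a} on sync interface {name}")
                elif a.version == 4:
                    nets.setdefault(name, set()).add(a.network)
    # Proxy for "separate VLAN or segment": subnets of different networks
    # must not overlap. VLAN separation itself must be checked on the switch.
    flat = sorted((n, name) for name, s in nets.items() for n in s)
    for i, (n1, name1) in enumerate(flat):
        for n2, name2 in flat[i + 1:]:
            if name1 != name2 and n1.overlaps(n2):
                findings.append(f"{name1} {n1} overlaps {name2} {n2}")
    # Clients must use the cluster VIP on their own network as default gateway.
    vips = [ipaddress.ip_interface(v) for v in plan["vips"].values()]
    for client, (addr, gw) in plan["clients"].items():
        net = ipaddress.ip_interface(addr).network
        want = [str(v.ip) for v in vips if v.network == net]
        if gw not in want:
            findings.append(f"{client}: default gateway {gw}, expected cluster VIP {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_plan(PLAN)))
```

With the constructed plan, the check reports the IPv6 address on member2's synchronization interface and the external client that points at a member's physical address instead of the cluster VIP.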