Print Download PDF Send Feedback

Previous

Next

Configuring the CCP Encryption on the Cluster Members

Introduction

From R80.30, you can configure the Cluster Members to encrypt the Cluster Control Protocol (CCP) traffic they send to each other.

The CCP Encryption introduces new cluster security layer by encrypting the payload of all CCP packets. This eliminates the need to provide a trusted network for the State Synchronization (Delta Sync) traffic.

The CCP Encryption provides secure cluster communication over Layer 3 networks. ClusterXL encrypts the payload of CCP packets (header remains clear) using AES-GCM for efficient authenticated encryption and minimal CPU performance impact.

Notes:

Syntax

These commands apply only to the Cluster Member, on which you run them.

In Gaia Clish:

Command

Description

show cluster members ccpenc

Shows the CCP Encryption mode.

set cluster member ccpenc {on | off}

Enables (on) and Disables (off) the CCP Encryption.

In Expert mode:

Command

Description

cphaprob ccp_encrypt

Shows the CCP Encryption mode.

cphaprob ccp_encrypt_key

Shows the CCP Encryption Key and how it was configured - manually, or automatically.

cphaconf ccp_encrypt {on | off}

Enables (on) and Disables (off) the CCP Encryption.

cphaconf ccp_encrypt_key <Key String>

Configures the CCP Encryption Key.

For SHA-256, the key must be a string 32 characters long.

For SHA-128, the key must be a string 16 characters long.

Note - Use this command for debug purposes only.

Enabling the CCP Encryption

To enable the CCP Encryption on each Cluster Member:

Step

Description

1

Connect to the command line.

2

Examine the cluster state and the failover counter:

  • In Gaia Clish:

    show cluster state

  • In Expert mode:

    cphaprob state

3

Examine the CCP Encryption state (by default, it is OFF):

  • In Gaia Clish:

    show cluster members ccpenc

  • In Expert mode:

    cphaprob ccp_encrypt

4

Enable the CCP Encryption:

  • In Gaia Clish:

    set cluster member ccpenc on

    save config

  • In Expert mode:

    cphaconf ccp_encrypt on

5

Examine the CCP Encryption state again (must be ON):

  • In Gaia Clish:

    show cluster members ccpenc

  • In Expert mode:

    cphaprob ccp_encrypt

6

Examine the cluster state and the failover counter again:

Note - There should be no change in the output from Step 2.

  • In Gaia Clish:

    show cluster state

  • In Expert mode:

    cphaprob state

7

Examine the CCP Encryption Key:

Note - The key must be the same on all Cluster Members.

  • In Gaia Clish:

    show cluster state

  • In Expert mode:

    cphaprob ccp_encrypt_key

8

In SmartConsole, install the Access Control Policy on the cluster object.

Make sure to install the policy on all Cluster Members at the same time:

  1. Click Install Policy.

    The Install Policy window opens.

  2. In the Policy field, select the applicable Access Control Policy.
  3. In the Install Mode section, select these two options:
    • Install on each selected gateway independently.
    • For gateway clusters, if installation on a cluster member fails, do not install on that cluster.
  4. Click Install.

9

Examine the CCP Encryption Key again:

Note - The key must change and must be the same on all Cluster Members.

  • In Gaia Clish:

    show cluster state

  • In Expert mode:

    cphaprob ccp_encrypt_key

10

Examine the cluster state and the failover counter again:

Note - There should be no change in the output from Step 2.

  • In Gaia Clish:

    show cluster state

  • In Expert mode:

    cphaprob state

Example:

[Expert@MyClusterMemberA:0]# cphaprob state

... ...

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaprob ccp_encrypt

OFF

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaconf ccp_encrypt on

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaprob ccp_encrypt

ON

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaprob state

... ...

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaprob ccp_encrypt_key

[Mon Feb 11 17:20:43 2019] SHA-256 1234567812345678123456781234567812345678123456781234567812345678 set automatically

[Expert@MyClusterMemberA:0]#

 

Install Policy

 

[Expert@MyClusterMemberA:0]# cphaprob ccp_encrypt_key

[Mon Feb 11 17:25:14 2019] SHA-256 8765432187654321876543218765432187654321876543218765432187654321 set automatically

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaprob state

... ...

[Expert@MyClusterMemberA:0]#

Disabling the CCP Encryption

To disable the CCP Encryption on each Cluster Member:

Step

Description

1

Connect to the command line.

2

Examine the cluster state and the failover counter:

  • In Gaia Clish:

    show cluster state

  • In Expert mode:

    cphaprob state

3

Examine the CCP Encryption state (must be ON):

  • In Gaia Clish:

    show cluster members ccpenc

  • In Expert mode:

    cphaprob ccp_encrypt

4

Disable the CCP Encryption:

  • In Gaia Clish:

    set cluster member ccpenc off

    save config

  • In Expert mode:

    cphaconf ccp_encrypt off

5

Examine the CCP Encryption state again (must be OFF):

  • In Gaia Clish:

    show cluster members ccpenc

  • In Expert mode:

    cphaprob ccp_encrypt

6

Examine the cluster state and the failover counter again:

Note - There should be no change in the output from Step 2.

  • In Gaia Clish:

    show cluster state

  • In Expert mode:

    cphaprob state

Example:

[Expert@MyClusterMemberA:0]# cphaprob state

... ...

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaprob ccp_encrypt

ON

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaconf ccp_encrypt off

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaprob ccp_encrypt

OFF

[Expert@MyClusterMemberA:0]#

 

[Expert@MyClusterMemberA:0]# cphaprob state

... ...

[Expert@MyClusterMemberA:0]#

Troubleshooting

Symptom

Description

Next Step

Cluster Member fails to enable the CCP Encryption:

CCP Encryption key has not been configured, cannot turn on encryption

The encryption key is not configured.

Do one of these:

  • Run the cphastart command on the Cluster Member
  • In SmartConsole, install the Access Control Policy on all Cluster Members at the same time.

    In the Install Policy window, select these two options:

    • Install on each selected gateway independently.
    • For gateway clusters, if installation on a cluster member fails, do not install on that cluster.

All Cluster Members are in the ACTIVE state.

Each Cluster Member might have a different encryption key.

Update the encryption key:

  1. Disable the CCP Encryption on each Cluster Member.
  2. Examine the cluster state on each Cluster Member.
  3. In SmartConsole, install the Access Control Policy on the cluster
  4. Enable the CCP Encryption on each Cluster Member.

State of Cluster Members is not stable.

Decryption of CCP packets fails.

Examine the Encryption Key on each Cluster Member.

  • If the Encryption Key is not the same on all Cluster Members, then update the encryption key as described above.
  • If the Encryption Key is the same on all Cluster Members, then these CCP packets are not authentic.

In case of CCP encryption failure or authentication failure:

Examine the /var/log/messages files on the Cluster Member for decryption status logs.

To debug the Encryption Key replacement mechanism, run this kernel debug on the Cluster Members during policy installation:

fw ctl zdebug -m cluster + conf

To see the CCP Encryption mechanism in action, run this kernel debug on the Cluster Member:

fw ctl set int fwha_dprint_io 1

fw ctl zdebug -m cluster + ccp

15 March 2020
Was this helpful?
Incorrect information Not what I'm looking for Too much information Confusing information
© 2020 Check Point Software Technologies Ltd. All rights reserved.