
High Availability

In This Section:

VRRP

Configuring Monitored Circuit/Simplified VRRP

Configuring Advanced VRRP

Troubleshooting VRRP

VRRP

Virtual Router Redundancy Protocol (VRRP) is a high-availability solution in which two Gaia Security Gateways provide backup for each other. Gaia offers two ways to configure VRRP: Monitored Circuit/Simplified VRRP and Advanced VRRP (see VRRP Configuration Methods).

Important - You cannot have a standalone deployment (Security Gateway and Security Management Server on the same computer) in a Gaia VRRP cluster.

Understanding VRRP

Virtual Router Redundancy Protocol (VRRP) provides dynamic failover of IP addresses from one router to another in the event of failure. This increases the availability and reliability of routing paths via gateway selections on an IP network. Each VRRP router has a unique identifier known as the Virtual Router Identifier (VRID), which is associated with at least one Virtual IP Address (VIP). Neighboring network nodes connect to the VIP as a next hop in a route or as a final destination. Gaia supports VRRP as defined in RFC 3768.

On Gaia, VRRP can be used with and without ClusterXL enabled.

With ClusterXL enabled, which is the most common use case, VRRP supports a maximum of one VRID with one Virtual IP Address (VIP) for each interface. In addition, only Active/Backup environments are supported. You must configure VRRP so that the same node is the VRRP Master for all VRIDs. Therefore, you must configure each VRID to monitor every other VRRP-enabled interface. You must also configure priority deltas that allow a failover to the VRRP Backup node when the VRID on any one interface fails over.

With ClusterXL disabled, Active/Active environments can be deployed. You can configure two VRIDs on the same interface, with one VIP for each VRID. Only Static Routes are supported on the VRRP interfaces. In addition, you must disable VRRP monitoring of the Check Point Firewall.

Terminology

The conceptual information and procedures in this chapter use standard VRRP terminology. This glossary contains basic VRRP terminology and a reference to related Check Point ClusterXL terms.

VRRP Term | ClusterXL Term | Definition
VRRP Cluster | Cluster | A group of Security Gateways that provides redundancy.
VRRP Router | Member | A Security Gateway that runs the VRRP protocol and is a member of one or more Virtual Routers. In this guide, a VRRP Router is commonly called a Security Gateway.
Master | Active | The Security Gateway that handles traffic to and from a Virtual Router. The Master is the Security Gateway with the highest priority in the group. The Master inspects traffic and enforces the security policy.
Backup | Standby | A redundant Security Gateway that is available to take over for the Master in the event of a failure.
VRID | Cluster name | Unique Virtual Router identifier. The VRID is also the last byte of the Virtual MAC address (VMAC).
VIP | Cluster IP address | Virtual IP address assigned to a Virtual Router. VIPs are routable from internal and/or external network resources. The VIP is called Backup Address in the Gaia Portal.
VMAC | VMAC | Virtual MAC address assigned to a Virtual Router.
VRRP Transition | Failover | Automatic changeover to a backup Security Gateway when the primary Security Gateway fails or is unavailable. The term 'failover' is used frequently in this guide.

VRRP Configuration Methods

You can configure VRRP using one of these methods:

Method: Monitored Circuit/Simplified VRRP

This method contains all of the basic parameters and is applicable for most environments. It makes a complete node failover possible by automatically monitoring all VRRP-enabled interfaces.

You can configure only one VRID, which is automatically added to all the VRRP interfaces.

If the VRID on any of the VRRP-enabled interfaces fails, the priority on the other VRRP-enabled interfaces is decremented by the configured priority delta, so that the VRRP Backup node can take over as the new VRRP Master.

To configure Monitored Circuit/Simplified VRRP in the Gaia Portal, click High Availability > VRRP.

Method: Advanced VRRP

This method allows configuration of different VRIDs on different interfaces.

With ClusterXL enabled, you must configure each VRID to monitor every other VRRP interface. You must also configure priority deltas that allow complete node failover.

Advanced VRRP also makes it possible for a VRID to monitor interfaces that do not run VRRP.

With ClusterXL disabled, Active/Active deployments are possible, and you can configure two VRIDs on each interface, with one VIP for each VRID.

To configure Advanced VRRP in the Gaia Portal, click High Availability > Advanced VRRP.

Note - You cannot use the Monitored Circuit/Simplified VRRP and Advanced VRRP types together on the same Cluster Member.

How VRRP Failover Works

Each Virtual Router (VRRP Group) is identified by a unique Virtual Router ID (VRID). A Virtual Router contains one VRRP Master Security Gateway and at least one VRRP Backup Security Gateway.

The VRRP Master sends periodic VRRP advertisements (known as VRRP Hello messages) to the VRRP Backups. VRRP advertisements are sent to the VRRP multicast group 224.0.0.18 (IP protocol 112) and carry the operational status of the VRRP Master, including its VRID and priority, to the VRRP Backups. RFC 3768 defines no cryptographic authentication for these advertisements, so only trusted devices may be attached to the segments that carry VRRP traffic. Gaia uses dynamic routing protocols to advertise the VIP of the Virtual Router (Virtual IP address or Backup IP address).

Notes:

If the VRRP Master fails, or one of its VRRP-enabled interfaces fails, VRRP uses a priority algorithm to decide whether failover to a VRRP Backup is necessary. Initially, the VRRP Master is the Security Gateway that has the highest defined priority value. You define a priority for each Security Gateway when you create a Virtual Router or change its configuration. If two Security Gateways have the same priority value, the one that comes online and sends its VRRP advertisements first becomes the VRRP Master.

Gaia also uses priorities to select a VRRP Backup Security Gateway upon failover (when there is more than one VRRP Backup available). When a monitored interface fails, the Virtual Router priority value is decreased by the predefined Priority Delta value to calculate an Effective Priority value. The Virtual Router with the highest effective priority becomes the new VRRP Master. The Priority Delta value is a Check Point proprietary parameter that you define when configuring a Virtual Router. If you configure your system correctly, the effective priority of the failed node is lower than the priority of the VRRP Backup Security Gateway in the other Virtual Routers. This causes the problematic VRRP Master to fail over for the other Virtual Routers as well.

Note - If the effective priority for the current VRRP Master and VRRP Backup are the same, the Security Gateway with the highest IP address becomes the VRRP Master.

Understanding VRRP

In Monitored Circuit/Simplified VRRP, you configure the Virtual Router as one unit. Monitored Circuit VRRP automatically monitors all VRRP interfaces. The same VRID is configured on all interfaces.

In Advanced VRRP, the VRID is configured on each interface individually. In addition, each VRRP-enabled interface must be monitored by each VRID, together with an appropriate priority delta. This ensures that when one interface fails, all the other VRIDs can transition to the VRRP Backup state.

The monitoring of all VRRP-enabled interfaces by all VRIDs is important to avoid connection issues with asymmetric routes. For example, if the external interface fails and is not monitored by the internal VRID, the VRRP Master fails over only for the external Virtual Router. The VRRP Master for the internal Virtual Router does not fail over. This causes connectivity problems, because the internal Virtual Router still accepts traffic but cannot reach the new external VRRP Master.

Another tool for avoiding asymmetric routing during transitions is the VRRP interface delay setting. Configure it when VRRP Preempt Mode is turned off. This global VRRP setting is useful when a VRRP node with a higher priority is rebooted but must not preempt the existing, lower-priority VRRP Master that handles the traffic. Sometimes, interfaces that come up take longer than the VRRP timeout to process incoming VRRP Hello packets. The interface delay extends the time that VRRP waits to receive VRRP Hello packets from the existing VRRP Master before the rebooted node assumes the VRRP Master role.
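The effective-priority election described in the notes above and the asymmetric-routing case discussed in this section, as an added example that is not code from the Gaia guide: a small Python model of a two-node cluster with ClusterXL enabled. The gateway names (gw1, gw2), interface names (eth0 external, eth1 internal), VRIDs 5 and 6, the priorities 100 and 95 and the priority deltas are assumptions constructed for illustration. It shows that without cross-monitoring an eth0 failure on gw1 moves only VRID 5 to gw2 (asymmetric routing), that cross-monitoring with a sufficient delta moves both VRIDs, that a delta too small to drop below the Backup's priority does not, and how the highest-IP tie-break and Preempt Mode off behave.

```python
"""Effective-priority model of Gaia VRRP failover (ClusterXL enabled).

Added example, not code from the Gaia guide. Gateway names, interfaces,
VRIDs, priorities and deltas below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VridConfig:
    interface: str                                   # interface this VRID runs on
    priority: int                                    # configured base priority
    monitored: dict = field(default_factory=dict)    # {other interface: priority delta}


@dataclass
class Gateway:
    name: str
    ip: str                                          # primary IP; used only as tie-breaker
    vrids: dict                                      # {vrid: VridConfig}
    down: set = field(default_factory=set)           # interfaces that have failed

    def effective_priority(self, vrid):
        """Base priority minus the delta of every failed monitored interface.
        None when the VRID's own interface is down (the VRID cannot run there).
        Clamped at 1: priority 0 is reserved by RFC 3768 for a Master that is
        giving up the VIP, so an oversized delta must not produce it."""
        cfg = self.vrids[vrid]
        if cfg.interface in self.down:
            return None
        penalty = sum(delta for ifc, delta in cfg.monitored.items() if ifc in self.down)
        return max(cfg.priority - penalty, 1)


def elect_master(gateways, vrid, current=None, preempt=True):
    """Return the name of the VRRP Master for `vrid`, or None if nobody can run it.

    Highest effective priority wins; equal priorities go to the highest primary
    IP address (the guide's note). With Preempt Mode off, an eligible current
    Master keeps the role even if another node now has a higher effective
    priority (the rebooted higher-priority node case).
    """
    eligible = [g for g in gateways if g.effective_priority(vrid) is not None]
    if not eligible:
        return None
    if not preempt and current in {g.name for g in eligible}:
        return current
    best = max(eligible, key=lambda g: (g.effective_priority(vrid),
                                        int(ipaddress.IPv4Address(g.ip))))
    return best.name


def two_node_cluster(cross_monitor, delta=10):
    """Constructed cluster: VRID 5 on eth0 (external), VRID 6 on eth1 (internal).
    gw1 is preferred (priority 100 vs 95). With cross_monitor, each VRID also
    monitors the other VRRP interface and subtracts `delta` when it fails."""
    def vrids(priority):
        return {
            5: VridConfig("eth0", priority, {"eth1": delta} if cross_monitor else {}),
            6: VridConfig("eth1", priority, {"eth0": delta} if cross_monitor else {}),
        }
    return [Gateway("gw1", "192.168.2.1", vrids(100)),
            Gateway("gw2", "192.168.2.2", vrids(95))]


def masters_after_failure(cross_monitor, delta=10, failed_on="gw1", failed_interface="eth0"):
    """Fail one interface on one node and report the Master of every VRID."""
    cluster = two_node_cluster(cross_monitor, delta)
    next(g for g in cluster if g.name == failed_on).down.add(failed_interface)
    return {vrid: elect_master(cluster, vrid) for vrid in (5, 6)}


if __name__ == "__main__":
    print("no cross-monitoring    :", masters_after_failure(False))       # {5: 'gw2', 6: 'gw1'}: asymmetric
    print("cross-monitor, delta 10:", masters_after_failure(True, 10))    # {5: 'gw2', 6: 'gw2'}: full node failover
    print("cross-monitor, delta 3 :", masters_after_failure(True, 3))     # {5: 'gw2', 6: 'gw1'}: delta too small
```

The third case is the configuration error the guide warns about: the delta must be large enough that the failed node's effective priority (100 - delta) drops below the Backup's priority (95) on every other Virtual Router, otherwise the node keeps the internal VRID and traffic is routed asymmetrically.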

Typical VRRP Use Cases

This section shows examples of typical VRRP environments.

Internal Network High Availability

This is a simple VRRP use case, where Security Gateway 1 is the VRRP Master, and Security Gateway 2 is the VRRP Backup. Virtual Router redundancy is available only for connections to and from the internal network. There is no redundancy for external network traffic.

Item | Description
1 | VRRP Master Security Gateway
2 | VRRP Backup Security Gateway
3 | Virtual Router VRID 5 - Virtual IP Address (Backup Address) is 192.168.2.5
4 | Internal network and hosts

Internal and External Network High Availability

This use case shows an example of an environment with redundancy for both internal and external connections. Here, the Virtual Router on the two Security Gateways covers both the internal and the external connections. The internal and external interfaces must be on different subnets. Define one Security Gateway as the VRRP Master and the other Security Gateway as the VRRP Backup.

Item | Description
1 | Virtual Router VRID 5 - External Virtual IP Address (Backup Address) is 192.168.2.5
2 | VRRP Master Security Gateway
3 | VRRP Backup Security Gateway
4 | Virtual Router VRID 5 - Internal Virtual IP Address (Backup Address) is 192.168.3.5
5 | Internal network and hosts

Internal Network Load Sharing

This use case shows an example of an Active/Active Load Sharing environment for internal network traffic. This environment gives load balancing, as well as full redundancy.

This configuration is supported with ClusterXL disabled. Only Static Routes are supported. The monitoring of the Check Point Firewall by VRRP must be disabled (it is enabled by default). A maximum of two VRIDs is supported per interface.

Security Gateway 1 is the VRRP Master for VRID 5, and Security Gateway 2 is the VRRP Backup.

Security Gateway 2 is the VRRP Master for VRID 7, and Security Gateway 1 is the VRRP Backup.

The two Security Gateways are configured to back each other up. If one fails, the other takes over its VRID and IP addresses.

Item | Description
1 | VRRP Master Security Gateway for VRID 5 and VRRP Backup for VRID 7
2 | VRRP Backup Security Gateway for VRID 5 and VRRP Master for VRID 7
3 | Virtual Router VRID 5 - Virtual IP Address (Backup Address) is 192.168.2.5
4 | Virtual Router VRID 7 - Virtual IP Address (Backup Address) is 192.168.2.7
5 | Internal network and hosts