Preparing a VRRP Cluster

Do these steps before you start to define a Virtual Router (VRRP Group):

Step	Description
1	Synchronize the system time on all Security Gateways to be included in this Virtual Router. Best Practice - We recommend that you enable NTP (Network Time Protocol) on all Security Gateways. You can also manually change the time and time zone on each Security Gateway to match the other members. In this case, you must synchronize member times to within a few seconds.
2	Optional: Add host names and IP address pairs to the host table on each Security Gateway. This lets you use host names as an alternative to IP addresses or DNS servers.

Step

Description

Synchronize the system time on all Security Gateways to be included in this Virtual Router.

Best Practice - We recommend that you enable NTP (Network Time Protocol) on all Security Gateways.

You can also manually change the time and time zone on each Security Gateway to match the other members.
In this case, you must synchronize member times to within a few seconds.

Optional: Add host names and IP address pairs to the host table on each Security Gateway.

This lets you use host names as an alternative to IP addresses or DNS servers.

Configuring Network Switches

Best Practice - If you use the Spanning Tree protocol on Cisco switches connected to Check Point VRRP clusters, we recommend that you enable PortFast. PortFast sets interfaces to the Spanning Tree forwarding state, which prevents them from waiting for the standard forward-time interval.

If you use switches from a different vendor, we recommend that you use the equivalent feature for that vendor. If you use the Spanning Tree protocol without PortFast, or its equivalent, you may see delays during VRRP failover.

Enabling Virtual Routers

When you log into Gaia for the first time after installation, you must use the First Time Configuration Wizard to the initial configuration steps. To use VRRP Virtual Routers (clusters), you must first enable VRRP clustering in the First Time Configuration Wizard.

To enable VRRP clustering:

Install Gaia using the instructions in the R80.30 Installation and Upgrade Guide
On the First Time Configuration Wizard Products page, select Security Gateway.
Do not select Security Management. The standalone environment (Security Gateway and Security Management Server) is not supported for VRRP.
Select Unit is part of a cluster.
Select VRRP Cluster from the list.
Continue with the next steps in the wizard.
When prompted to reboot the Security Gateway, click Cancel.
Do not reboot.
Do one of these steps:
- Run cpconfig on the Security Gateway. Select Enable cluster membership for this gateway to enable Firewall synchronization.
  Note - This is the most common use and does not support active/active mode. You must configure VRRP so that the same cluster member is the VRRP master on all interfaces. Dynamic routing configuration must match on each cluster member.
  
  OR:
- Do not enable ClusterXL.
  Note - This is useful when each cluster member is required to be the VRRP master at the same time. You can configure two VRRP Virtual Routers on the same interface. Each cluster member can be the VRRP master for a different VRID on the same interface while it backs up the other. This configuration can also help run VRRP in a High-Availability pair with a device from another vendor. Disable the VRRP monitoring of the Firewall when you use this configuration. It is enabled by default but not supported with this configuration. Also, only Static Routes are supported with this configuration.
Enter y when prompted.
Reboot the Security Gateway.

Do this procedure for each Virtual Router member.

When you complete this procedure for each VRRP member, do these steps in the Gaia Portal:

In the navigation tree, click High Availability > VRRP.
Refer to the VRRP Global Settings section.
If the Disable All Virtual Routers option is currently selected, clear it.
Click Apply Global Settings.

When you complete these procedures, define your Virtual Routers using the Gaia Portal or the Gaia Clish.

Configuring Global Settings for VRRP

This section includes shows you how to configure the global settings. Global settings apply to all Virtual Routers.

Configure these VRRP global settings:

Step	Description
1	In the navigation tree, click one of these: High Availability > VRRP. High Availability >Advanced VRRP.
2	In the VRRP Global Settings section: Cold Start Delay - Configures the delay period in seconds before a Security Gateway joins a Virtual Router. Default = 0. Interface Delay - Configure this when the Preempt Mode of VRRP was turned off. This is useful when the VRRP node with a higher priority is rebooted, but must not preempt the existing VRRP Master that is handling the traffic, but is configured with a lower priority. Sometimes interfaces that come up take longer than the VRRP timeout to process incoming VRRP Hello packets. The Interface Delay extends the time that VRRP waits to receive Hello packets from the existing VRRP Master. Disable All Virtual Routers - Select this option to disable all Virtual Routers defined on this Gaia system. Clear this option to enable all Virtual Routers. By default, all Virtual Routers are enabled. Monitor Firewall State - Select this option to let VRRP monitor the Security Gateway and automatically take appropriate action. This is enabled by default, which is the recommended setting when using VRRP with ClusterXL enabled. This must be disabled when using VRRP with ClusterXL disabled. Important - If you disable Monitor Firewall State, VRRP can assign VRRP Master status to a Security Gateway before it completes the boot process. This can cause more than one Security Gateway in a Virtual Router to have VRRP Master status.
3	Click Apply Global Settings.

Step

Description

In the navigation tree, click one of these:

High Availability > VRRP.
High Availability >Advanced VRRP.

In the VRRP Global Settings section:

Cold Start Delay - Configures the delay period in seconds before a Security Gateway joins a Virtual Router. Default = 0.
Interface Delay - Configure this when the Preempt Mode of VRRP was turned off. This is useful when the VRRP node with a higher priority is rebooted, but must not preempt the existing VRRP Master that is handling the traffic, but is configured with a lower priority. Sometimes interfaces that come up take longer than the VRRP timeout to process incoming VRRP Hello packets. The Interface Delay extends the time that VRRP waits to receive Hello packets from the existing VRRP Master.
Disable All Virtual Routers - Select this option to disable all Virtual Routers defined on this Gaia system. Clear this option to enable all Virtual Routers. By default, all Virtual Routers are enabled.
Monitor Firewall State - Select this option to let VRRP monitor the Security Gateway and automatically take appropriate action. This is enabled by default, which is the recommended setting when using VRRP with ClusterXL enabled. This must be disabled when using VRRP with ClusterXL disabled.
Important - If you disable Monitor Firewall State, VRRP can assign VRRP Master status to a Security Gateway before it completes the boot process. This can cause more than one Security Gateway in a Virtual Router to have VRRP Master status.

Click Apply Global Settings.

Configuration Notes:

Gaia starts to monitor the firewall after the cold start delay completes. This can cause some problems:

If all the Security Gateway (member) interfaces in a Virtual Router fail, all Security Gateways become VRRP Backups. None of the Security Gateways can become the VRRP Master and no traffic is allowed.
If you change the time on any of the Security Gateways (member), a failover occurs automatically.
In certain situations, installing a firewall policy causes a failover. This can happen if it takes a long time to install the policy.

Configuring Monitored Circuit/Simplified VRRP - Gaia Portal

This section includes the basic procedure for configuring a Virtual Router using the Gaia Portal.

To add a new Virtual Router:

Step	Description
1	In the navigation tree, click High Availability > VRRP.
2	Configure the VRRP Global Settings.
3	In the Virtual Routers section, click Add.
4	In the Add Virtual Router window, configure these parameters: Virtual Router ID - Enter a unique ID number for this virtual router. The range of valid values is 1 to 255. Priority - Enter the priority value, which selects the Security Gateway that takes over in the event of a failure. The Security Gateway with the highest available priority becomes the new VRRP Master. The range of valid values 1 to 254. The default value is 100. Hello Interval - Optional. Enter or select the number of seconds, after which the VRRP Master sends its VRRP advertisements. The valid range is between 1 (default) and 255 seconds. All VRRP routers on a Security Gateways must be configured with the same hello interval. Otherwise, more than one Security Gateway can be in the VRRP Master state. The Hello interval also defines the failover interval (the time a VRRP Backup router waits to hear from the existing VRRP Master before it takes on the VRRP Master role). The value of the failover interval is three times the value of the Hello interval (default - 3 seconds). Authentication: None - To disable authentication of VRRP packets Simple - To authenticate VRRP packets using a plain-text password You must use the same authentication method for all Security Gateways in a Virtual Router. Priority Delta - Enter the value to subtract from the Priority to create an effective priority when an interface fails. The range is 1-254. If an interface fails on the VRRP Backup, the value of the priority delta is subtracted from its priority. This gives a higher effective priority to another Security Gateway member. If the effective priority of the current VRRP Master is less than that of the VRRP Backup, the VRRP Backup becomes the VRRP Master for this Virtual Router. If the effective priority for the current VRRP Master and VRRP Backup are the same, the gateway with the highest IP address becomes the VRRP Master. Auto-deactivation - When an interface is reported as DOWN, a cluster member's Priority value is reduced by the configured Priority Delta amount. If another cluster member exists with a higher Priority, it will then take over as VRRP Master to heal the network. By default, some cluster member will be elected as VRRP Master, even if all cluster members have issues and are reporting a Priority of zero. The auto-deactivation option can be enabled to change this behavior and ensure that no cluster member is elected as VRRP Master, if all cluster members have a Priority of zero. When this option is enabled, Priority Delta should be set equal to the Priority value, so that Priority will become zero, if an interface goes down.
5	In the Backup Addresses section, click Add. Configure these parameters in the Add Backup Address window: IPv4 address - Enter the interface IPv4 address. VMAC Mode - For each Virtual Router, a Virtual MAC (VMAC) address is assigned to the Virtual IP address. The VMAC address is included in all VRRP packets as the source MAC address. The physical MAC address is not used. Select one of these Virtual MAC modes: VRRP - Sets the VMAC to use the standard VRRP protocol. It is automatically set to the same value on all Security Gateways in the Virtual Router. This is the default setting. Interface - Sets the VMAC to the local interface MAC address. If you define this mode for the VRRP Master and the VRRP Backup, the VMAC is different for each. VRRP IP addresses are related to different VMACs. This is because they are dependent on the physical interface MAC address of the currently defined VRRP Master. Note - If you configure different VMACs on the VRRP Master and VRRP Backup, you must make sure that you select the correct proxy ARP setting for NAT. Static - Manually set the VMAC address. Enter the VMAC address in the applicable field. Extended - Gaia dynamically calculates and adds three bytes to the interface MAC address to generate VMAC address that is more random. If you select this mode, Gaia constructs the same MAC address for VRRP Master and VRRP Backups in the Virtual Router. Note - If you set the VMAC mode to Interface or Static, syslog error messages show when you restart the computer, or during VRRP failover. This is caused by duplicate IP addresses for the VRRP Master and VRRP Backup. This is expected behavior because the VRRP Master and VRRP Backups temporarily use the same Virtual IP address until they get to the VRRP Master and VRRP Backup statuses. Click OK. The new VMAC mode shows in the in the Backup Address table.
6	To remove a Backup Address, select an address and click Delete. The address is removed from the Backup Address table.
7	Click Save.

Configuring the VRRP Security Gateway Cluster in SmartConsole

From the Networks Objects tree, select Check Point > Security Cluster > Check Point appliance/ Open Server.
The Security Gateway Cluster Creation window opens
Choose Wizard Mode.
Define the:
- Cluster Name
- Cluster IPv4 Address
- For an IPv6 cluster: Cluster IPv6 Address
Choose the Cluster's Solution: Gaia VRRP.
Click Finish.

Configuring VRRP Rules for the Security Gateway

Define this rule above the Stealth Rule in the Rule Base:

Source

Destination

VPN

Services &
Applications

Action

Firewalls (Group)
fwcluster-object

mcast-224.0.0.1

Any

vrrp
igmp

accept

Where:
- Firewalls -Simple Group object containing the firewall objects.
- fwcluster-object - the VRRP cluster object.
- mcast-224.0.0.18 - Node Host object with the IP address 224.0.0.18.
If your Security Gateways use dynamic routing protocols (such as OSPF or RIP), create new rules for each multicast destination IP address.
Alternatively, you can create a Network object to show all multicast network IP destinations with these values:
- Name: MCAST.NET
- IP: 224.0.0.0
- Net mask: 240.0.0.0
You can use one rule for all multicast protocols you agree to accept, as shown in this example:

Source

Destination

VPN

Services &
Applications

Action

All Cluster
IP addresses

fwcluster-object

MCAST.NET

Any

vrrp
igmp
ospf
rip

accept

To Learn More About Maximizing Network Performance

To learn more about maximizing network performance and redundancy, see:

CoreXL, SecureXL and Multi-Queue - R80.30 Performance Tuning Administration Guide
ClusterXL - R80.30 ClusterXL Administration Guide
VRRP, including Advanced VRRP - R80.30 Gaia Administration Guide

Source	Destination	VPN	Services & Applications	Action
Firewalls (Group) fwcluster-object	`mcast-224.0.0.1`	`Any`	`vrrp` `igmp`	`accept`