SmartLSM Clusters

In This Section: Overview Creating a SmartLSM Security Cluster Profile Configuring SmartLSM Cluster Objects in SmartProvisioning Creating a SmartLSM Small Office Appliance Cluster UTM-1 Edge Clusters Pushing a Policy in SmartProvisioning Activating a SmartLSM Cluster with QoS

Overview

A SmartLSM Cluster is a logical entity that provides high-availability connectivity with at least two devices. Each device serves as an entry point to the same network. In a SmartLSM Cluster, there is no state synchronization between the devices: if the active SmartLSM Cluster member becomes unavailable, users are not automatically connected to another member. The party that initiated the communication must actively intervene to reconnect the users.

To create a SmartLSM Cluster, you need at least two SmartLSM Security Gateways. A gateway can participate in only one SmartLSM Cluster at a time.

To create and configure SmartLSM clusters (except UTM-1 Edge clusters), do these steps:

1. Create a SmartLSM Security Cluster Profile in SmartConsole. Profiles set common parameters and policies for SmartLSM clusters which are created with that profile.
2. Create a SmartLSM cluster object in SmartProvisioning. In the Security Profile field, select the Profile that you created in step 1.
3. Push Policy to the SmartLSM cluster object.

Creating a SmartLSM Security Cluster Profile

When you make a new SmartLSM cluster profile, define prefixes and suffixes for the profile name to form the full cluster name. This makes it easy to identify which SmartLSM profile is assigned to a cluster.

You define these common parameters in a SmartLSM cluster Security Profile:

• Cluster members.
• Cluster member physical interfaces.
• Interface network objective (Cluster, Sync and so on).
• Cluster interface names.
• Cluster and member interface IP addresses and net masks.
• When you create a SmartLSM cluster Security Profile, define complete IP addresses. These addresses are placeholders and you can override them when you create SmartLSM cluster objects in SmartProvisioning.

• Cluster and member name components - Use a common component for the cluster and cluster member names, and another component, to reflect the relative function in the cluster. The common component is in the Profile. The other component is defined in SmartProvisioning for the specific cluster, as a prefix or a suffix to the common component. For example, you can have two two-member clusters, named First_cluster and Second_cluster. You can then name the respective members First_member1, First_member2, Second_member1 and Second_member2. In this example, you define the names _cluster, _member1 and _member2 at the Profile level. Then, when you define individual clusters, you need to define only the names First and Second as name prefixes.

You can manage SmartProvisioning Clusters by a Security Management Server or by a Domain Management Server.

Note - SmartProvisioning is not available for the members of a SmartProvisioning cluster, even if the member gateway runs the SecurePlatform OS.

To create a SmartLSM Security Cluster Profile:

1. In SmartConsole, go to the Objects bar and select New > More > LSM Profile.
2. Select the cluster:
   • Check Point Appliance/Open Server Cluster
   • Small Office Appliance Cluster

   The Cluster Profile window opens.

3. On the General Properties page, do these steps:
   1. Enter the profile Name.
      The profile name becomes the middle section of all SmartLSM cluster names that you define with this profile.
   2. If your clusters use a third-party clustering platform (such as IPSO or Crossbeam), in the Network Security tab, clear ClusterXL.

      Note - When you use third party cluster platforms, create a different SmartLSM Profile for each platform type.

   3. In the Network Security tab, make sure that IPSec VPN is selected, if clusters which use this profile are part of a VPN community.
4. On the Cluster Members page, add members to the Profile. These member names become the middle section of all member names defined with this Profile.
5. Configure the applicable parameters on the ClusterXL or 3rd Party Configuration page.
6. On the Topology page, click Edit Topology.
7. Double-click the New Object column to configure each interface.

   Use these guidelines:

   • Make sure that the number of interfaces and their network objectives match those of the physical SmartLSM clusters.
   • For interfaces with Private or Sync network objectives, do not enter information in the Cluster column.
   • Every SmartLSM cluster mapped to this Profile retains the host parts (by net mask) of the member IP addresses, and the name of the cluster (virtual) interface.
     • The network parts of the members’ IP addresses and the entire cluster IP addresses are only used as a template here. You define the relevant network for each interface of each SmartLSM Security Gateway later in SmartProvisioning.
     • Make sure that the host ID for the external interface of the SmartLSM cluster profile is the same as the external interface of the cluster.
   • The network parts of the members IP addresses must be identical for the same interface name, even though they are only place holders.
   • Profile member interface names can be overridden for the actual SmartLSM cluster. However, they are usually the same for all clusters (eth0, eth1 and so on), so it is convenient to use the actual names here as well.
8. In the Fetch Policy page:
   • In a High Availability environment, click Add > the Add Masters window opens. From the Available Management Stations column, select all servers and click Add. Then click OK.
   • Optional: Change the Fetch Policy interval and select a Scheduled Event or create a new one.
9. Configure other parameters as required. You define VPN domains for cluster objects using SmartProvisioning.
10. Click OK to confirm the settings, and save the Policy Package.
11. Install policies to the cluster Profile.

Configuring SmartLSM Cluster Objects in SmartProvisioning

Before you define a SmartLSM cluster in SmartProvisioning, you must have an applicable SmartLSM Cluster Security Profile in SmartConsole. Use SmartProvisioning to create and configure a SmartLSM cluster.

Note - Alternatively, you can use LSMcli commands (possibly, in a script) to define SmartLSM clusters, for example AddROBO VPN1Cluster”. The LSMcli commands enable you to replace a part of Profile names, which is not possible when you use the SmartProvisioning interface.

To define a SmartLSM Cluster object in SmartProvisioning:

1. From the File menu, select New > Check Point Appliance/Open Server SmartLSM Cluster.
2. Enter a Cluster Name Prefix or Suffix or both to add to the cluster Profile and member names.
3. Enter the Cluster Main IP Address, and click Next.
4. Select the SmartLSM Cluster Version and the SmartLSM Security Cluster Profile. Click Next.
5. Verify the resulting names, and click Next.

   The More Information window opens. This window shows the interface topology defined on the Cluster Profile object in SmartConsole. The profile topology includes generic (template) IPs for any SmartLSM Cluster mapped to this profile. You can override the IP addresses in the list with new values for a specific SmartLSM Cluster.

6. Select each interface and Edit it.

   The settings here override Profile settings.

7. For each interface, define:
   • The Members’ Network Override address (usually the same for all interfaces).
   • Members’ interface Name Override (must match the name defined in the operating system)
   • The Cluster IP Address and Net Mask.

   For fields left empty, the values are taken from the Profile. You can define the overrides later on by editing the cluster object. You can also edit the cluster object to override interface topology.

8. Click Next.
9. Select each member, and Initialize SIC communication. The Communication window opens. SIC is initialized only when you complete the wizard.

   Note - Alternatively, you can do this later - edit the member object and, in the General tab, click Communication.

10. Click Next.

    The Finished SmartLSM Security Cluster Wizard window opens.

    1. To create a VPN certificate for the cluster, select this option.

       The certificate is created only when you complete the wizard. You can later create VPN certificates for the individual cluster members - edit the member object and, in the VPN tab, click Generate.

    2. To configure additional cluster options (such as VPN settings or Dynamic Objects) after the SmartLSM cluster object is created, select this option and click Finish.

    SmartProvisioning creates the SmartLSM Cluster object and its members.

    Note - After a SmartLSM Cluster is defined and mapped to a Profile, do not add or remove a member or an interface. Do not change a cluster (virtual) interface name.

11. To retrieve the policy for the first time, from the command line of each SmartLSM Cluster member, run:

    fw fetch_robo -n -f

Note - To edit the cluster properties, double-click the cluster object. To edit the properties of a cluster member, you can double-click the member object or go to the Cluster tab in the cluster properties window.

Creating a SmartLSM Small Office Appliance Cluster

Make sure you have a SmartLSM cluster Security Profile defined in SmartConsole before you create a Small Office Appliance cluster in SmartProvisioning.

To create a new SmartLSM Small Office Appliance Cluster:

1. In the navigation tree, click Devices.
2. From the Launch Menu, select File > New > Small Office Appliance Cluster.

   The SmartLSM Security Cluster General Properties page opens.

3. Enter a unique Cluster Name Prefix (Suffix is optional).

   The SmartLSM Security Cluster name is:
   <prefix>cluster<suffix>.

4. In Cluster Main IP Address, enter the real external virtual IP address for your actual gateway cluster.
5. Click Next.
6. Configure these settings:
   1. Hardware - Select the gateway hardware version.
   2. Version - Select the firmware version for the device.
   3. Security Profile - Select the SmartLSM Cluster Profile that was created in SmartConsole.
   4. Provisioning - Select Enable Provisioning to enable the management of this gateway by provisioning configurations:
   • No Provisioning Profile - Select to enable provisioning but not yet assign a specific profile.
   • Provisioning Profile - Select to assign to this gateway from the drop-down list.
7. Click Next

   The Cluster Names page opens.

   The names of the cluster members are shown with the configured prefix.

8. Click Next.

   The More Information page opens.

9. Click Edit to override the settings of the template topology on each of the interfaces. For example, select WAN and click Edit.

   The interface's window opens:

   1. In IP Address Override, enter the actual network IP address to override the template Network address.
   2. Click OK and do this procedure again for all the interfaces.
   3. Click Next.
10. Select a member and click Initialize:
    1. Enter the trusted communication (SIC) details and click OK.
    2. Do this again for the second member.
    3. Click Next.
11. Select how to create a VPN certificate:
    • For a VPN certificate from the Internal Check Point CA, select I wish to create a VPN Certificate from the Internal CA.
    • For a VPN certificate from a third party CA (for example, if your organization already has certificates from an external CA for other devices), clear this checkbox and request the certificate from the appropriate CA server.
12. Select Edit SmartLSM cluster properties after creation to work with the newly created object
13. Click Finish.

After the wizard finishes, the SIC initialization takes a few minutes to complete. When it completes, you can see the cluster object and its two members. Double-click the cluster object to see that the topology is configured with the actual addresses.

On each Small Office Appliance, open the WebUI Home > Security Management page and click Fetch Policy to manually pull the policy immediately. Alternatively, the appliance connects to the Security Management Server at predefined periodic intervals to pull the policy.

UTM-1 Edge Clusters

UTM-1 Edge clusters are configured differently than other SmartLSM clusters. There is no option to create a Cluster Security Profile in SmartConsole or a Cluster object in SmartProvisioning. Instead, you assign the Security Policy to each device separately and activate the Cluster on each device separately.

In a UTM-1 Edge cluster there are only two UTM-1 Edge devices.

To create a UTM-1 Edge cluster:

1. Create an SmartLSM UTM-1 Edge Security Profile in SmartConsole.
2. In SmartProvisioning, create the UTM-1 Edge gateways to be in the cluster.

   Note - In the Security Profile field, select the SmartLSM UTM-1 Edge Security Profile you created in step 1.

3. Push Policy to the SmartLSM cluster object.

VRRP Configuration Prerequisites for UTM-1 Edge clusters

To create a topology in which two UTM-1 Edge SmartLSM Security Gateways serve as entry points to the same network, you must configure a mechanism such as VRRP clustering for that network. This configuration handles the routing in situations where only one of the gateways is available, as well as in situations where both of the gateways are available.

• The internal (LAN) interfaces of both devices are configured with different IP addresses.
• Both the interfaces need to have a third, shared IP address, to be utilized by the member, designated as the VRRP master (the VRRP master designates which UTM-1 Edge cluster member is active).
• The external interfaces of both devices must have different IP addresses.
• The VPN domains of both gateways must be the same.

The Corporate Office (CO) gateway recognizes that the two UTM-1 Edge SmartLSM Security Gateways in any UTM-1 Edge cluster represent entry points to the same network. When the CO gateway initiates communication with that network, it communicates with the UTM-1 Edge cluster member that last communicated with the CO gateway (the CO gateway may recognize several UTM-1 Edge clusters, on different networks).

Creating UTM-1 Edge Cluster Objects in SmartProvisioning

To create a UTM-1 Edge cluster object:

1. In SmartProvisioning, right-click a UTM-1 Edge SmartLSM Security Gateway to designate as a member of the UTM-1 Edge cluster.
2. Select Actions > Define UTM-1 Edge cluster.
3. Make sure that the gateway name displayed in the First Member field is the gateway that is the primary gateway of the UTM-1 Edge cluster. If it is not, click Find to select another gateway.
4. In the Search for field, enter the name of the gateway that you want to add to the cluster and click Find.

   The Search SmartLSM Security Gateway window shows the list of available UTM-1 Edge SmartLSM Security Gateways.

5. Select the required gateway and click OK.
6. In the Define UTM-1 Edge cluster window, in the Second Member field, click Find and select the second member of the UTM-1 Edge cluster.
7. Click OK.

Viewing UTM-1 Edge Cluster Pairs

To see if the gateway participates in a UTM-1 Edge cluster:

1. From SmartProvisioning, open the UTM-1 Edge SmartLSM Security Gateway window.
2. Click the Details tab.

Deleting or Changing UTM-1 Edge Clusters

To change one member of a UTM-1 Edge cluster, you must first delete the UTM-1 Edge cluster and then create the new one.

To delete a UTM-1 Edge cluster:

From SmartProvisioning, right-click a gateway in the pair and select Actions > Remove UTM-1 Edge cluster.

Pushing a Policy in SmartProvisioning

In the general SmartLSM system, you can manually push a policy to a SmartLSM gateway. For a SmartLSM cluster, push the policy to the cluster object. All the cluster members will receive the policy.

To push a policy to a SmartLSM cluster:

1. Right-click the SmartLSM cluster object in the Device pane of the SmartLSM GUI client.
2. Select Actions > Push Policy.

   You can also push a policy with the command line interface.

Activating a SmartLSM Cluster with QoS

To activate a SmartLSM cluster with QoS:

1. In SmartConsole, create a SmartLSM Cluster profile.
2. On the SmartLSM Cluster Profile > General Properties page, select QoS.
3. On the Topology page, click Edit.
4. Double-click the QoS cluster interface.

   The Interface Properties window opens.

5. On the QoS tab, confhffigure:
   • Inbound and Outbound bandwidth allocation
   • DiffServ and Low Latency classes
6. Go to Security Policies > Access Control > QoS, open SmartDashboard, and in the QoS tab define QoS policy.
7. Install the QoS policy on the SmartLSM profile.

For more information on how to configure QoS, see the R80.30 QoS Administration Guide.

In SmartProvisioning:

1. Right-click the SmartLSM Cluster object.
2. Select Actions > Push Policy.

   Note - These steps are not mandatory. Gateways periodically fetch their policies from the Security Management Server.