Cluster Management APIs
Introduction
The purpose of the Cluster APIs is to provide automation / orchestration of Check Point clusters in a way similar to the simple-gateway APIs. (A Cluster is two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing.)
These Cluster APIs support common cluster operations - such as creating a new cluster object, modifying an existing cluster object (for example, adding or removing cluster members, manipulation of interfaces).
These Cluster APIs are called "simple" because they do not support all cluster object features.
For operations on cluster objects that are not provided by these APIs, use SmartConsole (the Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on).
List of APIs
API Category | API | Description |
---|---|---|
Asynchronous | | Creates a new simple cluster object from scratch |
Asynchronous | | Modifies an existing simple cluster object |
Synchronous | | Shows an existing simple cluster object specified by its Name or UID |
Synchronous | | Shows all existing simple cluster objects |
Synchronous | | Deletes an existing simple cluster object |
API Examples

API command:
Use this API to add a simple cluster object.
Once the API command finishes, and the session is published, a new cluster object appears in SmartConsole.
Prerequisite:
- All Cluster Members must already be installed.
- The applicable interfaces on each Cluster Member (a Security Gateway that is part of a cluster) must already be configured.
Example description:
- A simple ClusterXL in High Availability mode called cluster1
  ClusterXL - Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic.
  High Availability - A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA.
- With two cluster members called member1 and member2
- With three interfaces: eth0 (external), eth1 (sync), and eth2 (internal)
- Only the Firewall Software Blade is enabled (the IPsec VPN blade is disabled)
  Software Blade - Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities.
  IPsec VPN - Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access.
- Cluster software version is R80.20
Example cluster object topology:
Interface | Cluster | Member1 | Member2 |
---|---|---|---|
eth0 (External) | 172.23.5.254 / | 172.23.5.1 / | 172.23.5.2 / |
eth1 (Sync) | N / A | 1.1.1.1 / | 1.1.1.2 / |
eth2 (Internal) | 192.168.1.254 / | 192.168.1.1 / | 192.168.1.2 / |
API example:
Important - In the API command, you must use the same One-Time Password you used on Cluster Members during the First Time Configuration Wizard.

API command:
Use this API to add (scale up) Cluster Members.
Example description:
Adding a Cluster Member called member3.
Example cluster object topology:
Interface | Cluster | Member1 | Member2 | Member3 |
---|---|---|---|---|
eth0 (External) | 172.23.5.254 / | 172.23.5.1 / | 172.23.5.2 / | 172.23.5.3 / |
eth1 (Sync) | N / A | 1.1.1.1 / | 1.1.1.2 / | 1.1.1.3 / |
eth2 (Internal) | 192.168.1.254 / | 192.168.1.1 / | 192.168.1.2 / | 192.168.1.3 / |
API example:

API command:
Use this API to remove (scale down) Cluster Members.
Down - State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd-party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster.
Example description:
Removing a Cluster Member called member3.
Example cluster object topology:
Interface | Cluster | Member1 | Member2 | Member3 |
---|---|---|---|---|
eth0 (External) | 172.23.5.254 / | 172.23.5.1 / | 172.23.5.2 / | 172.23.5.3 / |
eth1 (Sync) | N / A | 1.1.1.1 / | 1.1.1.2 / | 1.1.1.3 / |
eth2 (Internal) | 192.168.1.254 / | 192.168.1.1 / | 192.168.1.2 / | 192.168.1.3 / |
API example:

API command:
Example description:
Adding a cluster interface called eth3.
Example cluster object topology:
Interface | Cluster | Member1 | Member2 |
---|---|---|---|
eth0 (External) | 172.23.5.254 / | 172.23.5.1 / | 172.23.5.2 / |
eth1 (Sync) | N / A | 1.1.1.1 / | 1.1.1.2 / |
eth2 (Internal) | 192.168.1.254 / | 192.168.1.1 / | 192.168.1.2 / |
eth3 (Internal) | 10.10.10.254 / | 10.10.10.1 / | 10.10.10.2 / |
API example:

API command:
Use this API to remove a cluster interface.
Example description:
Removing a cluster interface called eth3.
Example cluster object topology:
Interface | Cluster | Member1 | Member2 |
---|---|---|---|
eth0 (External) | 172.23.5.254 / | 172.23.5.1 / | 172.23.5.2 / |
eth1 (Sync) | N / A | 1.1.1.1 / | 1.1.1.2 / |
eth2 (Internal) | 192.168.1.254 / | 192.168.1.1 / | 192.168.1.2 / |
eth3 (Internal) | 10.10.10.254 / | 10.10.10.1 / | 10.10.10.2 / |
API example:

API command:
Use this API to change settings of a cluster interface.
Example description:
Changing the IP address of the cluster interfaces called eth2 from 192.168.x.254 / 255.255.255.0 to 172.30.1.x / 255.255.255.0
Example cluster object topology:
Interface | Cluster | Member1 | Member2 |
---|---|---|---|
eth0 (External) | 172.23.5.254 / | 172.23.5.1 / | 172.23.5.2 / |
eth1 (Sync) | N / A | 1.1.1.1 / | 1.1.1.2 / |
eth2 (Internal) | From: 192.168.1.254 / To: 172.30.1.254 / | From: 192.168.1.1 / To: 172.30.1.1 / | From: 192.168.1.2 / To: 172.30.1.2 / |
API example:

API command:
Use this API to reestablish SIC (Secure Internal Communication) with Cluster Members.
SIC - The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.
Prerequisite:
SIC must already be reset on the Cluster Members.
API example:
Important - In the API command, you must use the same One-Time Password you used on Cluster Members during the SIC reset.

API command:
Use this API to enable and disable Software Blades on Cluster Members.
Notes:
API example:
To enable all Software Blades supported by the Cluster API:
To disable all Software Blades supported by the Cluster API:

API command:
Use this API to view a specific existing cluster object.
Note - By default, the output shows up to 50 configured cluster interfaces.
API example - request:
API example - response:

API command:
Use this API to view all existing cluster objects.

API command:
Use this API to delete a specific cluster object.
API example:
Known Limitations
- These Cluster APIs support only a subset of cluster operations.
- These Cluster APIs support only basic configuration of Software Blades (similar to "simple-gateway" APIs - see the Check Point Management API Reference).
- These Cluster APIs support only ClusterXL High Availability, ClusterXL Load Sharing, and CloudGuard OPSEC clusters.
  Load Sharing - A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS.
- These Cluster APIs do not support the configuration of a Cluster Virtual IP address on a different subnet than the IP addresses of the Cluster Members.
  For such configuration, use SmartConsole.
- These Cluster APIs do not support VRRP Clusters (either on Gaia OS or IPSO OS).
  Gaia - Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems.
- These Cluster APIs support a limited subset of interface settings.
  To change interface settings such as Topology, Anti-Spoofing and Security Zone, you must replace the interface.
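
An added example, not from the original page or from Check Point: a Python pre-flight check that builds the request body for the cluster1 example described earlier and tests it against the limitations listed above (supported cluster modes, Cluster Virtual IP on the same subnet as the member addresses) before anything is sent to the Management Server. The field names and mode strings are assumed from the add-simple-cluster request in the Check Point Management API Reference; the 255.255.255.0 mask on eth0 and eth1 and the `CP_SIC_OTP` variable name are assumptions.

```python
import ipaddress
import os

# Mode strings as assumed from the Management API reference; VRRP is not among them.
SUPPORTED_MODES = {"cluster-xl-ha", "cluster-ls-multicast", "cluster-ls-unicast",
                   "opsec-ha", "opsec-ls"}
MASK = "255.255.255.0"  # assumed everywhere; the page states it only for eth2

def build_cluster1(otp):
    """Request body for the page's cluster1 example: two members, three interfaces."""
    prefixes = {"eth0": "172.23.5.", "eth1": "1.1.1.", "eth2": "192.168.1."}
    def member(n):
        return {"name": f"member{n}", "one-time-password": otp,
                "ip-address": f"172.23.5.{n}",
                "interfaces": [{"name": i, "ip-address": f"{p}{n}", "network-mask": MASK}
                               for i, p in prefixes.items()]}
    return {
        "name": "cluster1", "version": "R80.20", "os-name": "Gaia",
        "cluster-mode": "cluster-xl-ha", "ip-address": "172.23.5.254",
        "firewall": True, "vpn": False,
        "interfaces": [
            {"name": "eth0", "interface-type": "cluster", "topology": "EXTERNAL",
             "ip-address": "172.23.5.254", "network-mask": MASK},
            {"name": "eth1", "interface-type": "sync", "topology": "INTERNAL"},
            {"name": "eth2", "interface-type": "cluster", "topology": "INTERNAL",
             "ip-address": "192.168.1.254", "network-mask": MASK}],
        "members": [member(1), member(2)]}

def preflight(body):
    """Return the problems that the page's prerequisites and limitations rule out."""
    problems = []
    if body["cluster-mode"] not in SUPPORTED_MODES:
        problems.append(f"unsupported cluster-mode {body['cluster-mode']}")
    for m in body["members"]:
        if not m.get("one-time-password"):
            problems.append(f"{m['name']}: missing one-time password")
        own = {i["name"]: i for i in m["interfaces"]}
        for ci in body["interfaces"]:
            mi = own.get(ci["name"])
            if mi is None:
                problems.append(f"{m['name']}: no interface {ci['name']}")
            elif "ip-address" in ci:  # the sync interface carries no cluster VIP
                net = ipaddress.ip_network(f"{ci['ip-address']}/{ci['network-mask']}", strict=False)
                if ipaddress.ip_address(mi["ip-address"]) not in net:
                    problems.append(f"{m['name']}/{ci['name']}: {mi['ip-address']} outside {net}")
    return problems

if __name__ == "__main__":  # OTP is read from the environment, not stored in the script
    print(preflight(build_cluster1(os.environ.get("CP_SIC_OTP", ""))) or "payload ok")
```

Reading the One-Time Password from the environment keeps the SIC secret out of the script, version control and shell history; an empty list from `preflight` means the body stays within what these APIs accept.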