Limitations of Cluster Addresses on Different Subnets

This new feature does not yet support all the capabilities of ClusterXL.

Some features require additional configuration to work properly, while others are not supported.

Connectivity Between Cluster Members

Since ARP requests issued by Cluster Members are hidden behind the cluster IP and MAC addresses, requests sent by one Cluster Member to the other may be ignored by the destination computer.

To allow Cluster Members to communicate with each other, a static ARP should be configured for each Cluster Member, stating the MAC addresses of all other Cluster Members. IP packets sent between Cluster Members are not altered, and therefore no changes should be made to the routing table.

Note - Static ARP is not required in order for the Cluster Members to work properly as a cluster, since the cluster synchronization protocol does not rely on ARP.
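As an added illustration (not Check Point's code), the following Python check parses `ip neigh show`-style output collected on one Cluster Member and reports, for each peer member, whether a static (PERMANENT) entry with the peer's real MAC is present. The member addresses and the neighbor-table lines are constructed sample data.

```python
import re

# Constructed sample: unique (member) addresses of a two-member cluster.
MEMBERS = {
    "member_a": {"ip": "192.0.2.11", "mac": "00:1c:7f:aa:00:01"},
    "member_b": {"ip": "192.0.2.12", "mac": "00:1c:7f:aa:00:02"},
}

# Constructed `ip neigh show` output as seen on member_a: peer has a static entry.
NEIGH_OUTPUT_A = """\
192.0.2.12 dev eth0 lladdr 00:1c:7f:aa:00:02 PERMANENT
192.0.2.1 dev eth0 lladdr 00:00:5e:00:01:01 REACHABLE
"""

# Constructed output as seen on member_b: the peer's IP resolved to the cluster
# multicast MAC (Load Sharing Multicast mode), so its real MAC is hidden.
NEIGH_OUTPUT_B = """\
192.0.2.11 dev eth0 lladdr 01:00:5e:01:02:03 STALE
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")


def parse_neigh(text):
    """Return {ip: (mac, state)}; lines without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = (m.group(3).lower(), m.group(4))
    return table


def is_multicast_mac(mac):
    """True when the I/G bit (LSB of the first octet) is set, as in 01:00:5e:... addresses."""
    return int(mac.split(":")[0], 16) & 1 == 1


def check_peer_arp(local_name, neigh_text):
    """List problems with the local member's ARP entries for every other Cluster Member."""
    table = parse_neigh(neigh_text)
    problems = []
    for name, peer in MEMBERS.items():
        if name == local_name:
            continue
        entry = table.get(peer["ip"])
        if entry is None:
            problems.append(f"{name}: no ARP entry for {peer['ip']}; add a static entry")
            continue
        mac, state = entry
        if mac != peer["mac"].lower():
            hint = " (cluster multicast MAC)" if is_multicast_mac(mac) else ""
            problems.append(f"{name}: {peer['ip']} resolves to {mac}{hint}, expected {peer['mac']}")
        elif state != "PERMANENT":
            problems.append(f"{name}: entry for {peer['ip']} is dynamic ({state}), not static")
    return problems
```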

Load Sharing Multicast Mode with "Semi-Supporting" Hardware

Although not all types of network hardware work with multicast MAC addresses, some routers can pass such packets, even though they are unable to handle ARP Replies containing a multicast MAC address. Where a router semi-supports Load Sharing Multicast mode, it is possible to configure the cluster MAC address as a static ARP entry in the router internal tables, and thus allow it to communicate with the cluster.

When different subnets are used for the cluster IP addresses, static ARP entries containing the router MAC address need to be configured on each Cluster Member. This is done because this kind of router will not respond to ARP Requests containing a multicast source MAC address. These special procedures are not required when using routers that fully support multicast MAC addresses.

Manual Proxy ARP

When using Static NAT, the cluster can be configured to automatically recognize the hosts hidden behind it, and issue ARP replies with the cluster MAC address, on their behalf. This process is known as Automatic Proxy ARP.

However, if you use the ClusterXL VMAC mode or different subnets for the cluster IP addresses, this mechanism will not work, and you must configure the proxy ARP manually. To do so, in SmartConsole, click Menu > Global properties > NAT Network Address Translation, and disable Automatic ARP Configuration. Then create the $FWDIR/conf/local.arp file.

For instructions, see sk30197.

Connecting to the Cluster Members from the Cluster Network

Because the unique IP addresses may be chosen arbitrarily, there is no guarantee that these addresses are accessible from the subnet of the cluster IP address.

To access the Cluster Members through their unique IP addresses, you must configure routes on the accessing Cluster Member, such that the cluster IP is the Default Gateway for the subnet of the unique IP addresses.

Configuring Anti-Spoofing

  1. Connect with SmartConsole to the Management Server.

  2. From the left navigation panel, click Gateways & Servers.

  3. Create a Group object, which contains the objects of both the external network and the internal network.

    In the Example of Cluster IP Addresses on Different Subnets, suppose Side "A" is the external network, and Side "B" is the internal network.

    You must configure the Group object to contain both the network / 24 and the network / 24.

  4. Open the cluster object.

  5. From the left tree, click Network Management.

  6. Select the cluster interface and click Edit.

  7. On the General page, in the Topology section, click Modify.

  8. Select Override.

  9. Select This Network (Internal).

  10. Select Specific.

  11. Select the Group object that contains the objects of both the external network and the internal network.

  12. Click OK.

  13. Install the Access Control Policy on this cluster object.