Working with NAT in Cluster
This section describes the configuration of NAT in a cluster (two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing).
Cluster Fold and Cluster Hide
Network Address Translation (NAT) is a fundamental aspect of the way ClusterXL works. ClusterXL is a cluster of Check Point Security Gateways that work together in a redundant configuration; the cluster both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to the amount of Delta Sync traffic.
- When a Cluster Member (a Security Gateway that is part of a cluster) establishes an outgoing connection towards the Internet, the source address in the outgoing packets is the physical IP address of the Cluster Member interface. The source IP address is changed using NAT to that of the external Virtual IP address of the cluster. This address translation is called "Cluster Hide".
  - When working with VRRP on Gaia cluster, this corresponds to the default setting in the ClusterXL and VRRP page of the cluster object, Hide Cluster Members outgoing traffic behind the Cluster IP address, being selected.
  - When working with VRRP on IPSO cluster, this corresponds to the default setting in the 3rd Party Configuration page of the cluster object, Hide Cluster Members' outgoing traffic behind the Cluster's IP address, being selected.
- When a client establishes an incoming connection to the external (virtual) address of the cluster, ClusterXL changes the destination IP address using NAT to that of the physical external address of one of the Cluster Members. This address translation is called "Cluster Fold".
  - When working with VRRP on Gaia cluster, this corresponds to the default setting in the ClusterXL and VRRP page of the cluster object, Forward Cluster incoming traffic to Cluster Members IP address, being selected.
  - When working with IPSO IP Clustering cluster, this corresponds to the default setting in the 3rd Party Configuration page of the cluster object, Forward Cluster incoming traffic to Cluster Members' IP addresses, being selected.
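The following Python model is an added illustration and is not code from the guide or from ClusterXL. It shows why the two automatic translations must share connection state: a reply to a "Cluster Hide" connection arrives addressed to the cluster Virtual IP and must be folded back to the Cluster Member that opened it, while a new inbound connection is folded to a member of the cluster's choosing. All addresses are constructed, and the round-robin member selection is an assumption for illustration, not ClusterXL's actual algorithm.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

# Constructed example addresses (documentation ranges, not from the page).
CLUSTER_VIP = IPv4Address("203.0.113.10")
MEMBER_IPS = [IPv4Address("203.0.113.11"), IPv4Address("203.0.113.12")]
REMOTE_SERVER = IPv4Address("198.51.100.5")
REMOTE_CLIENT = IPv4Address("198.51.100.7")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


class ClusterNat:
    """Models the automatic Cluster Hide / Cluster Fold translations."""

    def __init__(self, vip, members):
        self.vip = vip
        self.members = list(members)
        self.next_member = 0  # round robin is an assumption, for illustration only
        # Connection table: (peer addr, peer port, vip, vip port) -> member physical IP
        self.table = {}

    def cluster_hide(self, pkt):
        """Outbound connection opened by a member: source becomes the cluster VIP.
        A real implementation also allocates a unique source port per member;
        that port translation is omitted here for brevity."""
        if pkt.src not in self.members:
            return pkt  # not member-originated traffic: no Cluster Hide
        self.table[(pkt.dst, pkt.dport, self.vip, pkt.sport)] = pkt.src
        return replace(pkt, src=self.vip)

    def cluster_fold(self, pkt):
        """Inbound packet addressed to the VIP: destination becomes a member's physical IP.
        Replies to hidden connections go back to the member that opened them."""
        if pkt.dst != self.vip:
            return pkt
        key = (pkt.src, pkt.sport, self.vip, pkt.dport)
        member = self.table.get(key)
        if member is None:  # new inbound connection: choose a member
            member = self.members[self.next_member % len(self.members)]
            self.next_member += 1
            self.table[key] = member
        return replace(pkt, dst=member)


def demo():
    """Run the three cases and return the translated addresses as strings."""
    nat = ClusterNat(CLUSTER_VIP, MEMBER_IPS)
    out = nat.cluster_hide(Packet(MEMBER_IPS[1], REMOTE_SERVER, 40000, 443))
    reply = nat.cluster_fold(Packet(REMOTE_SERVER, CLUSTER_VIP, 443, 40000))
    fresh = nat.cluster_fold(Packet(REMOTE_CLIENT, CLUSTER_VIP, 51000, 22))
    return str(out.src), str(reply.dst), str(fresh.dst)
```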
Configuring NAT in Cluster
Network Address Translation (NAT) can be performed on a Cluster in the same way as it is performed on a Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources).
This NAT is in addition to the automatic "Cluster Fold" and "Cluster Hide" address translations.
To configure NAT, edit the Cluster object, and in the Cluster Properties window, click the NAT page. Do NOT configure the NAT tab of the Cluster Member object.
Configuring NAT on a Cluster Member
It is possible to perform Network Address Translation (NAT) on a non-cluster interface of a Cluster Member. (A cluster interface is an interface on a Cluster Member whose Network Type was set to Cluster in the cluster object in SmartConsole; the cluster monitors this interface, and a failure on it causes cluster failover.)
A possible scenario for this is if the non-Cluster interface of the Cluster Member is connected to another (non-cluster) internal Security Gateway, and you wish to hide the address of the non-Cluster interface of the Cluster Member.
Performing this NAT means that when a packet originates behind or on the non-Cluster interface of the Cluster Member, and is sent to a host on the other side of the internal Security Gateway, the source address of the packet will be translated.
To configure NAT on a non-cluster interface of a Cluster Member:
- Edit the Cluster object.
- In the Cluster Member page, edit the Cluster Member object.
- In the Cluster Member Properties window, click the NAT tab.
- Configure Static or Hide NAT as applicable.
- Install the Access Control Policy on the cluster.