Working with VPN in Cluster

This section describes the configuration of VPN in a cluster (two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing).

Configuring VPN in Clusters

Configuring a cluster using SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) is very similar to configuring a single Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources).

All attributes of the VPN are configured in the Cluster object, except for two attributes that are configured for each Cluster Member (a Security Gateway that is part of a cluster) object.

  1. In SmartConsole, open the cluster object.

  2. In the left navigation tree, go to Cluster Members page.

  3. Select each Cluster Member and click Edit.

    The Cluster Member Properties window opens.

  4. Go to the VPN tab:

    • In the Office Mode for Remote access section:

      If you wish to use Office Mode for Remote Access, select Offer Manual Office Mode and define the IP pool allocated to each Cluster Member.

    • In the Certificate List with keys stored on the Security Gateway section:

      If your Cluster Member supports hardware storage for IKE certificates, define the certificate properties.

      In that case, the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) directs the Cluster Member to create the keys and supply only the required material for creation of the certificate request.

      The certificate is downloaded to the Cluster Member during policy installation.

  5. Click OK to close the Cluster Member Properties window.

  6. In the left navigation tree, go to ClusterXL and VRRP page.

  7. Make sure to select Use State Synchronization.

    This is required to synchronize IKE keys.

  8. In the left navigation tree, go to Network Management > VPN Domain page.

  9. Define the encryption domain of the cluster.

    Select one of the two possible settings:

    • All IP addresses behind Cluster Members based on Topology information. This is the default option.

    • Manually defined. Use this option if the cluster IP address is not on the member network, in other words, if the cluster virtual IP address is on a different subnet than the Cluster Member interfaces. In that case, select a network or group of networks, which must include the virtual IP address of the cluster, and the network or group of networks behind the cluster.

  10. Click OK to close the Gateway Cluster Properties window.

  11. Install the Access Control Policy on the cluster.
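The two decisions in this procedure that are easy to get wrong are the VPN Domain choice in step 9 (Topology-based is only valid when the cluster virtual IP address sits on the member network, and a manually defined domain must cover both the virtual IP address and the networks behind the cluster) and the per-member Office Mode pools in step 4. The following pre-flight check is an added example, not Check Point code and not part of the original page: it takes the addresses you intend to enter in SmartConsole and reports which VPN Domain option applies and whether a manually defined domain is complete. The sample addresses are constructed, and the rule that Office Mode pools of different Cluster Members must not overlap is an assumption of this example rather than a statement from the page. The same coverage check applies to the manually defined domain of an externally managed peer cluster described in the next section.

```python
import ipaddress
from typing import Dict, List, Sequence


def _nets(cidrs: Sequence[str]):
    """Parse CIDR strings into ip_network objects (host bits allowed)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def vip_on_member_network(cluster_vip: str, member_networks: Sequence[str]) -> bool:
    """True when the cluster virtual IP lies on one of the Cluster Member interface networks."""
    vip = ipaddress.ip_address(cluster_vip)
    return any(vip in net for net in _nets(member_networks))


def recommended_vpn_domain_mode(cluster_vip: str, member_networks: Sequence[str]) -> str:
    """Step 9 of the procedure: 'topology' is the default, 'manual' is required when
    the virtual IP is on a different subnet than the member interfaces."""
    return "topology" if vip_on_member_network(cluster_vip, member_networks) else "manual"


def check_manual_vpn_domain(cluster_vip: str,
                            networks_behind_cluster: Sequence[str],
                            domain_networks: Sequence[str]) -> List[str]:
    """Validate a manually defined VPN domain. It must include the cluster virtual IP
    and every network behind the cluster; returns a list of problems (empty = OK)."""
    problems: List[str] = []
    vip = ipaddress.ip_address(cluster_vip)
    domain = _nets(domain_networks)
    if not any(vip in net for net in domain):
        problems.append(f"cluster VIP {vip} is not covered by the manual VPN domain")
    for behind in _nets(networks_behind_cluster):
        covered = any(behind.version == d.version and behind.subnet_of(d) for d in domain)
        if not covered:
            problems.append(f"network {behind} behind the cluster is not covered by the manual VPN domain")
    return problems


def check_office_mode_pools(pools: Dict[str, str]) -> List[str]:
    """Step 4 of the procedure: each Cluster Member gets its own Office Mode pool.
    Assumption of this example: pools of different members must not overlap."""
    problems: List[str] = []
    items = [(member, ipaddress.ip_network(pool, strict=False)) for member, pool in pools.items()]
    for i, (m1, p1) in enumerate(items):
        for m2, p2 in items[i + 1:]:
            if p1.version == p2.version and p1.overlaps(p2):
                problems.append(f"Office Mode pools of {m1} ({p1}) and {m2} ({p2}) overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample: members on 192.168.10.0/24, VIP on a different subnet,
    # so the VPN domain must be manually defined.
    member_networks = ["192.168.10.0/24"]
    cluster_vip = "203.0.113.10"
    behind = ["10.1.0.0/16", "10.2.0.0/24"]
    print("VPN domain mode:", recommended_vpn_domain_mode(cluster_vip, member_networks))
    print("manual domain problems:",
          check_manual_vpn_domain(cluster_vip, behind, ["203.0.113.0/24", "10.0.0.0/8"]))
    print("incomplete domain problems:",
          check_manual_vpn_domain(cluster_vip, behind, ["10.0.0.0/8"]))
    print("office mode problems:",
          check_office_mode_pools({"member1": "172.16.10.0/24", "member2": "172.16.11.0/24"}))
```

Run the script before opening the Cluster object in SmartConsole; an empty problem list for the chosen domain networks means the group you select in the VPN Domain page contains everything the procedure requires.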

Defining VPN Peer Clusters with Separate Management Servers

When working with a VPN peer that is a Check Point Cluster, and the VPN peer is managed by a different Management Server, do NOT define another cluster object. Instead, do the following:

  1. In SmartConsole, go to Objects menu > More object types > Network Object > Gateways and Servers > More > New Externally Managed VPN Gateway.

    The Externally Managed Check Point Gateway window opens.

  2. In the General Properties page, configure the name and the IP address.

  3. In the Topology page, click New to add the external and internal cluster interfaces on the VPN peer.

  4. In the VPN Domain section of the Topology page, define the encryption domain of the externally managed Security Gateway to be behind the internal Virtual IP address of the Security Gateway.

    If the encryption domain is just one subnet, select All IP addresses behind Gateway based on Topology information.

    If the encryption domain includes more than one subnet, select Manually defined.

  5. Click OK.

  6. Install the Access Control Policy on the cluster.