Example ClusterXL Topology

ClusterXL is a cluster of Check Point Security Gateways that work together in a redundant configuration; the cluster both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) a VRRP Cluster supports up to 2 Cluster Members, (3) a VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to the amount of Delta Sync traffic. ClusterXL uses unique physical IP and MAC addresses for each Cluster Member, and virtual IP addresses for the cluster itself.

A cluster interface is an interface on a Cluster Member whose Network Type was set as Cluster in the cluster object in SmartConsole. This interface is monitored by the cluster, and a failure on it causes a cluster failover. Cluster interface virtual IP addresses do not belong to any real member interface.

Example Diagram

The following diagram illustrates a two-member ClusterXL cluster (two or more Security Gateways that work together in a redundant configuration, in High Availability or Load Sharing mode), showing the cluster Virtual IP addresses and the members' physical IP addresses.

This sample deployment is used in many of the examples presented in this chapter.

Item  Description
1     Internal network
2     Internal switch (internal cluster IP address 10.10.0.100)
3     Security Gateway - Cluster Member A
3a    Virtual interface to the internal network (10.10.0.1)
3b    Interface to the Cluster Sync network (10.0.10.1)
3c    Virtual interface to the external network (192.168.10.1)
4     Security Gateway - Cluster Member B
4a    Virtual interface to the internal network (10.10.0.2)
4b    Interface to the Cluster Sync network (10.0.10.2)
4c    Virtual interface to the external network (192.168.10.2)
5     External switch (external cluster IP address 192.168.10.100)
6     Internet

Each Cluster Member has three interfaces: one external interface, one internal interface, and one for synchronization. Cluster Member interfaces facing in each direction are connected via a hub or switch.

All Cluster Member interfaces facing the same direction must be in the same network. For example, there must not be a router between Cluster Members.

The Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) can be located anywhere, and a connection should be established to either the internal or the external cluster IP address.

These sections present ClusterXL configuration concepts shown in the example.

Note - In these examples, RFC 1918 private addresses in the range 192.168.0.0 to 192.168.255.255 are treated as public IP addresses.

Defining the Cluster Member IP Addresses

The guidelines for configuring each Cluster Member are as follows:

All members within the cluster must have at least three interfaces:

  • An interface facing the external network (for example, one that faces the Internet).

  • An interface facing the internal network.

  • An interface used for synchronization.

All interfaces pointing in a certain direction must be on the same network.

For example, in the previous illustration, there are two Cluster Members, Member_A and Member_B. Each has an interface with an IP address facing the Internet through a hub or a switch. This is the external interface with IP address 192.168.10.1 on Member_A and IP address 192.168.10.2 on Member_B.

Note - This release presents an option to use only two interfaces per member, one external and one internal, and to run synchronization over the internal interface. We do not recommend this configuration. It should be used for backup only. (See Synchronizing Connections in the Cluster.)

Defining the Cluster Virtual IP Addresses

In the previous illustration, the IP address of the cluster is 192.168.10.100.

The cluster has one external virtual IP address and one internal virtual IP address.

The external IP address is 192.168.10.100, and the internal IP address is 10.10.0.100.

Defining the Synchronization Network

The previous illustration shows a synchronization interface with a unique IP address on each Cluster Member - IP 10.0.10.1 on Member_A and IP 10.0.10.2 on Member_B.
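The three guidelines above (at least three interfaces per member, same-direction interfaces on one network, unique physical addresses, and virtual IPs that belong to no real member interface) can be checked mechanically before a cluster object is pushed. The following is an added example written for this page, not Check Point's own code; it encodes the example diagram's addresses and assumes /24 masks, which the page does not state. It deliberately does not require the VIP to share the members' subnet, since the next section explains that different subnets are allowed.

```python
import ipaddress

# Constructed from the page's example diagram (masks are an assumption: /24 everywhere).
MEMBERS = {
    "Member_A": {"external": "192.168.10.1/24", "internal": "10.10.0.1/24", "sync": "10.0.10.1/24"},
    "Member_B": {"external": "192.168.10.2/24", "internal": "10.10.0.2/24", "sync": "10.0.10.2/24"},
}
CLUSTER_VIPS = {"external": "192.168.10.100", "internal": "10.10.0.100"}
REQUIRED_ROLES = ("external", "internal", "sync")


def check_topology(members, vips):
    """Return a list of guideline violations; an empty list means the layout is consistent."""
    problems = []
    # Guideline 1: every member needs an external, an internal and a sync interface.
    for name, ifaces in members.items():
        missing = [r for r in REQUIRED_ROLES if r not in ifaces]
        if missing:
            problems.append(f"{name}: missing {', '.join(missing)} interface")
    # Guideline 2: interfaces facing the same direction must be on one network
    # (no router between Cluster Members).
    for role in REQUIRED_ROLES:
        nets = {ipaddress.ip_interface(i[role]).network for i in members.values() if role in i}
        if len(nets) > 1:
            problems.append(f"{role}: members are on different networks {sorted(map(str, nets))}")
    # Guideline 3: each member interface carries its own unique physical address.
    addrs = [ipaddress.ip_interface(a).ip for i in members.values() for a in i.values()]
    for a in sorted({a for a in addrs if addrs.count(a) > 1}):
        problems.append(f"duplicate physical address {a}")
    # Guideline 4: a cluster VIP must not also be a real member interface address.
    for role, vip in vips.items():
        if ipaddress.ip_address(vip) in addrs:
            problems.append(f"{role} VIP {vip} is also a member physical address")
    return problems


if __name__ == "__main__":
    for line in check_topology(MEMBERS, CLUSTER_VIPS) or ["topology OK"]:
        print(line)
```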

Configuring Cluster Addresses on Different Subnets

Only one public IP address is required in a ClusterXL cluster, for the virtual cluster interface that faces the Internet. Physical IP addresses of all Cluster Members can be private.

Configuring different subnets for the cluster IP addresses and the members' IP addresses (see Cluster IP Addresses on Different Subnets) is useful to:

  • Configure a cluster to replace one Security Gateway in a pre-configured network, without the need to allocate new IP addresses to the Cluster Members.

  • Allow organizations to use only one public IP address for the ClusterXL Cluster. This saves public IP addresses.