Installing a VSX Cluster

Notes:

Procedure:

  1. Step

    Instructions

    1

    Install the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Operating System:

    2

    Follow Configuring Gaia for the First Time.

    3

    During the First Time Configuration Wizard, you must configure these settings:

    • In the Installation Type window, select Security Gateway and/or Security Management.

    • In the Products window:

      1. In the Products section, select Security Gateway only.

      2. In the Clustering section, select these two options:

        • Unit is a part of a cluster

        • ClusterXL

    • In the Secure Internal Communication window, enter the applicable Activation Key (between 4 and 127 characters long).

    4

    Install a valid license.

    See Working with Licenses.

  2. Notes:

    Step

    Instructions

    1

    Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Main Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that should manage this VSX Cluster.

    2

    From the left navigation panel, click Gateways & Servers.

    3

    Create a new VSX Cluster object in one of these ways:

    • From the top toolbar, click the New () > VSX > Cluster.

    • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > VSX > New Cluster.

    • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > VSX > Cluster.

    4

    On the VSX Cluster General Properties (Specify the object's basic settings) page:

    1. In the Enter the VSX Cluster Name field, enter the applicable name for this VSX Cluster object.

    2. In the Enter the VSX Cluster IPv4 field, enter the Cluster Virtual IPv4 address that is configured on the Dedicated Management Interfaces (DMI).

    3. In the Enter the VSX Cluster IPv6 field, enter the Cluster Virtual IPv6 address that is configured on the Dedicated Management Interfaces (DMI).

    4. In the Select the VSX Cluster Version field, select R81.10.

    5. In the Select the VSX Cluster Platform field, select the applicable VSX Cluster mode:

      • ClusterXL (for High Availability)

      • ClusterXL Virtual System Load Sharing

    6. Click Next.

    5

    On the VSX Cluster Members (Define the members of this VSX Cluster) page, add the objects for the VSX Cluster Members:

    1. Click Add.

    2. In the Cluster Member Name field, enter the applicable name for this Cluster Member object.

    3. In the Cluster Member IPv4 Address field, enter the IPv4 address of the Dedicated Management InterfaceClosed (1) Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member. (2) Interface on Gaia computer, through which users connect to Gaia Portal or CLI. (DMI).

    4. In the Cluster Member IPv6 Address field, enter the applicable IPv6 address.

    5. In the Activation Key and Confirm Activation Key fields, enter the same Activation Key you entered during the Cluster Member's First Time Configuration Wizard.

    6. Click Initialize.

    7. Click OK.

    8. Repeat Steps a-f to add the second VSX Cluster Member, and so on.

     

    If the Trust State field does not show Trust established, perform these steps:

    1. Connect to the command line on the VSX Cluster Member.

    2. Make sure there is a physical connectivity between the VSX Cluster Member and the Management Server (for example, pings can pass).

    3. Run:

      cpconfig

    4. Enter the number of this option:

      Secure Internal Communication

    5. Follow the instructions on the screen to change the Activation Key.

    6. In SmartConsole, click Reset.

    7. Enter the same Activation Key you entered in the cpconfig menu.

    8. In SmartConsole, click Initialize.

    6

    On the VSX Cluster Interfaces (Physical Interfaces Usage) page:

    1. Examine the list of the interfaces - it must show all the physical interfaces on the VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0..

    2. If you plan to connect more than one Virtual System directly to the same physical interface, you must select VLAN Trunk for that physical interface.

    3. Click Next.

    7

    On the VSX Cluster members (Synchronization Network) page:

    1. Select the interface that will be used for state synchronization.

    2. Configure the IPv4 addresses for the Sync interfaces on each Cluster Member.

    3. Click Next.

    8

    On the Virtual Network Device Configuration (Specify the object's basic settings) page:

    1. You can select Create a Virtual Network Device and configure the first applicable Virtual Network Device at this time (we recommend to do this later) - Virtual Switch or Virtual Router.

    2. Click Next.

    9

    On the VSX Gateway Management (Specify the management access rules) page:

    1. Examine the default access rules.

    2. Select the applicable default access rules.

    3. Configure the applicable source objects, if needed.

    4. Click Next.

    Important - These access rules apply only to the VSX Gateway (context of VS0), which is not intended to pass any "production" traffic.

    10

    On the VSX Gateway Creation Finalization page:

    1. Click Finish and wait for the operation to finish.

    2. Click View Report for more information.

    3. Click Close.

    11

    Examine the VSX Cluster configuration:

    1. Connect to the command line on each VSX Cluster Member.

    2. Log in to the Expert mode.

    3. Run:

      vsx stat -v

    12

    In SmartConsole, open the VSX Cluster object.

    13

    On the General Properties page > the Network Security tab:

    1. Make sure the ClusterXL Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. is selected.

    2. Enable the additional applicable Software Blades for the VSX Cluster object itself (context of VS0).

    Refer to:

    14

    Click OK to push the updated VSX Configuration.

    Click View Report for more information.

    15

    Install the default policy on the VSX Cluster object:

    1. Click Install Policy.

    2. In the Policy field, select the default policy for this VSX Cluster object.

      This policy is called:

      <Name of VSX Cluster object>_VSX

    3. Click Install.

    16

    Examine the VSX configuration and cluster state:

    1. Connect to the command line on each VSX Cluster Member.

    2. Examine the VSX configuration:

      In the Expert mode, run:

      vsx stat -v

      Important:

    3. Examine the cluster state in one of these ways:

      Important:

      • All VSX Cluster Members must show the same information about the states of all VSX Cluster Members.

      • One VSX Cluster Member must be in the Active state, and all other VSX Cluster Members must be in Standby state.

      • All Virtual Systems must show the same information about the states of all Virtual Systems.

    4. Examine the cluster interfaces in one of these ways:

      • In Gaia Clish, run:

        set virtual-system 0

        show cluster members interfaces all

      • In the Expert mode, run:

        vsenv 0

        cphaprob -a if

  3. Step

    Instructions

    1

    Connect with SmartConsole to the Security Management Server, or each Target Domain Management Server that should manage each Virtual Device.

    2

    Configure the applicable Virtual Devices on this VSX Cluster.

    3

    Configure the applicable Access Control and Threat Prevention Policies for these Virtual Devices.

    4

    Install the configured Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. on these Virtual Devices.

    5

    Examine the VSX configuration and cluster state:

    1. Connect to the command line on each VSX Cluster Member.

    2. Examine the VSX configuration:

      In the Expert mode, run:

      vsx stat -v

      Important:

      • Make sure all the configured Virtual Devices are loaded.

      • Make sure all Virtual Systems and Virtual Routers have SIC Trust and policy.

    3. Examine the cluster state in one of these ways:

      • In Gaia Clish, run:

        set virtual-system 0

        show cluster state

      • In the Expert mode, run:

        vsenv 0

        cphaprob state

      Important:

      • All VSX Cluster Members must show the same information about the states of all VSX Cluster Members.

      • One VSX Cluster Member must be in the Active state, and all other VSX Cluster Members must be in Standby state.

      • All Virtual Systems must show the same information about the states of all Virtual Systems.

    4. Examine the cluster interfaces in one of these ways:

      • In Gaia Clish, run:

        set virtual-system 0

        show cluster members interfaces all

      • In the Expert mode, run:

        vsenv 0

        cphaprob -a if

For more information, see the: