Configuring VSX Clusters

Important - This chapter does not apply to Scalable Platforms (Maestro and Chassis).

This chapter presents a conceptual overview of VSX Cluster deployments, with emphasis on clustering features and their application.

VSX (Virtual System Extension) is the Check Point virtual networking solution, hosted on a computer or cluster, with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. A cluster is two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing.

It assumes you are familiar with network cluster applications and environments, particularly ClusterXL.

For more about Check Point ClusterXL features and functionality, see the R81.10 ClusterXL Administration Guide.

VSX Cluster Overview

VSX Clusters provide redundancy and load sharing features for Virtual Systems and other Virtual Devices.

A VSX Cluster consists of two or more identical, interconnected VSX Gateways that ensure continuous data synchronization.

The advantages of using clusters in a VSX environment include:

VSX Cluster Modes:

Virtual System Load Sharing (VSLS) - VSX Cluster technology that assigns Virtual System traffic to different Active Cluster Members.

  • Ensures continuous operation by means of transparent VSX Cluster Member failover.

  • Enhances system performance by distributing Active Virtual Systems amongst VSX Cluster Members.

  • Efficiently balances network traffic load by distributing active Virtual Systems between VSX Cluster Members.

  • All VSX Cluster Members and Virtual Systems are continuously synchronized.

  Note - This is the only mode available for a VSX Cluster that was installed as R81.10 or higher.

High Availability

  • Ensures continuous operation by means of transparent VSX Cluster Member failover.

  • All VSX Cluster Members and Virtual Systems function in Active/Standby mode and are continuously synchronized.

  Note - This mode is available only if you upgrade a VSX Cluster from R81 or lower to R81.10.

Physical Clusters

VSX Cluster is based on Check Point ClusterXL concepts. This section reviews these concepts, and then demonstrates how these principles apply to VSX virtualization.

In a typical Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) deployment, a cluster consists of two or more identical, interconnected physical Security Gateways that provide redundancy and/or Load Sharing. This cluster behaves as a single Security Gateway and is assigned its own IP address, which is known as its Cluster IP or Virtual IP address. This IP address is distinct from the physical IP addresses of its VSX Cluster Members, which are hidden from the networks connected to the cluster.

Traffic from external networks or the Internet directed to the internal networks arrives at the external cluster IP address. Depending on the clustering mode (High Availability or Load Sharing), a designated VSX Cluster Member receives the traffic and performs the required inspection. After inspection, traffic is either sent to its destination on the internal network, or dropped.

Internal networks send traffic destined for the Internet or external networks, to the cluster IP address. This traffic is processed by the designated VSX Cluster Member, inspected, and forwarded to its external destination.

Each member interface has a unique physical IP address. These IP addresses, which are invisible to physical networks, are used for internal communication between VSX Cluster Members and the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) for such tasks as downloading Security Policies (collections of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection), sending logs, and checking the status of individual VSX Cluster Members.

VSX Clusters

VSX Clusters, like their physical counterparts, connect two or more synchronized Gateways in such a way that if one fails, another immediately takes its place.

VSX Clusters are defined at two levels:

VSX ensures that Virtual Systems, Virtual Routers, Virtual Switches and their interfaces are provisioned and configured identically on each VSX Cluster Member.

The figure below shows that each VSX Cluster Member contains identical instances of each Virtual Device (a logical object that emulates the functionality of a type of physical network object; a Virtual Device can be one of these: Virtual Router, Virtual System, or Virtual Switch).

These identical instances are referred to as peers.

Item  Description
1     Virtual System 2
2     Virtual System 1
3     Internet
4     Router
5     External Cluster Interface
6     Sync
7     VSX Cluster Member 1
8     VSX Cluster Member 2
9     VLAN switch
10    Network 2
11    Network 1
      VLAN Trunk

VSX provides the management functionality to support network and security virtualization, including:

  • Assigning virtual IP addresses: Each Virtual Device interface requires its own virtual IP address.

  • State synchronization: Virtual Device state tables are synchronized to peers on other VSX Cluster Members.