Adding Another Member to an Existing Cluster

Important - Schedule a full maintenance window to perform this procedure.

Best Practice - Before you change the current configuration, export a complete management database with "migrate_server" command. See the R81.20 CLI Reference Guide.

Adding a New Cluster Member to the Cluster Object

  1. Install a new Cluster MemberClosed Security Gateway that is part of a cluster. you plan to add to the existing clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

    See the R81.20 Installation and Upgrade Guide > Chapter Installing a ClusterXL, VSX Cluster, VRRP Cluster.

    Follow only the step "Install the Cluster Members".

    Important - The new Cluster Member must run the same version with the same Hotfixes as the existing Cluster Members.

  2. On the new Cluster Member you plan to add to the existing cluster:

    1. Configure or change the IP addresses on the applicable interfaces to match the current cluster topologyClosed Set of interfaces on all members of a cluster and their settings (Network Objective, IP address / Net Mask, Topology, Anti-Spoofing, and so on)..

      Use Gaia PortalClosed Web interface for the Check Point Gaia operating system. or Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

      See R81.20 Gaia Administration Guide.

    2. Configure or change the applicable static routes to match the current cluster topology.

      Use GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Portal or Gaia Clish.

    3. Connect to the command line.

    4. Log in to Gaia Clish or the Expert mode.

    5. Start the Check Point Configuration Tool. Run:

      cpconfig

    6. Select the option Enable cluster membership for this gateway and enter y to confirm.

    7. Reboot the new Cluster Member.

    1. Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages this cluster.

    2. From the left navigation panel, click Gateways & Servers.

    3. Open the existing cluster object.

    4. In the Cluster Members page, click Add > New Cluster Member.

      The Cluster Members Properties window opens.

      Follow the instructions on the screen to configure this new Cluster Member.

    5. Click the General tab.

    6. In the Name field, enter a Cluster Member name.

    7. In the IPv4 Address field, enter a physical IPv4 addresses.

      The Management Server must be able to connect to the Cluster Member at this IPv4 address.

      This IPv4 address can be an internal, or external. You can use a dedicated management interface on the Cluster Member.

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

    8. In the IPv6 Address field, enter a physical IPv6 address, if you need to use IPv6.

      The Management Server must be able to connect to the Cluster Member at this IPv6 address. This IPv6 address can be an internal, or external. You can use a dedicated management interface on the Cluster Member.

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

    9. Click Communication, and initialize Secure Internal Communication (SICClosed Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.) trust.

      Enter the same key you entered during First Time Configuration Wizard on the new Cluster Member.

    10. Click the NAT tab to configure the applicable NAT settings.

    11. Click the VPN tab to configure the applicable VPN settings.

    12. Click OK.

    13. From the left tree, click Network Management.

      • Make sure all interfaces are defined correctly.

      • Make sure all IP addresses are defined correctly.

    14. Click OK.

    15. Publish the SmartConsole session.

    16. Install the Access Control Policy on this cluster object.

      Policy installation must succeed on all Cluster Members.

    17. Install the Threat Prevention Policy on this cluster object.

      Policy installation must succeed on all Cluster Members.

  4. On each Cluster Member (existing and the newly added):

    1. Connect to the command line.

    2. Log in to Gaia Clish or the Expert mode.

    3. Make sure all Cluster Members detect each other and agree on their cluster states. Run:

      Shell

      Command

      Gaia Clish

      1. set virtual-system <VSID>

      2. show cluster state

      Expert mode

      cphaprob [-vs <VSID>] state

      For more information, see Viewing Cluster State.

    If Cluster Members do not detect each other, or do not agree on their cluster states, then restart the clustering.

    1. Connect to the command line on each Cluster Member (existing and the newly added).

    2. Log in to Gaia Clish or the Expert mode.

    3. Restart the clustering on each Cluster Member.

      Run:

      cphastop

      cphastart

      Important - This temporarily causes the Cluster Member not to be a part of the cluster. As a result, cluster failoverClosed Transferring of a control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms). Synonym: Fail-over. can occur.

    4. Make sure all Cluster Members detect each other and agree on their cluster states. Run:

      Shell

      Command

      Gaia Clish

      1. set virtual-system <VSID>

      2. show cluster state

      Expert mode

      cphaprob [-vs <VSID>] state

Adding an Existing Security Gateway as a Cluster Member to the Cluster Object

Important - The existing Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. must run the same version with the same Hotfixes as the existing Cluster Members.

  1. On the existing Security Gateway you plan to add to the existing cluster:

    1. Configure or change the IP addresses on the applicable interfaces to match the current cluster topology.

      Use Gaia Portal or Gaia Clish.

      See R81.20 Gaia Administration Guide.

    2. Configure or change the applicable static routes to match the current cluster topology.

      Use Gaia Portal or Gaia Clish.

    3. Connect to the command line.

    4. Log in to Gaia Clish or the Expert mode.

    5. Start the Check Point Configuration Tool. Run:

      cpconfig

    6. Select the option Enable cluster membership for this gateway and enter y to confirm.

    7. Reboot the Security Gateway.

    1. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this cluster.

    2. From the left navigation panel, click Gateways & Servers.

    3. Open the existing cluster object.

    4. From the left tree, click Cluster Members.

    5. Click Add > Add Existing Gateway.

      Follow the instructions on the screen to configure this new Cluster Member.

      Read the warning and click Yes:

      If you add <Name_of_Security_Gateway_object> to the cluster, it will be converted to a cluster member. Some settings will be lost.
The following settings will still remain:
-SIC
-VPN
-NAT (except for IP Pools)
In order to revert the conversion, session must be discarded.
Are you sure you want to continue?

    6. In the list of Cluster Members, select the new Cluster Member and click Edit.

    7. Click the NAT tab and configure the applicable NAT settings.

    8. Click the VPN tab and configure the applicable VPN settings.

    9. From the left tree, click Network Management.

      • Make sure all interfaces are defined correctly.

      • Make sure all IP addresses are defined correctly.

    10. Click OK.

    11. Install the Access Control Policy on this cluster object.

      Policy installation must succeed on all Cluster Members.

    12. Install the Threat Prevention Policy on this cluster object.

      Policy installation must succeed on all Cluster Members.

  3. On each Cluster Member (existing and the newly added):

    1. Connect to the command line.

    2. Log in to Gaia Clish or the Expert mode.

    3. Make sure all Cluster Members detect each other and agree on their cluster states. Run:

      Shell

      Command

      Gaia Clish

      1. set virtual-system <VSID>

      2. show cluster state

      Expert mode

      cphaprob [-vs <VSID>] state

      For more information, see Viewing Cluster State.

    If Cluster Members do not detect each other, or do not agree on their cluster states, then restart the clustering.

    1. Connect to the command line on each Cluster Member (existing and the newly added).

    2. Log in to Gaia Clish or the Expert mode.

    3. Restart the clustering on each Cluster Member.

      Run:

      cphastop

      cphastart

      Important - This temporarily causes the Cluster Member not to be a part of the cluster. As a result, cluster failover can occur.

    4. Make sure all Cluster Members detect each other and agree on their cluster states. Run:

      Shell

      Command

      Gaia Clish

      1. set virtual-system <VSID>

      2. show cluster state

      Expert mode

      cphaprob [-vs <VSID>] state