Changing the Settings of Cluster Object in SmartConsole

The Cluster Gateway Properties window in a cluster object contains many different ClusterXL properties, as well as other properties related to Security Gateway and Software Blades functionality.

This section includes only the properties and procedures directly related to ClusterXL.

Configuring General Properties

  1. In the Name field, enter a unique name for this cluster object.

  2. In the IPv4 Address field, enter the unique Cluster Virtual IPv4 address for this cluster. This is the main IPv4 address of the cluster object.

  3. In the Cluster IPv6 Address field, enter the unique Cluster Virtual IPv6 address for this cluster. This is the main IPv6 address of the cluster object.

    Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support pure IPv6 addresses.

  4. In the Hardware field, select the correct hardware platform.

  5. In the Version field, select the correct Check Point version.

  6. In the OS field, select the correct operating system.

  7. Configure the applicable cluster type:

  8. On the Network Security tab, enable other Software Blades as necessary.

  9. Click OK.

  10. Publish the SmartConsole session.

Working with Cluster Topology

IPv6 Considerations

To activate IPv6 functionality for an interface, define an IPv6 address for the applicable interface on each Cluster Member and in the cluster object. All interfaces configured with an IPv6 address must also have a corresponding IPv4 address. If an interface does not require IPv6, only the IPv4 address definition is necessary.

Note - You must configure synchronization interfaces with IPv4 addresses only. This is because the synchronization mechanism works using IPv4 only. All IPv6 information and states are synchronized using this interface.

  1. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this cluster.

  2. From the left navigation panel, click Gateways & Servers.

  3. Open the cluster object.

  4. From the left tree, click the Network Management page.

  5. Select a cluster interface and click Edit.

  6. From the left navigation tree, click General page:

    1. In the General section, configure these settings for Cluster Virtual Interface:

      Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

  7. In the Member IPs section, click Modify and configure these settings:

    • Physical IPv4 address and Mask Length assigned to the applicable physical interface on each Cluster Member

    • Physical IPv6 address and Mask Length assigned to the applicable physical interface on each Cluster Member

    Important - You must define a corresponding IPv4 address for every IPv6 address. This release does not support the configuration of only IPv6 addresses.

    In addition, see Cluster IP Addresses on Different Subnets.

  8. In the Topology section, click Modify and configure these settings:

    • Leads To - one of these: Internet (External), This Network (Internal)

    • Security Zone - one of these: User defined, According to topology (ExternalZone, InternalZone)

    • Anti-Spoofing - whether to perform the Anti-Spoofing, and how to do it (Detect, Prevent)

  9. From the left navigation tree, click QoS page:

    1. In the Bandwidth section, configure these settings:

      • Inbound Active - rate limit for inbound traffic

      • Outbound Active - rate limit for outbound traffic

    2. In the DiffServ and Low Latency classes section, configure the applicable classes.

  10. From the left navigation tree, click Advanced page:

    1. In the Multicast Restrictions section, configure the applicable settings for dropping multicast packets

    2. In the Interfaces Names section, configure the names of applicable interfaces

  11. Click OK.

  12. Publish the SmartConsole session.

  13. Install the Access Control Policy on this cluster object.
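The IPv6 rules in this section can be checked against a planned address layout before it is entered in SmartConsole. The script below is an added example, not Check Point code: the dictionary schema, interface names, member names and addresses are all constructed for illustration. It flags an IPv6 address without a corresponding IPv4 address, IPv6 on a Sync interface, and IPv6 defined on only some of the Cluster Members or the cluster object.

```python
import ipaddress

def bad_format(value, version):
    """True when value is set but is not an address/mask of that IP version."""
    if value is None:
        return False
    try:
        return ipaddress.ip_interface(value).version != version
    except ValueError:
        return True

def check_interface(iface):
    """Return rule violations for one planned cluster interface (hypothetical schema)."""
    name, errors = iface["name"], []
    holders = dict(iface["members"])           # member name -> {"ipv4", "ipv6"}
    if iface.get("vip"):                       # the sample Sync entry has no cluster VIP
        holders["cluster object"] = iface["vip"]
    has_v6 = {}
    for who, addr in holders.items():
        v4, v6 = addr.get("ipv4"), addr.get("ipv6")
        for value, version in ((v4, 4), (v6, 6)):
            if bad_format(value, version):
                errors.append(f"{name}/{who}: {value!r} is not an IPv{version} address/mask")
        if v6 and not v4:
            errors.append(f"{name}/{who}: IPv6 address without a corresponding IPv4 address")
        has_v6[who] = bool(v6)
    if iface["type"] == "Sync":
        if any(has_v6.values()):
            errors.append(f"{name}: Sync interface must use IPv4 addresses only")
    elif any(has_v6.values()) and not all(has_v6.values()):
        missing = ", ".join(sorted(w for w, v in has_v6.items() if not v))
        errors.append(f"{name}: IPv6 is not defined on: {missing}")
    return errors

# Constructed sample plan; interface names, member names and addresses are made up.
PLAN = [
    {"name": "eth0", "type": "Cluster",
     "vip": {"ipv4": "192.0.2.1/24", "ipv6": "2001:db8:1::1/64"},
     "members": {"member_a": {"ipv4": "192.0.2.2/24", "ipv6": "2001:db8:1::2/64"},
                 "member_b": {"ipv4": "192.0.2.3/24", "ipv6": "2001:db8:1::3/64"}}},
    {"name": "eth1", "type": "Cluster",
     "vip": {"ipv4": "198.51.100.1/24", "ipv6": "2001:db8:2::1/64"},
     "members": {"member_a": {"ipv4": "198.51.100.2/24", "ipv6": "2001:db8:2::2/64"},
                 "member_b": {"ipv4": "198.51.100.3/24"}}},
    {"name": "eth2", "type": "Sync",
     "members": {"member_a": {"ipv4": "10.0.0.1/24", "ipv6": "2001:db8:3::1/64"},
                 "member_b": {"ipv4": "10.0.0.2/24"}}},
]

if __name__ == "__main__":
    for iface in PLAN:
        for problem in check_interface(iface):
            print(problem)
```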

Changing the Synchronization Interface

Important - Schedule a maintenance window, because changing the synchronization interface can impact the traffic.

To change the IPv4 address on the synchronization interface on Cluster Members:

  1. On each Cluster Member, change the IPv4 address on the Sync interface.

    Use Gaia Portal, or Gaia Clish.

    See the R81.20 Gaia Administration Guide.

  2. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this cluster.

  3. From the left navigation panel, click Gateways & Servers.

  4. Open the cluster object.

  5. In the Gateway Cluster Properties window, click Network Management page.

  6. Click Get Interfaces > Get Interfaces With Topology.

  7. Make sure the settings are correct.

  8. Select the Sync interface and click Edit.

  9. From the left navigation tree, click General page.

  10. In the General section, in the Network Type field, select Sync.

  11. Click OK.

  12. Publish the SmartConsole session.

  13. Install the Access Control Policy on this cluster object.

To change the synchronization interface on Cluster Members to a new interface:

  1. On each Cluster Member:

    1. Configure a new interface that you will use as a new Sync interface.

    2. Delete the IPv4 address from the old Sync interface.

    Use Gaia Portal, or Gaia Clish.

    See the R81.20 Gaia Administration Guide.

  2. Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this cluster.

  3. From the left navigation panel, click Gateways & Servers.

  4. Open the cluster object.

  5. In the Gateway Cluster Properties window, click Network Management page.

  6. Click Get Interfaces > Get Interfaces With Topology.

  7. Make sure the settings are correct.

  8. Right-click on the old Sync interface and click Delete Interface.

  9. Select the new interface and click Edit.

  10. From the left navigation tree, click General page.

  11. In the General section, in the Network Type field, select Sync.

  12. Click OK.

  13. In SmartConsole, install the Access Control Policy on this cluster object.

  14. Publish the SmartConsole session.

  15. Install the Access Control Policy on this cluster object.

Adding Another Member to an Existing Cluster

See Adding Another Member to an Existing Cluster.

Removing a Member from an Existing Cluster

See Removing a Member from an Existing Cluster.