Example of Cluster IP Addresses on Different Subnets
In this example, a cluster (two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing) separates the network 172.16.6.0 / 24 (Side "A", External) from the network 172.16.4.0 / 24 (Side "B", Internal).
The Cluster Members use these IP addresses:

| Side / Interface | Network IP Address | IP Addresses on Member_1 | IP Addresses on Member_2 |
|---|---|---|---|
| Side "A" (External) | 192.168.1.0 / 24 | Real IP address 192.168.1.1 / 24 | Real IP address 192.168.1.2 / 24 |
| Side "A" (External) | 172.16.6.0 / 24 | Cluster VIP address 172.16.6.100 / 24 | Cluster VIP address 172.16.6.100 / 24 |
| Side "B" (Internal) | 192.168.2.0 / 24 | Real IP address 192.168.2.1 / 24 | Real IP address 192.168.2.2 / 24 |
| Side "B" (Internal) | 172.16.4.0 / 24 | Cluster VIP address 172.16.4.100 / 24 | Cluster VIP address 172.16.4.100 / 24 |
| Cluster Sync | 192.168.3.0 / 24 | Real IP address 192.168.3.1 / 24 | Real IP address 192.168.3.2 / 24 |
Procedure:

- On the Cluster Members, configure interfaces and static routes

  On each Cluster Member (a Security Gateway that is part of a cluster), configure the interfaces and these static routes:

  - Next hop gateway for the external network 172.16.6.0 is the local interface eth0 with the IP address 192.168.1.x
  - Next hop gateway for the internal network 172.16.4.0 is the local interface eth1 with the IP address 192.168.2.x

  Important - You must enable the scopelocal attribute on these static routes. See the R81.20 Gaia Administration Guide > Chapter Network Management > Section IPv4 Static Routes.

  Member_1 (the IP address on the interface eth0 is already configured):

      set static-route 172.16.6.0/24 nexthop gateway logical eth0 on
      set static-route 172.16.6.0/24 scopelocal on
      set interface eth1 ipv4-address 192.168.2.1 mask-length 24
      set interface eth1 state on
      set static-route 172.16.4.0/24 nexthop gateway logical eth1 on
      set static-route 172.16.4.0/24 scopelocal on
      set interface eth2 ipv4-address 192.168.3.1 mask-length 24
      set interface eth2 state on
      save config

  Member_2:

      set static-route 172.16.6.0/24 nexthop gateway logical eth0 on
      set static-route 172.16.6.0/24 scopelocal on
      set interface eth1 ipv4-address 192.168.2.2 mask-length 24
      set interface eth1 state on
      set static-route 172.16.4.0/24 nexthop gateway logical eth1 on
      set static-route 172.16.4.0/24 scopelocal on
      set interface eth2 ipv4-address 192.168.3.2 mask-length 24
      set interface eth2 state on
      save config
- In SmartConsole, open the cluster object

  - Connect with SmartConsole to the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server).
  - From the left navigation panel, click Gateways & Servers.
  - Open the cluster object.
  - From the left tree, click Network Management.

  Important - In the configuration of Cluster IP addresses on different subnets, the operation Get Interfaces > Get Interfaces with Topology does not detect the interface topology (External, Internal). You must configure the required topology manually.
- Configure the external cluster interface 'eth0'

  - Select the external cluster interface eth0 and click Edit. (A cluster interface is an interface on a Cluster Member whose Network Type was set as Cluster in the cluster object in SmartConsole. The cluster monitors this interface, and a failure on it causes a cluster failover.)
  - In the General section, configure these settings:

    | Field | Value |
    |---|---|
    | Network Type | Cluster |
    | IPv4 | 172.16.6.100 / 24 |

  - In the Member IPs section, click Modify and configure these settings:

    | Field | Value |
    |---|---|
    | 'Member_1' IPv4 | 192.168.1.1 / 24 |
    | 'Member_2' IPv4 | 192.168.1.2 / 24 |

  - In the Topology section, click Modify.
  - Select Override.
  - Select This Network (Internal).
  - Select Specific.
  - Click in the drop-down field > in the top right corner, click New > click Network Group.
  - Configure a new Network Group object that contains the networks of Side "A":
    - Enter the object name. For example: SideA_All_Networks_eth0
    - Configure a Network object for the real IP addresses of the interfaces connected to Side "A" (192.168.1.0 / 24):
      - Click [+] > at the top right corner, click (New) > click Network.
      - Enter an object name. For example: SideA_Real_Network_eth0
      - In the Network address field, enter 192.168.1.0
      - In the Net mask field, enter 255.255.255.0
      - Click OK to close the New Network window.
    - Configure a Network object for the network of the Cluster VIP address on Side "A" (172.16.6.0 / 24):
      - Click [+] > at the top right corner, click (New) > click Network.
      - Enter an object name. For example: SideA_VIP_Network_eth0
      - In the Network address field, enter 172.16.6.0
      - In the Net mask field, enter 255.255.255.0
      - Click OK to close the New Network window.
    - Click OK to close the New Network Group window.
  - The field Specific now shows the object SideA_All_Networks_eth0.
  - Click OK to close the Topology Settings window for eth0.
  - Click OK to close the Network: eth0 window.
- Configure the internal cluster interface 'eth1'

  - Select the internal cluster interface eth1 and click Edit.
  - In the General section, configure these settings:

    | Field | Value |
    |---|---|
    | Network Type | Cluster |
    | IPv4 | 172.16.4.100 / 24 |

  - In the Member IPs section, click Modify and configure these settings:

    | Field | Value |
    |---|---|
    | 'Member_1' IPv4 | 192.168.2.1 / 24 |
    | 'Member_2' IPv4 | 192.168.2.2 / 24 |

  - In the Topology section, click Modify.
  - Select Override.
  - Select This Network (Internal).
  - Select Specific.
  - Click in the drop-down field > in the top right corner, click New > click Network Group.
  - Configure a new Network Group object that contains the networks of Side "B":
    - Enter the object name. For example: SideB_All_Networks_eth1
    - Configure a Network object for the real IP addresses of the interfaces connected to Side "B" (192.168.2.0 / 24):
      - Click [+] > at the top right corner, click (New) > click Network.
      - Enter an object name. For example: SideB_Real_Network_eth1
      - In the Network address field, enter 192.168.2.0
      - In the Net mask field, enter 255.255.255.0
      - Click OK to close the New Network window.
    - Configure a Network object for the network of the Cluster VIP address on Side "B" (172.16.4.0 / 24):
      - Click [+] > at the top right corner, click (New) > click Network.
      - Enter an object name. For example: SideB_VIP_Network_eth1
      - In the Network address field, enter 172.16.4.0
      - In the Net mask field, enter 255.255.255.0
      - Click OK to close the New Network window.
    - Click OK to close the New Network Group window.
  - The field Specific now shows the object SideB_All_Networks_eth1.
  - Click OK to close the Topology Settings window for eth1.
  - Click OK to close the Network: eth1 window.
- Configure the sync interface 'eth2'

  - Select the sync cluster interface eth2 and click Edit.
  - In the General section, configure these settings:

    | Field | Value |
    |---|---|
    | Network Type | Sync |

  - In the Member IPs section, click Modify and configure these settings:

    | Field | Value |
    |---|---|
    | 'Member_1' IPv4 | 192.168.3.1 / 24 |
    | 'Member_2' IPv4 | 192.168.3.2 / 24 |

  - Click OK to close the Network: eth2 window.
  - Click OK to close the Gateway Cluster Properties window.
- Install the Access Control Policy

  - Publish the SmartConsole session.
  - Install the Access Control Policy on this cluster object.
- Configure the default gateway on hosts located on Side "A"

  The default gateway on all hosts on Side "A" must be 172.16.6.100 / 24.

- Configure the default gateway on hosts located on Side "B"

  The default gateway on all hosts on Side "B" must be 172.16.4.100 / 24.
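The layout above has three places where a mistake silently breaks the cluster: a member real IP outside its real subnet, a VIP-subnet static route that is missing or lacks scopelocal, and a Topology Network Group that omits one of the two subnets. The following checker, an added example that is not part of the Check Point guide, models this page's interfaces and routes as plain data (constructed from the table and clish commands above) and reports every inconsistency, so the plan can be reviewed before it is typed into clish and SmartConsole.

```python
import ipaddress

# Constructed from the table on this page: one entry per cluster interface.
CLUSTER_INTERFACES = {
    "eth0": {"real_net": "192.168.1.0/24", "vip": "172.16.6.100/24",
             "members": {"Member_1": "192.168.1.1", "Member_2": "192.168.1.2"},
             "topology_group": ["192.168.1.0/24", "172.16.6.0/24"]},
    "eth1": {"real_net": "192.168.2.0/24", "vip": "172.16.4.100/24",
             "members": {"Member_1": "192.168.2.1", "Member_2": "192.168.2.2"},
             "topology_group": ["192.168.2.0/24", "172.16.4.0/24"]},
}

# Static routes from the clish commands above: (prefix, interface, scopelocal).
MEMBER_ROUTES = {
    "Member_1": [("172.16.6.0/24", "eth0", True), ("172.16.4.0/24", "eth1", True)],
    "Member_2": [("172.16.6.0/24", "eth0", True), ("172.16.4.0/24", "eth1", True)],
}

def check_interface(name, cfg, member_routes):
    """Return the problems found for one cluster interface (empty when consistent)."""
    problems = []
    real_net = ipaddress.ip_network(cfg["real_net"])
    vip_net = ipaddress.ip_interface(cfg["vip"]).network
    for member, ip in cfg["members"].items():
        # Each member's real IP must sit in the real subnet of this interface.
        if ipaddress.ip_address(ip) not in real_net:
            problems.append(f"{name}: {member} real IP {ip} is outside {real_net}")
        # The VIP subnet is not directly connected, so the member needs a static
        # route for it via this interface, and that route must be scopelocal.
        routes = [r for r in member_routes.get(member, [])
                  if ipaddress.ip_network(r[0]) == vip_net and r[1] == name]
        if not routes:
            problems.append(f"{name}: {member} has no static route for {vip_net}")
        elif not routes[0][2]:
            problems.append(f"{name}: {member} route for {vip_net} lacks scopelocal")
    # The Topology 'Specific' Network Group must cover both the real subnet
    # and the VIP subnet, or the cluster's topology is incomplete.
    group = {ipaddress.ip_network(n) for n in cfg["topology_group"]}
    for needed in (real_net, vip_net):
        if needed not in group:
            problems.append(f"{name}: topology Network Group is missing {needed}")
    return problems

def check_cluster(interfaces=CLUSTER_INTERFACES, member_routes=MEMBER_ROUTES):
    """Check every cluster interface and return all problems found."""
    problems = []
    for name, cfg in interfaces.items():
        problems.extend(check_interface(name, cfg, member_routes))
    return problems
```

Running check_cluster() on the data as given returns an empty list; dropping scopelocal from a route or a subnet from a Network Group produces one message per defect naming the interface and member.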