Using the Classic Mode in SmartConsole

Step

Instructions

Connect with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that should manage this ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic..

From the left navigation panel, click Gateways & Servers.

Create a new Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. object in one of these ways:

From the top toolbar, click the New () > Cluster > Cluster.
In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > Cluster > New Cluster.
In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > Cluster > Cluster.

In the Check Point Security Gateway Creation window, click Classic Mode.

The Gateway Cluster Properties window opens.

On the General Properties page > Machine section:

In the Name field, make sure you see the configured applicable name for this ClusterXL object.
In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member Security Gateway that is part of a cluster.'s First Time Configuration Wizard.

Make sure the Security Management Server or Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. can connect to these IP addresses.

On the General Properties page > Platform section, select the correct options:

In the Hardware field:

If you install the Cluster Members on Check Point Appliances, select the correct appliances series.

If you install the Cluster Members on Open Servers, select Open server.
In the Version field, select R81.
In the OS field, select Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems..

On the General Properties page:

On the Network Security tab, make sure the ClusterXL Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. is selected.
Enable the additional applicable Software Blades on the Network Security tab and on the Threat Prevention tab.

On the Cluster Members page:

Click Add > New Cluster Member.

The Cluster Member Properties window opens.
In the Name field, enter the applicable name for this Cluster Member object.

Configure the main physical IP address(es) for this Cluster Member object.

In the IPv4 Address and IPv6 Address fields, configure the same IPv4 and IPv6 addresses that you configured on the Management Connection page of the Cluster Member's First Time Configuration Wizard.

Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.

Note - You can configure the Cluster Virtual IP address to be on a different network than the physical IP addresses of the Cluster Members. In this case, you must configure the required static routes on the Cluster Members.

Click Communication.
In the One-time password and Confirm one-time password fields, enter the same Activation Key you entered during the Cluster Member's First Time Configuration Wizard.
Click Initialize.
Click Close.
Click OK.
Repeat Steps a-h to add the second Cluster Member, and so on.

If the Trust State field does not show Trust established, perform these steps:

Connect to the command line on the Cluster Member.
Make sure there is a physical connectivity between the Cluster Member and the Management Server (for example, pings can pass).

Run:

cpconfig

Enter the number of this option:

Secure Internal Communication

Follow the instructions on the screen to change the Activation Key.
In SmartConsole, click Reset.
Enter the same Activation Key you entered in the cpconfig menu.
In SmartConsole, click Initialize.

On the ClusterXL and VRRP page:

In the Select the cluster mode and configuration section, select the applicable mode:
- High Availability and ClusterXL (seeHigh Availability and Load Sharing Modes in ClusterXL )
- Load Sharing and Multicast or Unicast (seeHigh Availability and Load Sharing Modes in ClusterXL )
- Active-Active (see Active-Active Mode in ClusterXL)
In the Tracking section, select the applicable option.
In the Advanced Settings section:

If you selected the High Availability mode, then:

Optional: Select Use State Synchronization.

This configures the Cluster Members to synchronize the information about the connections they inspect.

Best Practice - Enable this setting to prevent connection drops after a cluster failover Transferring of a control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms). Synonym: Fail-over..

Optional: Select Start synchronizing [ ] seconds after connection initiation and enter the applicable value.

This option is available only for clusters R80.20 and higher.

To prevent the synchronization of short-lived connections (which decreases the cluster performance), you can configure the Cluster Members to start the synchronization of all connections a number of seconds after they start.

Range: 2 - 60 seconds

Default: 3 seconds

Notes:

This setting in the cluster object applies to all connections that pass through the cluster.

You can override this global cluster synchronization delay in the properties of applicable services - see Configuring Services to Synchronize After a Delay.
The greater this value, the fewer short-lived connections the Cluster Members have to synchronize.
The connections that the Cluster Members did not synchronize, do not survive a cluster failover.

Best Practice - Enable and configure this setting to increase the cluster performance.

Optional: Select Use Virtual MAC.

This configure all Cluster Members to associate the same virtual MAC address with the Virtual IP address on the applicable interfaces (each Virtual IP address has its unique Virtual MAC address).

For more information, see sk50840.
Select the Cluster Member recovery method - which Cluster Member to select as Active during a fallback (return to normal operation after a cluster failover):
- Maintain current active Cluster Member
  1. The Cluster Member that is currently in the Active state, remains in this state.
  2. Other Cluster Members that return to normal operation, remain the Standby state.
- Switch to higher priority Cluster Member
  1. The Cluster Member that has the highest priority (appears at the top of the list on the Cluster Members page of the cluster object) becomes the new Active.
  2. The state of the previously Active Cluster Member changes to Standby.
  3. Other Cluster Members that return to normal operation remain the Standby state.

If you selected the Load Sharing > Multicast mode, then:

Optional: Select Use Sticky Decision Function.

This option is available only for clusters R80.10 and lower.

For more information, click the (?) button in the top right corner.

Optional: Select Start synchronizing [ ] seconds after connection initiation and enter the applicable value.

This option is available only for clusters R80.20 and higher.

Range: 2 - 60 seconds

Default: 3 seconds

Notes:

This setting in the cluster object applies to all connections that pass through the cluster.

You can override this global cluster synchronization delay in the properties of applicable services - see Configuring Services to Synchronize After a Delay.
The greater this value, the fewer short-lived connections the Cluster Members have to synchronize.
The connections that the Cluster Members did not synchronize, do not survive a cluster failover.

Best Practice - Enable and configure this setting to increase the cluster performance.

Select the connection sharing method between the Cluster Members:
- IPs, Ports, SPIs
  
  Configures each Cluster Member to inspect all connections with the same Source and Destination IP address, the same Source and Destination ports, and the same IPsec SPI numbers.
  
  This is the least "sticky" sharing configuration that provides the best sharing distribution between Cluster Members.
  
  This method decreases the probability that a certain connection passes through the same Cluster Member in both inbound and outbound directions
  
  We recommend this method.
- IPs, Ports
  
  Configures each Cluster Member to inspect all connections with the same Source and Destination IP address and the same Source and Destination ports, regardless of the IPsec SPI numbers.
  
  Use this method only if there are problems when distributing IPsec packets between Cluster Members.
- IPs
  
  Configures each Cluster Member to inspect all connections with the same Source and Destination IP address, regardless of the Source and Destination ports and IPsec SPI numbers.
  
  This is the most "sticky" sharing configuration that provides the worst sharing distribution between Cluster Members.
  
  This method increases the probability that a certain connection passes through the same Cluster Member in both inbound and outbound directions
  
  Use this method only if there are problems when distributing packets with different port numbers or distributing IPsec packets between Cluster Members.

If you selected the Load Sharing > Unicast mode, then:

Optional: Select Use Sticky Decision Function.

This option is available only for clusters R80.10 and lower.

For more information, click the (?) button in the top right corner.

Optional: Select Start synchronizing [ ] seconds after connection initiation and enter the applicable value.

This option is available only for clusters R80.20 and higher.

Range: 2 - 60 seconds

Default: 3 seconds

Notes:

This setting in the cluster object applies to all connections that pass through the cluster.

You can override this global cluster synchronization delay in the properties of applicable services - see Configuring Services to Synchronize After a Delay.
The greater this value, the fewer short-lived connections the Cluster Members have to synchronize.
The connections that the Cluster Members did not synchronize, do not survive a cluster failover.

Best Practice - Enable and configure this setting to increase the cluster performance.

Optional: Select Use Virtual MAC.

This configure all Cluster Members to associate the same virtual MAC address with the Virtual IP address on the applicable interfaces (each Virtual IP address has its unique Virtual MAC address).

For more information, see sk50840.
Select the connection sharing method between the Cluster Members:
- IPs, Ports, SPIs
  
  Configures each Cluster Member to inspect all connections with the same Source and Destination IP address, the same Source and Destination ports, and the same IPsec SPI numbers.
  
  This is the least "sticky" sharing configuration that provides the best sharing distribution between Cluster Members.
  
  This method decreases the probability that a certain connection passes through the same Cluster Member in both inbound and outbound directions
  
  We recommend this method.
- IPs, Ports
  
  Configures each Cluster Member to inspect all connections with the same Source and Destination IP address and the same Source and Destination ports, regardless of the IPsec SPI numbers.
  
  Use this method only if there are problems when distributing IPsec packets between Cluster Members.
- IPs
  
  Configures each Cluster Member to inspect all connections with the same Source and Destination IP address, regardless of the Source and Destination ports and IPsec SPI numbers.
  
  This is the most "sticky" sharing configuration that provides the worst sharing distribution between Cluster Members.
  
  This method increases the probability that a certain connection passes through the same Cluster Member in both inbound and outbound directions
  
  Use this method only if there are problems when distributing packets with different port numbers or distributing IPsec packets between Cluster Members.

On the Network Management page:

Select each interface and click Edit. The Network: <Name of Interface> window opens.
From the left tree, click the General page.

In the General section, in the Network Type field, select the applicable type:

For cluster traffic interfaces, select Cluster.

Make sure the Cluster Virtual IPv4 address and its Net Mask are correct.

For cluster synchronization interfaces, select Sync or Cluster+Sync.

Notes:

We do not recommend the configuration Cluster+Sync.
Check Point cluster supports only these settings:
- One Sync interface.
- One Cluster+Sync interface.
- One Sync interface and one Cluster+Sync interface.
For Check Point Appliances or Open Servers:

The Synchronization Network A set of interfaces on Cluster Members that were configured as interfaces, over which State Synchronization information will be passed (as Delta Sync packets ). The use of more than one Synchronization Network for redundancy is not supported because the CPU load will increase significantly due to duplicate tasks performed by all configured Synchronization Networks. Synonyms: Sync Network, Secured Network, Trusted Network. is supported only on the lowest VLAN tag of a VLAN interface.

For interfaces that do not pass the traffic between the connected networks, select Private.

In the Member IPs section, make sure the IPv4 address and its Net Mask are correct on each Cluster Member.

Notes:

For a ClusterXL in High Availability A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA. mode that is deployed in a Cloud environment (Geo Cluster A High Availability cluster mode (in versions R81.20 and higher), where cluster members are located in different cloud availability zones. This mode supports the configuration of IP addresses from different subnets on all cluster interfaces, including the Sync interfaces. The Active cluster member inspects all traffic routed to the cluster and synchronizes the recorded connections to its peer cluster members. The traffic is not balanced between the cluster members. See "High Availability".):

You can configure IP addresses that belong to different networks on cluster synchronization interfaces and on cluster traffic interfaces.
For cluster traffic interfaces, you can configure the Cluster Virtual IP address to be on a different network than the physical IP addresses of the Cluster Members. In this case, you must configure the required static routes on the Cluster Members. See Cluster IP Addresses on Different Subnets.

In the Topology section:
- Make sure the settings are correct in the Leads To and Security Zone fields.
- Make sure to enable the Anti-Spoofing.

Click OK.

Publish the SmartConsole session.