High Availability

Understanding VRRP

Virtual Router Redundancy Protocol (VRRP) is a high-availability solution in which two Gaia Security Gateways provide backup for each other. Gaia offers two ways to configure VRRP:

  • Monitored Circuit/Simplified VRRP - All the VRRP interfaces automatically monitor other VRRP interfaces.

  • Advanced VRRP - Every VRRP interface must be explicitly configured to monitor every other VRRP interface.

Important:

Virtual Router Redundancy Protocol (VRRP) provides dynamic failover of IP addresses from one router to another in the event of failure. This increases the availability and reliability of routing paths through gateway selections on an IP network. Each VRRP router has a unique identifier known as the Virtual Router Identifier (VRID), which is associated with at least one Virtual IP Address (VIP). Neighboring network nodes connect to the VIP as a next hop in a route or as a final destination. Gaia supports VRRP as configured in RFC 3768.

VRRP Terminology

The conceptual information and procedures in this chapter use standard VRRP terminology.

This glossary contains basic VRRP terminology and a reference to related Check Point ClusterXL terms.

VRRP Term (ClusterXL Term) - Definition

  • VRRP Cluster (Cluster) - A group of Security Gateways that provides redundancy.

  • VRRP Router (Member) - A Security Gateway that uses the VRRP protocol and is a member of one or more Virtual Routers. In this guide, a VRRP Router is commonly called a Security Gateway.

  • Master (Active) - The Security Gateway that handles traffic to and from a Virtual Router. The Master is the Security Gateway with the highest priority in a group. The Master inspects traffic and enforces the security policy.

  • Backup (Standby) - A redundant Security Gateway that is available to take over for the Master in the event of a failure.

  • VRID (Cluster name) - Unique Virtual Router identifier. The VRID is also the last byte of the virtual MAC address.

  • VIP (Cluster Virtual IP address) - Virtual IP address assigned to a Virtual Router. VIPs are routable from internal and/or external network resources. The VIP is called Backup Address in the Gaia Portal.

  • VMAC (VMAC) - Virtual MAC address assigned to a Virtual Router.

  • VRRP Transition (Failover) - Automatic change over to a backup Security Gateway when the primary Security Gateway fails or is unavailable. The term 'failover' is used frequently in this guide.

VRRP on Gaia OS

On Gaia, VRRP can be used with ClusterXL enabled or with ClusterXL disabled.


VRRP with ClusterXL enabled

This is the most common use case.

You can deploy only Active/Backup environments.

VRRP supports a maximum of one VRID with one Virtual IP Address (VIP) for each interface.

You must configure VRRP so that the same node is the VRRP Master for all VRIDs. Therefore, you must configure each VRID to monitor every other VRRP-enabled interface.

You must also configure priority deltas that allow a failover to the VRRP Backup node when the VRID on any one interface fails over.

VRRP with ClusterXL disabled

You can deploy an Active/Active environment.

You can configure two VRIDs on the same interface, with one VIP for each VRID.

This configuration supports only static routes on the VRRP interfaces.

You must disable the VRRP monitoring of the Check Point Firewall (see Preparing a VRRP Cluster).

VRRP Configuration Methods


Monitored Circuit/Simplified VRRP

To configure this simplified VRRP method, in the Gaia Portal go to High Availability > VRRP.

This method contains all of the basic parameters, and is applicable for most environments.

You configure each Virtual Router as one unit and configure the same VRID on all interfaces.

Monitored Circuit VRRP automatically monitors all VRRP interfaces. This makes a complete node failover possible.

You can configure only one VRID, which is automatically added to all the VRRP interfaces.

If the VRID on any of the VRRP-enabled interfaces fails, the configured priority delta is decremented on the other VRRP-enabled interfaces to allow the VRRP Backup node to take over as the new VRRP Master.

Advanced VRRP

To configure this advanced VRRP method, in the Gaia Portal go to High Availability > Advanced VRRP.

This method allows configuration of different VRIDs on different interfaces.

You configure a VRID on each interface individually. In addition, each VRRP-enabled interface must be monitored by each VRID, together with an appropriate priority delta. This ensures that when one interface fails, all the other VRIDs can transition to the VRRP Backup state.

  • With ClusterXL enabled, you must configure each VRID to monitor every other VRRP interface.

    You must also configure priority deltas that allow complete node failover.

    Advanced VRRP also makes it possible for a VRID to monitor interfaces that do not run VRRP.

  • With ClusterXL disabled, you can configure two VRIDs on each interface, with one VIP for each VRID.

Monitoring of VRRP Interfaces

The monitoring of all VRRP-enabled interfaces by all VRIDs is important to avoid connection issues with asymmetric routes.

For example, when an external interface fails, the VRRP Master fails over only for the external Virtual Router. The VRRP Master for the internal Virtual Router does not fail over. This can cause connectivity problems when the internal Virtual Router accepts traffic and is unable to connect to the new external VRRP Master.

Another tool for avoiding asymmetric routing issues during transitions is the VRRP interface delay setting. Configure this when VRRP Preempt Mode is turned off. This VRRP global setting is useful when the VRRP node with the higher priority is rebooted but must not preempt the existing VRRP Master, which handles the traffic but is configured with a lower priority. Sometimes interfaces that come up take longer than the VRRP timeout to process incoming VRRP Hello packets. The interface delay extends the time that VRRP waits to receive VRRP Hello packets from the existing VRRP Master.

How VRRP Failover Works

Each Virtual Router (VRRP Group) is identified by a unique Virtual Router ID (VRID).

A Virtual Router contains one VRRP Master Security Gateway and at least one VRRP Backup Security Gateway.

The VRRP Master sends periodic VRRP advertisements (known as VRRP Hello messages) to the VRRP Backup Security Gateways.

VRRP advertisements broadcast the operational status of the VRRP Master to the VRRP Backup.
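The advertisements described above have the fixed layout of RFC 3768, which the chapter names as the VRRP version Gaia implements. The following Python is an added example, not Check Point or Gaia code: it builds and parses a VRRPv2 advertisement, verifies the one's complement checksum, and rejects anything a receiver must discard (wrong version or type, truncated address list, bad checksum). It is useful when checking on the wire which node currently claims the Master role for a VRID and with what priority. The sample packet bytes, VRID, priority and VIP are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

VRRP_VERSION = 2              # RFC 3768
VRRP_TYPE_ADVERTISEMENT = 1   # the only message type defined by RFC 3768
AUTH_DATA_LEN = 8             # authentication data is carried but unused (auth type 0)


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of `data`.

    Over a packet whose checksum field is already filled in, the result is 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """Build a VRRPv2 advertisement with authentication type 0 (no authentication)."""
    addrs = b"".join(IPv4Address(v).packed for v in vips)
    header = struct.pack("!BBBBBBH",
                         (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                         vrid, priority, len(addrs) // 4, 0, adver_int, 0)
    body = header + addrs + bytes(AUTH_DATA_LEN)
    checksum = ones_complement_checksum(body)      # computed with the field zeroed
    return body[:6] + struct.pack("!H", checksum) + body[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Parse a VRRPv2 advertisement; raise ValueError for anything a receiver must drop."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION:
        raise ValueError(f"unsupported VRRP version {vt >> 4}")
    if vt & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError(f"unknown VRRP message type {vt & 0x0F}")
    if len(pkt) < 8 + 4 * count + AUTH_DATA_LEN:
        raise ValueError("packet shorter than Count IP Addrs implies")
    if ones_complement_checksum(pkt) != 0:
        raise ValueError("bad VRRP checksum")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {
        "vrid": vrid,
        "priority": priority,          # 255 = address owner, 0 = Master is shutting down
        "vips": vips,
        "adver_int": adver_int,        # seconds between Hello messages
        "auth_type": auth_type,
        "master_shutdown": priority == 0,
    }


def is_valid_advertisement(pkt: bytes) -> bool:
    """True if the packet would be accepted by a conforming receiver."""
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False


# Constructed sample: VRID 10, priority 100, one VIP 192.168.1.1, 1-second interval.
SAMPLE_ADVERTISEMENT = bytes.fromhex(
    "21 0a 64 01 00 01 b9 49"   # ver/type, VRID, priority, count, auth type, adver int, checksum
    "c0 a8 01 01"               # IP address (1)
    "00 00 00 00 00 00 00 00"   # authentication data (zero)
)

if __name__ == "__main__":
    print(parse_advertisement(SAMPLE_ADVERTISEMENT))
```

A captured advertisement whose priority byte has been changed without recomputing the checksum fails the checksum test and is discarded, which is exactly what a Backup is required to do; a priority of 0 is the Master's announcement that it is leaving the group.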

Gaia uses dynamic routing protocols to advertise the VIP of the Virtual Router (Virtual IP address or Backup IP address).

Notes:

  • Gaia supports OSPF on VPN tunnels that terminate at a VRRP group.

  • Active/Backup VRRP environments are supported with ClusterXL enabled.

    If ClusterXL is disabled, Active/Active environments can be deployed.

  • Active/Active VRRP environments support only static routes. In addition, you must disable the monitoring of the Check Point Firewall by VRRP.

If the VRRP Master fails, or its VRRP-enabled interfaces fail, VRRP uses a priority algorithm to decide whether failover to a VRRP Backup is necessary. Initially, the VRRP Master is the Security Gateway that has the highest configured priority value. You configure a priority for each Security Gateway when you create a Virtual Router or change its configuration. If two VRRP Security Gateways have the same priority value, the platform that comes online and broadcasts its VRRP advertisements first becomes the VRRP Master.

Gaia also uses priorities to select a VRRP Backup Security Gateway upon failover (when more than one VRRP Backup is available). In the event of failover, the Virtual Router priority value is decreased by a predefined Priority Delta value to calculate an Effective Priority value. The Virtual Router with the highest effective priority becomes the new VRRP Master. The Priority Delta value is a Check Point proprietary parameter that you set when you configure a Virtual Router. If you configure your system correctly, the effective priority will be lower than the VRRP Backup Security Gateway priority in the other Virtual Routers. This causes the problematic VRRP Master to fail over for the other Virtual Routers as well.

Note - If the effective priority for the current VRRP Master and VRRP Backup are the same, the Security Gateway with the highest IP address becomes the VRRP Master.
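The election rules in this section, together with the asymmetric-routing scenario from "Monitoring of VRRP Interfaces", can be worked through in code. The Python below is an added example and not Check Point or Gaia code: it models two gateways with an external VRID 10 on eth0 and an internal VRID 20 on eth1, subtracts the Priority Delta of every failed monitored interface to get the effective priority, elects the highest effective priority, and applies the highest-IP-address tie-break from the note above. Gateway names, addresses, interface names, priorities and deltas are constructed; the model deliberately leaves out timers and the "first to come online" rule.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set


@dataclass
class VirtualRouter:
    """One VRID as configured on a single gateway."""
    vrid: int
    interface: str                     # interface that carries this VRID's VIP
    priority: int                      # configured priority on this gateway
    # Other interfaces this VRID monitors, mapped to the Priority Delta that is
    # subtracted from the configured priority when that interface fails.
    monitored: Dict[str, int] = field(default_factory=dict)


@dataclass
class Gateway:
    name: str
    address: IPv4Address               # used only by the tie-break rule
    vrouters: Dict[int, VirtualRouter]
    failed: Set[str] = field(default_factory=set)   # interfaces currently down

    def effective_priority(self, vrid: int) -> int:
        """Configured priority minus the delta of every failed monitored interface."""
        vr = self.vrouters[vrid]
        delta = sum(d for iface, d in vr.monitored.items() if iface in self.failed)
        return max(vr.priority - delta, 0)

    def eligible(self, vrid: int) -> bool:
        """A gateway whose own interface for the VRID is down cannot be its Master."""
        return self.vrouters[vrid].interface not in self.failed


def elect_master(gateways: List[Gateway], vrid: int) -> Optional[str]:
    """Highest effective priority wins; equal priorities go to the highest IP address."""
    candidates = [gw for gw in gateways if gw.eligible(vrid)]
    if not candidates:
        return None
    best = max(candidates, key=lambda gw: (gw.effective_priority(vrid), int(gw.address)))
    return best.name


def build_gateway(name: str, address: str, priority: int, delta: int) -> Gateway:
    """Constructed sample: VRID 10 on external eth0, VRID 20 on internal eth1.

    delta == 0 means the two VRIDs do not monitor each other's interface.
    """
    return Gateway(name, IPv4Address(address), {
        10: VirtualRouter(10, "eth0", priority, {"eth1": delta} if delta else {}),
        20: VirtualRouter(20, "eth1", priority, {"eth0": delta} if delta else {}),
    })


def simulate(delta: int, failed_on_a=frozenset()) -> Dict[int, Optional[str]]:
    """Return the Master of each VRID after the given interfaces fail on GW-A."""
    gw_a = build_gateway("GW-A", "10.0.0.1", 100, delta)   # preferred Master
    gw_b = build_gateway("GW-B", "10.0.0.2", 90, delta)
    gw_a.failed = set(failed_on_a)
    return {vrid: elect_master([gw_a, gw_b], vrid) for vrid in (10, 20)}


if __name__ == "__main__":
    print("healthy:                 ", simulate(20))
    print("eth0 down, no monitoring:", simulate(0, {"eth0"}))   # VRID 20 stays on GW-A: asymmetric
    print("eth0 down, delta 5:      ", simulate(5, {"eth0"}))   # delta too small, still asymmetric
    print("eth0 down, delta 20:     ", simulate(20, {"eth0"}))  # complete node failover
```

The delta-5 case is the misconfiguration the text warns about: GW-A's effective priority for VRID 20 drops to 95, which is still above GW-B's 90, so the internal Virtual Router keeps accepting traffic on a node whose external side has already failed over. A delta larger than the priority gap between the two nodes (20 here) moves every VRID together.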

Typical VRRP Use Cases

These are examples of some VRRP environments.