Preparing a VRRP Cluster

Configuring Network Switches

Best Practice - If you use the Spanning Tree protocol on Cisco switches connected to Check Point VRRP clusters, we recommend that you enable PortFast. It sets interfaces to the Spanning Tree forwarding state, which prevents them from waiting for the standard forward-time interval.

If you use switches from a different vendor, we recommend that you use the equivalent feature for that vendor. If you use the Spanning Tree protocol without PortFast, or its equivalent, you may see delays during VRRP failover.

Preparing VRRP Cluster Members

Step

Instructions

1

Install the VRRP ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members

See the R81 Installation and Upgrade Guide > Chapter Installing a ClusterXL, VSX Cluster, VRRP Cluster > Section Installing a VRRP Cluster..

2

Synchronize the system time on the VRRP Cluster Members.

Best Practice - Enable NTP (Network Time Protocol) on all Security Gateways (see Time).

You can also manually change the time and time zone on each Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to match the other members.

In this case, you must synchronize member times to within a few seconds.

3

Optional: Add host names and IP address pairs to the host table on each Security Gateway (see Hosts).

This lets you use host names as an alternative to IP addresses or DNS servers.

4

Enable Virtual Routers:

  1. With a web browser, connect to Gaia PortalClosed Web interface for the Check Point Gaia operating system. at:

    https://<IP address of Gaia Management Interface>

    If you changed the default port of GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Portal from 443, then you must also enter it (https://<IP address>:<Port>).

  2. In the navigation tree, click High Availability > VRRP.

  3. Configure the VRRP Global Settings.

    See the section "Configuring Global Settings for VRRP" below.

  4. If the Disable All Virtual Routers option is currently selected, clear it.

  5. Click Apply Global Settings.

5

Configure your Virtual Routers in either Gaia Portal, or Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

See:

Configuring Global Settings for VRRP

This section shows you how to configure the global settings that apply to all Virtual Routers.

Step

Instructions

1

In the navigation tree, click one of these:

  • High Availability > VRRP.

  • High Availability >Advanced VRRP.

2

In the VRRP Global Settings section:

  • Cold Start Delay - Configures the delay period in seconds before a Security Gateway joins a Virtual Router. Default = 0.

  • Interface Delay - Configure this when the Preempt Mode of VRRP was turned off. This is useful when the VRRP node with a higher priority is rebooted, but must not preempt the existing VRRP Master that is handling the traffic, but is configured with a lower priority. Sometimes interfaces that come up take longer than the VRRP timeout to process incoming VRRP Hello packets. The Interface Delay extends the time that VRRP waits to receive Hello packets from the existing VRRP Master.

  • Disable All Virtual Routers - Select this option to disable all Virtual Routers defined on this Gaia system. Clear this option to enable all Virtual Routers. By default, all Virtual Routers are enabled.

  • Monitor Firewall State - Select this option to let VRRP monitor the Security Gateway and automatically take appropriate action. This is enabled by default, which is the recommended setting when using VRRP with ClusterXL enabled. This must be disabled when using VRRP with ClusterXL disabled.

    Important - If you disable Monitor Firewall State, VRRP can assign VRRP Master status to a Security Gateway before it completes the boot process. This can cause more than one Security Gateway in a Virtual Router to have VRRP Master status.

3

Click Apply Global Settings.

Gaia starts to monitor the Firewall after the cold start delay completes.

This can cause some problems:

  • If all the interfaces in a Virtual Router fail, all VRRP Cluster Members become VRRP Backups.

    None of the VRRP Cluster Members can become the VRRP Master and no traffic is allowed.

  • If you change the time on any of the VRRP Cluster Members, a VRRP failover occurs automatically.

  • In certain situations, installing a policy causes a failover.

    This can happen if it takes a long time to install the policy.