Configuring Bond High Availability Mode

This section explains how to configure High Availability on a bond interface.

Run the CLI commands from the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. (VS0) context.

In a VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., run these commands on each VSX Cluster Member Security Gateway that is part of a cluster..

Use the "active-backup" value for the "mode" parameter to configure High Availability.

Configuring the High Availability Bond

This is a workflow of CLI commands to configure Link Aggregation in High Availability mode.

Notes:

For exact commands, see R81 Gaia Administration Guide.
When you are enslaving configured interfaces, make sure that these interfaces are not used in other configurations and that IP addresses are not assigned to them.

To configure the Link Aggregation in High Availability mode:

Add the bonding group.
Add subordinate interfaces to the bonding group.
Make sure that the bond is configured correctly.
Open SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. and configure the cluster object.
- For a new Link Aggregation installation, create a new cluster object.
- For updating an existing configuration, update the interface topology.

Updating the Interface Topology

When you are updating an existing configuration to Link Aggregation, it is necessary to reconfigure the applicable objects to connect to the newly created bond. This includes Virtual Systems, Virtual Routers and Virtual Switches. You can perform these actions in SmartConsole. In most cases, these definitions can be found in the object Properties window.

For large existing VSX deployments containing many Domain Management Servers and Virtual Devices, use the "vsx_util change_interfaces" command on the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. to reconfigure existing object topologies. For example, in a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. deployment with 200 Domains, each with many Virtual Devices, it is faster to use the "vsx_util change_interfaces" command. This command automatically replaces the interface with the new bond on all applicable objects.

Reconfiguring the Bond

To configure the newly created bond for a cluster:

Connect with SmartConsole to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Main Domain Management Server that manages the VSX Cluster.
Delete the subordinate interfaces from the bond that you are not using.
1. From the navigation tree, click Topology.
2. From the navigation tree, click Physical Interfaces.
3. Select the subordinate interface, and click Remove.
4. Click OK.
5. Do these steps again for all the subordinate interfaces.
From Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). on each VSX Cluster Member, create the new bond interface.
Connect with SmartConsole to the Security Management Server or Main Domain Management Server that manages the VSX Cluster.
From the Gateways & Servers view or Object Explorer, double-click the VSX Cluster object.
From the left navigation tree, click Physical Interfaces.
Click Add, and configure the bond interface.

The Physical Interface Properties window opens.
1. Enter the bond name.
2. If the bond is a VLAN trunk, select VLAN Trunk.
3. Click OK.
From the left navigation tree, click Topology.
Do these steps for each interface that you are adding to the bond:
1. Double-click the interface.
  
  The Interface Properties window opens.
2. From Interface, select the bond interface.
3. Click OK.
Install the VSX Policy (<Name of VSX Cluster Object>_VSX) on the VSX Cluster object.

Reconfiguring Topology with 'vsx_util change_interfaces'

Important - In a Multi-Domain Server environment, all Domain Management Servers must be unlocked in order for this operation to succeed. Meaning, you need to disconnect all SmartConsole clients from all Domain Management Servers.

To reconfigure objects with the "vsx_util change_interfaces" command:

Close SmartConsole windows for the Security Management Server and all Domain Management Servers that use the designated interface.
Connect to the command line on the Management Server.
Log in to the Expert mode..
Run the "vsx_util change_interfaces" command and follow the on-screen instructions:
1. Enter the IP address of the Security Management Server or Main Domain Management Server.
2. Enter the management administrator name and password.
3. Select VSX Cluster object.
4. Select Apply changes to the management database and to the VSX Gateway/Cluster members immediately.
5. When prompted, select the interface to be replaced.
6. When prompted, select the replacement bond interface.
7. If you wish to replace additional interfaces, enter "y" when prompted and repeat the above steps.
8. To complete the process, enter "n".