Modifying a VSX Cluster Definition
After you create a cluster (two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing) with the wizard, you can change the topology and other parameters in the Cluster Members Properties window. This window lets you configure many advanced features that are not available in the wizard.
VSX (Virtual System Extension) is the Check Point virtual networking solution: a computer or cluster hosts virtual abstractions of Check Point Security Gateways and other network devices, and these Virtual Devices provide the same functionality as their physical counterparts. To work with a VSX Cluster definition, double-click a cluster object in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies and devices, monitor products and events, install updates, and so on). The VSX Cluster Properties window opens.
You can define most cluster objects with SmartConsole. Some features or properties must be configured with CLI commands.
A brief explanation of each definition page follows. More detailed explanations of features that are not specific to VSX (NAT, IPS, VPN, etc.; IPS is the Intrusion Prevention System Software Blade that inspects and analyzes packets and data on a Security Gateway for numerous types of risks) are available in the online help or in the applicable product documentation.
General Properties
See the General Properties page to view general properties and to activate Software Blades for use with this VSX Cluster.
You can modify the following properties:
- Comment: Free text comment that appears in the Object List and elsewhere
- Color: Color of the object icon as it appears in SmartConsole
- Network Security: Select Software Blades on this VSX Cluster and its Cluster Members
VSX Cluster Members
The Cluster Members page lets you view and modify several properties for individual VSX Cluster Members, including IP addresses for Cluster Members and the Internal Communication Network.
Gateway VSX Cluster Member List
The Cluster Members page shows all the VSX Cluster Members.
To edit a VSX Cluster Member:
From the Cluster Members page, select a VSX Cluster Member (a Security Gateway that is part of a cluster) and click Edit.
The Cluster Member Properties window opens. These are the settings that you can edit:
- General tab:
  - Comment: Free text comment that appears in the Object List and elsewhere
  - Color: Color of the object icon as it appears in SmartConsole
  - Secure Internal Communication: Check and reset SIC trust. SIC (Secure Internal Communication) is the Check Point proprietary mechanism with which computers that run Check Point software authenticate each other over SSL for secure communication; the authentication is based on certificates issued by the ICA on a Check Point Management Server.
- Topology tab: Displays the Cluster Member IP address and Net Mask for each interface. Double-click an interface to see its properties.
- NAT tab: Define NAT rules for VSX Cluster Members connected to a Virtual Router (a Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical router; acronym: VR).
- VPN tab: Contains a variety of configuration properties for Site-to-Site VPN deployments. This tab is available only if IPsec VPN is enabled on the General Properties page. For more about VPN concepts and configurations, see the R81 Site to Site VPN Administration Guide.
Where Used
Click Where used to show information about the selected member in the objects database.
- Name: Cluster name.
- Table: Name of the table in the database under which the selected object is listed.
- Is removable: Specifies whether or not you are allowed to remove the selected object. If the object is not removable and you nevertheless remove it, this impacts the database or Rule Base (all rules configured in a given Security Policy; synonym: Rulebase).
- Refresh: Click to update the window display if you make changes.
- Context: Where the object is used.
Internal IP Address and Net Mask
VSX creates an internal communication network and automatically assigns it an IP address and net mask from a predefined pool. You can change this IP address here if you have not yet defined a Virtual System (a Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway; acronym: VS). Although traffic from this address is never sent to any networks, you must ensure that this IP address is unique and not in use anywhere on your defined network.
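The uniqueness requirement above is easy to get wrong by hand once a deployment has many Virtual Devices. The following added example (not Check Point code, and not part of this guide) checks a candidate internal communication network against a constructed inventory of already-defined networks and interface addresses using Python's standard ipaddress module; the network names and addresses are illustrative assumptions.

```python
import ipaddress

# Constructed sample inventory (illustrative, not from the guide): networks
# and interface addresses already defined on the VSX Cluster's Virtual Devices.
DEFINED_NETWORKS = [
    "10.0.0.0/24",      # internal LAN behind VS1
    "192.168.50.0/24",  # DMZ behind VS2
    "203.0.113.0/28",   # external interface network
]
DEFINED_HOST_IPS = [
    "10.0.0.1",         # VS1 internal interface
    "192.168.50.1",     # VS2 DMZ interface
    "203.0.113.2",      # external interface
]


def internal_net_conflicts(internal_net, networks=DEFINED_NETWORKS, hosts=DEFINED_HOST_IPS):
    """Return every defined network that overlaps the candidate internal
    communication network, followed by every defined host address that falls
    inside it. An empty list means the candidate is unique in the inventory."""
    candidate = ipaddress.ip_network(internal_net, strict=False)
    conflicts = []
    for net in networks:
        defined = ipaddress.ip_network(net, strict=False)
        if candidate.overlaps(defined):
            conflicts.append(str(defined))
    for host in hosts:
        if ipaddress.ip_address(host) in candidate:
            conflicts.append(host)
    return conflicts


def check_internal_net(internal_net):
    """Human-readable verdict for one candidate network."""
    conflicts = internal_net_conflicts(internal_net)
    if conflicts:
        return f"{internal_net}: already in use by {', '.join(conflicts)}"
    return f"{internal_net}: unique, safe to use"


if __name__ == "__main__":
    # Constructed candidates: one free, one colliding with the internal LAN.
    print(check_internal_net("192.168.196.0/24"))
    print(check_internal_net("10.0.0.0/28"))
```

Run the check before changing the address in the Cluster Member Properties window or with vsx_util change_private_net; feed it the networks and interface addresses from your own topology export rather than the constructed lists.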
ClusterXL
To manage state synchronization, open the ClusterXL window, or run the vsx_util command on the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server).
- Enable or disable state synchronization.
- Select tracking options for VSX Cluster Member state changes.
All other ClusterXL configuration properties are disabled.
Physical Interfaces
The Physical Interfaces page allows you to add or delete a physical interface on the VSX Gateway (the physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices; it holds at least one Virtual System, which is called VS0), and to define interfaces to be used as VLAN trunks.
- To add a new physical interface, click Add and enter the interface name in the appropriate field.
- To define an interface as a VLAN trunk, select the applicable interface and enable the VLAN Trunk option. To disable a VLAN trunk, clear the option.
Synchronization
The Synchronization window displays the state synchronization network. There are no configurable properties.
Topology
On the Topology page, you can see and configure interface and routing definitions.
Interfaces
The Interfaces section defines interfaces and links to devices. You can add new interfaces as well as delete and modify existing interfaces.
To add an interface:
- Click New and select one of these options:
  - Regular - Create a new interface
  - State Synchronization
  - Leads to Virtual Router
  - Leads to Virtual Switch
  The Interface Properties window opens.
- Define the appropriate properties.
- Click OK.
Click Actions > Copy to Clipboard to copy the Interfaces table in CSV format.
To change an interface:
- Double-click an interface.
  The Interface Properties window opens.
- Change the parameters for the interface.
- Click OK.
To delete an interface:
- From the Topology page, select the interface and click Delete.
- Click OK.
Routes
The Routes section of the Topology window defines routes between network devices, network addresses, and Virtual Devices. Some routes are defined automatically based on the interface definitions. You can add, change, and delete routes.
To add a default route to the routing table:
- Click Add Default Route.
  The Default Gateway window opens.
- Enter the default route IP address or select the default Virtual Router.
- Click OK.
  The default route is added to the routing table.
- Select the default route and click Edit.
  The Route Configuration window opens.
- Configure the settings for the default route.
- Click OK.
To add a new route to the routing table:
- Click Add.
  The Route Configuration window opens.
- Configure the Destination IP address and netmask.
- Configure the next hop IP address or Virtual Router.
- Optional: Select Propagate route to adjacent Virtual Devices to "advertise" the route to neighboring Virtual Devices and enable connectivity between them.
- Click OK.
To change a route:
- Select the route.
- Click Edit.
  The Route Configuration window opens.
- Change the settings.
- Click OK.
To delete a route:
- Select the route.
- Click Remove.
  A confirmation window opens.
- Click OK.
Calculating Topology Automatically Based on Routing Information
Enable this option to allow VSX to automatically calculate the network topology based on interface and routing definitions (enabled by default). VSX creates automatic links, or connectivity cloud objects linked to existing internal or external networks.
- This option is not available in Bridge mode (a Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology).
- When employing dynamic routing, it is recommended to disable this option.
VPN Domain
The VPN Domain section in the Topology page defines the set of hosts that use a VPN tunnel to communicate with peer Virtual Systems.
Define a VPN Domain to include a Virtual Device (a logical object that emulates the functionality of a type of physical network object; a Virtual Device can be one of these: Virtual Router, Virtual System, or Virtual Switch) as part of the VPN connection. The domain defines the Virtual System interfaces that are in the VPN. You can define a VPN Domain in different ways:
- All IP Addresses behind Cluster Members are based on topology information: Includes all hosts not located behind an external VSX Cluster Member interface.
- Manually Defined: Includes all hosts in the selected network or group.
- Remote Access Communities: Define an alternative VPN domain for Remote Access Community traffic.
To specify the VPN domain for a Remote Access Community:
- Click Set domain for Remote Access Community.
  The VPN Domain per Remote Access Community window opens.
- Double-click a Remote Access Community.
  The Set VPN Domain window opens.
- Select a VPN domain from the list, or click New to define a new domain.
- Click OK.
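The difference between a topology-based VPN Domain ("all hosts not located behind an external interface") and a manually defined one is clearer when computed. This added example, written for this page and not taken from Check Point or the guide, models a Virtual System's Topology page as a list of interfaces and routes and derives the topology-based domain from it; the Interface and Route classes, the interface names and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    """One Virtual System interface as shown on the Topology page (constructed model)."""
    name: str
    address: str        # interface IP with prefix length, e.g. "10.0.0.1/24"
    external: bool      # True if the interface leads to the Internet


@dataclass
class Route:
    """One static route from the Routes section (constructed model)."""
    destination: str    # "network/prefix"
    next_hop: str       # next hop IP address


def connected_network(iface):
    """The network directly attached to the interface."""
    return ipaddress.ip_network(iface.address, strict=False)


def topology_vpn_domain(interfaces, routes):
    """Networks behind the Virtual System according to topology: every directly
    connected network on a non-external interface, plus every routed
    destination whose next hop sits on such an interface. Anything reached
    through an external interface (including the default route) is excluded."""
    internal = [i for i in interfaces if not i.external]
    domain = {connected_network(i) for i in internal}
    for route in routes:
        hop = ipaddress.ip_address(route.next_hop)
        if any(hop in connected_network(i) for i in internal):
            domain.add(ipaddress.ip_network(route.destination, strict=False))
    return sorted(domain)


def manual_vpn_domain(networks):
    """The 'Manually Defined' alternative: exactly the networks the administrator lists."""
    return sorted(ipaddress.ip_network(n, strict=False) for n in networks)


def in_vpn_domain(host, domain):
    """True if the host address falls inside any network of the VPN Domain."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in domain)


# Constructed sample topology (illustrative, not from the guide).
SAMPLE_INTERFACES = [
    Interface("eth0", "203.0.113.2/28", external=True),
    Interface("eth1", "10.0.0.1/24", external=False),
    Interface("eth2", "192.168.50.1/24", external=False),
]
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "203.0.113.1"),      # default route via the external interface
    Route("10.1.0.0/16", "10.0.0.254"),     # branch network behind an internal router
]

if __name__ == "__main__":
    domain = topology_vpn_domain(SAMPLE_INTERFACES, SAMPLE_ROUTES)
    for net in domain:
        print("VPN Domain includes", net)
    print("10.1.7.9 in domain:", in_vpn_domain("10.1.7.9", domain))
    print("198.51.100.5 in domain:", in_vpn_domain("198.51.100.5", domain))
```

The routed branch network 10.1.0.0/16 lands in the domain only because its next hop is on an internal interface; the same route with a next hop on eth0 would be excluded, which is the practical reason the guide recommends disabling automatic topology calculation when dynamic routing keeps changing which next hops exist.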
NAT
The NAT > Advanced page lets you configure NAT rules for packets originating from a Virtual System.
To enable and configure NAT for a Virtual System:
- Select Add Automatic Address Translation.
- Select a translation method:
  - Hide: Hide NAT only allows connections originating from the internal network. Internal hosts can access internal destinations, the Internet, and other external networks. External sources cannot initiate a connection to internal network addresses.
  - Static: Static NAT translates each private address to a corresponding public address.
- If you selected Hide, select one of these options:
  - Hide behind Gateway hides the real IP address behind the Virtual System external interface IP address.
  - Hide behind IP Address hides the real address behind a virtual IP address, which is a routable, public IP address that does not belong to any real machine.
- If you selected Static NAT, enter the static IP address in the appropriate field.
- Select the VSX Gateway from the Install on Gateway list.
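The security difference between the two translation methods is that Hide NAT has no translation entry for a connection until an internal host opens it, while Static NAT translates in both directions. The following added example (written for this page; not Check Point code and not how the Virtual System implements NAT internally) models both methods on constructed sample traffic. The HideNAT and StaticNAT classes, the port pool starting at 10000 and all addresses are assumptions made for the illustration.

```python
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One packet's addressing, as seen on one side of the Virtual System (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int


class HideNAT:
    """Many internal addresses hidden behind one public address. 'hide_ip' is
    either the Virtual System's external interface IP (Hide behind Gateway) or
    a dedicated routable address (Hide behind IP Address); the mechanics are the
    same. Only outbound connections create a translation entry."""

    def __init__(self, hide_ip, internal_net):
        self.hide_ip = hide_ip
        self.net = ipaddress.ip_network(internal_net)
        # public port -> (real src, real sport, remote dst, remote dport)
        self.table = {}
        self.ports = itertools.count(10000)   # constructed port pool, not Check Point's

    def outbound(self, c):
        if ipaddress.ip_address(c.src) not in self.net:
            return None                # not an internal host: no translation
        port = next(self.ports)
        self.table[port] = (c.src, c.sport, c.dst, c.dport)
        return Conn(self.hide_ip, port, c.dst, c.dport)

    def inbound(self, c):
        entry = self.table.get(c.dport)
        # Accept only replies to a connection an internal host opened.
        if c.dst != self.hide_ip or entry is None or (c.src, c.sport) != (entry[2], entry[3]):
            return None                # unsolicited from outside: dropped
        return Conn(c.src, c.sport, entry[0], entry[1])


class StaticNAT:
    """One-to-one mapping of each private address to its own public address;
    translation works in both directions, so outside hosts can initiate."""

    def __init__(self, mapping):       # real_ip -> public_ip
        self.fwd = dict(mapping)
        self.rev = {pub: real for real, pub in mapping.items()}

    def outbound(self, c):
        pub = self.fwd.get(c.src)
        return Conn(pub, c.sport, c.dst, c.dport) if pub else None

    def inbound(self, c):
        real = self.rev.get(c.dst)
        return Conn(c.src, c.sport, real, c.dport) if real else None


def demo():
    """Run both models on constructed sample traffic and return the results."""
    hide = HideNAT("203.0.113.2", "10.0.0.0/24")
    out = hide.outbound(Conn("10.0.0.5", 40000, "198.51.100.10", 443))
    reply = hide.inbound(Conn("198.51.100.10", 443, "203.0.113.2", out.sport))
    unsolicited = hide.inbound(Conn("198.51.100.10", 12345, "203.0.113.2", 22))
    static = StaticNAT({"10.0.0.8": "203.0.113.8"})
    static_in = static.inbound(Conn("198.51.100.10", 5000, "203.0.113.8", 22))
    return {"hide_out": out, "hide_reply": reply,
            "hide_unsolicited": unsolicited, "static_in": static_in}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The unsolicited inbound packet under Hide NAT yields None (dropped) even though it is addressed to the hide address, whereas the same kind of packet under Static NAT is translated to the internal host; that is why a Static NAT address is the one that needs matching Access Control rules for inbound traffic.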
VSX Bridge Configuration
The VSX Bridge Configuration page allows you to specify the loop detection algorithm when working in the Bridge mode.
Enable the Check Point ClusterXL option to enable the Active/Standby Bridge Mode loop detection algorithms contained in ClusterXL.
Enable the Standard Layer 2 Loop Detection Protocols to use standard loop detection protocols, such as STP or PVST+.
See Bridge Mode.
Changing the Cluster Management IP and/or Subnet
To add, change or delete the cluster management IP address and/or subnet, run the vsx_util change_mgmt_ip and vsx_util change_mgmt_subnet commands on the Management Server.
Changing the Internal Communication Network IP
You can change the internal communication network IP address by using the vsx_util change_private_net command on the Management Server.