Working with VSX Clusters

Creating VSX Clusters

This section describes how to create a new VSX Cluster using the VSX Cluster Wizard. The wizard guides you through the steps to configure a VSX Cluster.

After completing the VSX Cluster Wizard, you can modify most VSX Cluster and VSX Cluster Member properties directly from SmartConsole.

  1. Connect with SmartConsole to the Security Management Server or Main Domain Management Server that manages the VSX Cluster.

  2. From the left navigation panel, click Gateways & Servers.

  3. At the top, click Objects menu > More object types > Network Object > Gateways and Servers > VSX > New Cluster.

    The VSX Cluster Wizard > General Properties opens.

Defining Cluster General Properties

The Cluster General Properties page contains basic properties for VSX Clusters:

  • VSX Cluster Name: Unique, alphanumeric name for the cluster. The name cannot contain spaces or special characters except the underscore.

  • VSX Cluster IPv4 Address: IPv4 address of the cluster.

  • VSX Cluster IPv6 Address: IPv6 address of the cluster.

  • VSX Cluster Version: VSX version to use for this cluster.

  • VSX Cluster Platform: Platform type hosting the VSX Cluster Members:

    • To create a High Availability cluster, select ClusterXL.

    • To create a Load Sharing (VSLS) cluster, select ClusterXL Virtual System Load Sharing.

Note - All VSX Cluster Members must use the same type of platform, with the same specifications and configuration.

Adding VSX Cluster Member

The VSX Cluster Members window defines the members of the new cluster. You must define at least two VSX Cluster Members. You can add more members later.

  1. In the VSX Cluster Members window, click Add.

  2. The Member Properties window opens.

  3. Enter the name and IP addresses for the VSX Cluster Member.

    Note - If you define an IPv6 address, you must also have an IPv4 address.

  4. Enter and confirm the Activation Key to initialize SIC (Secure Internal Communication) trust between the VSX Cluster Member and the Management Server.

    Note - You defined this Activation Key during the First Time Configuration Wizard of the VSX Cluster Member.

  5. Follow these steps for all VSX Cluster Members.

  6. Click Next to continue.

Defining Cluster Interfaces

The VSX Cluster Interfaces window lets you define physical interfaces as VLAN Trunks.

The list shows all interfaces currently defined on the VSX Gateway or VSX Cluster object.

To configure a VLAN Trunk:

Select one or more interfaces to define them as VLAN Trunks. You can clear an interface to remove the VLAN Trunk assignment.

Important - You cannot define the management interface as a VLAN trunk. To use the management interface as a VLAN, you must define the VLAN on the VSX Gateway before you use SmartConsole to create the VSX Gateway object.

Configuring VSX Cluster Members

If you selected the custom configuration option, the VSX Cluster Members window appears.

In this window, you define the synchronization IP address for each VSX Cluster Member.

To configure the VSX Cluster Members:

  1. Select the synchronization interface from the list.

  2. Enter the synchronization interface addresses and net mask for each VSX Cluster Member.

To use a VLAN as a synchronization interface:

  1. On each VSX Cluster Member, define the VLAN interface on the applicable physical interface.

  2. In SmartConsole, create the VSX Cluster object.

  3. On each VSX Cluster Member, set the value of the kernel parameter fwha_monitor_all_vlan to 1 in the $FWDIR/boot/modules/fwkern.conf file. For more information, see sk92826 and Working with Kernel Parameters on Security Gateway.
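
An added example (not Check Point code) of making the kernel parameter change in the last step repeatable on every member: a hypothetical helper, set_kernel_param, that leaves exactly one fwha_monitor_all_vlan=1 entry in the file and keeps a .bak copy of the previous state. It assumes the file holds one name=value entry per line with no spaces.

```shell
#!/bin/bash
# Added example: idempotently set a kernel parameter in fwkern.conf.
# Assumption: the file holds one "name=value" entry per line, without spaces.

# set_kernel_param FILE NAME VALUE   (hypothetical helper, not a Check Point tool)
# Prints "unchanged", "updated" or "added"; returns non-zero on error.
set_kernel_param() {
    local file=$1 name=$2 value=$3 tmp state

    # Accept only plain parameter names and decimal/hex values, so nothing
    # unexpected can be written into a file that is read by the kernel loader.
    case $name in ''|*[!A-Za-z0-9_]*) echo "invalid name" >&2; return 2;; esac
    case $value in ''|*[!0-9a-fA-FxX]*) echo "invalid value" >&2; return 2;; esac

    # Create the file if it does not exist yet.
    [ -e "$file" ] || : > "$file" || return 1

    # Exactly one entry and it already has the wanted value: nothing to do.
    if [ "$(grep -c "^${name}=" "$file")" = 1 ] &&
       grep -qxF "${name}=${value}" "$file"; then
        echo unchanged
        return 0
    fi

    if grep -q "^${name}=" "$file"; then state=updated; else state=added; fi

    cp -p "$file" "${file}.bak" || return 1      # keep the previous state
    tmp=$(mktemp "${file}.XXXXXX") || return 1

    # Drop every existing entry for this parameter (this also removes
    # duplicates or conflicting values), then append the single wanted entry.
    grep -v "^${name}=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"

    # Overwrite in place so the file keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp" || return 1
    echo "$state"
}

# Only touch the real file when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    set_kernel_param "$FWDIR/boot/modules/fwkern.conf" fwha_monitor_all_vlan 1
fi
```

Run the script with --apply on each VSX Cluster Member; a result of "unchanged" on a later run confirms the member still carries the setting.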

Cluster Management

The VSX Gateway Management page allows you to define several security policy rules that protect the cluster itself. This policy is installed automatically on the new VSX Cluster.

Note - This policy applies only to traffic destined for the cluster. Traffic destined for Virtual Systems, other Virtual Devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules covering the following services:

  • UDP: SNMP requests

  • TCP: SSH traffic

  • ICMP: Echo-request (ping)

  • TCP: HTTPS (secure HTTP) traffic

Configuring the Cluster Security Policy

  1. Allow: Select a rule to allow traffic for that service. Clear a rule to block the traffic. By default, all services are blocked.

    For example, you may wish to allow ICMP echo-request traffic in order to be able to ping a VSX Cluster Member from the Management Server.

  2. Source: Click the arrow and select a Source Object from the list. The default value is *Any.

    Click New Source Object to define a new source.

    For more about Security Policies, see the R81 Security Management Administration Guide.

Completing the Wizard

  1. Click Next to continue and then click Finish to complete the VSX Cluster wizard.

    It can take several minutes to complete. A message appears indicating successful or unsuccessful completion of the process.

    If the process ends unsuccessfully, click View Report to view the error messages.

    For more information, refer to the troubleshooting steps in VSX Diagnostics and Troubleshooting.

  2. In SmartConsole, double-click the new VSX Cluster object.

  3. Configure the applicable settings.

  4. Click OK.

  5. Install the Access Control Policy.

  6. Install the Threat Prevention Policy.