Installing a cluster in the VSNext mode
Notes:
Procedure:
-
Install the platform
Step
Instructions
1
Install the required platform.
-
For an ElasticXL Cluster:
See the R82 Scalable Platforms Administration Guide > Chapter "Working with ElasticXL Cluster".
-
For a Maestro Security Group.
2
Run the First Time Configuration Wizard.
For an ElasticXL Cluster
See the R82 Scalable Platforms Administration Guide > Chapter "Working with ElasticXL Cluster".
During the First Time Configuration Wizard on the first appliance, you must configure these settings (other appliances copy these settings when they join this ElasticXL Cluster):
-
In the "Management Connection" window, select and configure the main Gaia Management Interface. You connect to this IP address to open the Gaia Portal or CLI on the ElasticXL Cluster.
-
In the Installation Type window, select Security Gateway and/or Security Management.
-
In the Products window:
-
In the Products section, select Security Gateway only.
-
In the Clustering section, select Unit is a part of a cluster and select ElasticXL.
-
In the Gateway Virtualization section, select Install as VSNext.
-
In the Secure Internal Communication window, enter the applicable Activation Key (between 4 and 127 characters long).
For a Maestro Security Group
See the R82 Scalable Platforms Administration Guide > Chapter "Working with Quantum Maestro".
When you create a new Security Group on a Maestro Orchestrator, in the First Time Wizard settings section:
-
Enter the required hostname.
-
Enter the required admin password.
-
Select Install as VSNext / VSX.
3
Install a valid license.
See the R82 Scalable Platforms Administration Guide:
-
For an ElasticXL Cluster:
Chapter "Working with ElasticXL Cluster".
-
For a Maestro Security Group:
Chapter "Working with Quantum Maestro".
-
Configure the required Virtual Switches and Virtual Gateways
On an ElasticXL Cluster / a Maestro Security Group, configure the required Virtual Switches and Virtual Gateways.
See the R82 VSX Administration Guide > Chapter "VSNext".
-
In SmartConsole, configure the Security Gateway object for each Virtual Gateway
Best Practice - Configure a Security Gateway object for the default Virtual Gateway to ensure secure access.
Step
Instructions
1
Connect with SmartConsole to the Security Management Server or Domain Management Server that should manage this Virtual Gateway.
2
From the left navigation panel, click Gateways & Servers.
3
Create a new Security Gateway object:
From the top toolbar, click New > Gateway.
4
In the Name field, enter the applicable name for this Virtual Gateway object.
Note - After the first policy installation, the name you assign to the Security Gateway object in SmartConsole appears in Gaia Portal of the ElasticXL Cluster / Maestro Security Group:
-
On the top toolbar, in the field Virtual System.
-
On the page Virtual Systems in the column Name.
5
In the IPv4 address and IPv6 address fields, configure the same IPv4 and IPv6 addresses that you configured for this Virtual Gateway object on the ElasticXL Cluster / the Maestro Security Group.
Make sure the Security Management Server or Multi-Domain Server can connect to these IP addresses.
6
Establish the Secure Internal Communication (SIC) between the Management Server and this Virtual Gateway:
-
Near the Secure Internal Communication field, click Communication.
-
In the Platform field, select Open server / Appliance.
-
Enter the same Activation Key you entered during the Security Gateway's First Time Configuration Wizard.
-
Click Initialize.
The Certificate state field must show "Established".
-
Click OK.
7
In the Platform section, make sure the correct values appear:
-
The Hardware field must show:
-
For an ElasticXL Cluster, must show ElasticXL.
-
For a Maestro Security Group, must show Maestro.
-
The Version field must show R82.
-
The OS field must show Gaia.
-
The Virtualization field must show VS.
8
Enable the applicable Software Blades:
-
On the Network Security tab.
-
On the Threat Prevention tab.
9
Click OK.
10
Publish the SmartConsole session.
-
In SmartConsole, configure the applicable Security Policy for each Virtual Gateway
Best Practice - Configure and install a Security Policy for the default Virtual Gateway (with ID 0) to ensure secure access.
Allow administration access to the ElasticXL Cluster / Maestro Security Group and to each Virtual Gateway only from secured hosts and networks.
The administration access requires HTTPS (for Gaia Portal) and SSH (for command line). Optionally, allow ICMP (for pings).
Step
Instructions
1
Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Virtual Gateway.
2
From the left navigation panel, click Security Policies.
3
Create a new policy and configure the applicable layers:
-
At the top, click the + tab (or press CTRL+T).
-
On the Manage Policies tab, click Manage policies and layers.
-
In the Manage policies and layers window, create a new policy and configure the applicable layers.
-
Click Close.
-
On the Manage Policies tab, click the new policy you created.
4
Create the applicable Access Control rules.
5
Install the Access Control Policy on the Security Gateway object.
6
Create the applicable Threat Prevention rules.
7
Install the Threat Prevention Policy on the Security Gateway object.
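Before installing the Access Control Policy, the rule base can be checked against the best practice above: HTTPS and SSH to the Virtual Gateway accepted only from secured networks. The following is an added example, not Check Point code; the rule dictionaries are a simplified, hypothetical model (not a SmartConsole export format), the addresses are constructed, and only IPv4 is handled.

```python
import ipaddress

def _net(value):
    # "any" is modelled as the whole IPv4 space.
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value)

def _covers(rule, service, gateway):
    """True if the rule's destination and services include this service on the gateway."""
    return gateway in _net(rule["dst"]) and bool({service, "any"} & set(rule["services"]))

def audit_admin_access(rules, gateway, admin_nets, services=("https", "ssh")):
    """Return (rule name, service) pairs that accept admin access from outside admin_nets.

    Rules are read first-match, top to bottom. An accept rule is skipped when an
    earlier drop rule already covers its whole source range for that service.
    """
    gateway = ipaddress.ip_address(gateway)
    admin_nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for service in services:
        earlier_drops = []
        for rule in rules:
            if not _covers(rule, service, gateway):
                continue
            src = _net(rule["src"])
            if rule["action"] == "drop":
                earlier_drops.append(src)
                continue
            shadowed = any(src.subnet_of(d) for d in earlier_drops)
            trusted = any(src.subnet_of(n) for n in admin_nets)
            if not shadowed and not trusted:
                findings.append((rule["name"], service))
    return findings

# Constructed sample rule bases (hypothetical names and addresses, not from the page).
GW, ADMIN = "192.0.2.10", ["10.20.30.0/24"]
HARDENED = [
    {"name": "Admin access", "src": "10.20.30.0/24", "dst": "192.0.2.10/32",
     "services": ["https", "ssh", "icmp"], "action": "accept"},
    {"name": "Stealth", "src": "any", "dst": "192.0.2.10/32",
     "services": ["any"], "action": "drop"},
    {"name": "Legacy SSH", "src": "any", "dst": "192.0.2.10/32",
     "services": ["ssh"], "action": "accept"},  # shadowed by Stealth
]
LOOSE = [{"name": "Web to DMZ", "src": "any", "dst": "192.0.2.0/24",
          "services": ["https"], "action": "accept"}] + HARDENED

if __name__ == "__main__":
    print(audit_admin_access(HARDENED, GW, ADMIN))
    print(audit_admin_access(LOOSE, GW, ADMIN))
```

The second rule base is flagged because a broad HTTPS rule placed above the admin and drop rules also matches the gateway's own address.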
-
For more information, see the:
-
Applicable Administration Guides on the R82 Home Page.