Getting Started with ElasticXL Cluster
ElasticXL Configuration
Part 1 - Installation of Appliances

Refer to the Getting Started Guide for your Security Appliance in sk96246.
-
Install each Security Appliance in a rack.
-
Connect network cables to each Security Appliance.
-
The "Sync" ports on the Security Appliances must connect through a dedicated Layer 2 switch, or a dedicated VLAN.
-
Data ports on the Security Appliances must connect to your traffic networks.
-
-
Connect power cables to each Security Appliance.
-
Power on each Security Appliance.
Part 2 - Gaia First Time Configuration Wizard

Important - You must run the First Time Configuration Wizard only on one of the Security Appliances.
-
Connect your computer to the "Mgmt" port on one of these Security Appliances.
-
On your computer, configure a static IPv4 address in the subnet 192.168.1.0/24.
Refer to the Getting Started Guide for your Security Appliance in sk96246.
-
In a web browser, enter this URL:
https://192.168.1.1
-
The Gaia Portal login page opens.
-
Enter the default username and password: admin and admin.
-
Click Login.
The Gaia First Time Configuration Wizard opens.
For more information, see the R82 Gaia Administration Guide > Chapter "Configuring Gaia for the First Time" > Section "Running the First Time Configuration Wizard in Gaia Portal".
-
In the "Welcome" window:
Click Next.
-
In the "Deployment Options" window:
-
Select Continue with R82 configuration.
-
Click Next.
-
-
In the "Authentication Details" window:
Configure the main passwords for the Gaia OS.
-
In the section "Change the default administrator password":
Configure the password for the Expert mode.
-
In the section "Change the default password for Gaia maintenance mode":
Configure the password for the Maintenance Mode (GRUB).
Best Practice - For security reasons, we recommend that you configure different passwords for the Expert mode and for the Maintenance Mode.
-
Click Next.
Note - You can change each password after you complete the Gaia First Time Configuration Wizard.
-
-
In the "Management Connection" window:
In this window, you select and configure the main Gaia Management Interface.
You connect to this IP address to open the Gaia Portal or CLI on the ElasticXL Cluster.
-
Configure the applicable IPv4 and IPv6 settings.
-
Click Next.
-
-
In the "Internet Connection" window, click Next.
You must configure the required IP addresses on the ElasticXL Cluster interfaces after the First Time Configuration Wizard.
-
In the "Device Information" window:
-
Configure the desired hostname.
For example:
ElasticXL_Cluster
-
The hostname format for ElasticXL Cluster Members on the ElasticXL Site 1:
<Hostname>-s01-01, <Hostname>-s01-02, <Hostname>-s01-03
-
The hostname format for ElasticXL Cluster Members on the ElasticXL Site 2:
<Hostname>-s02-01, <Hostname>-s02-02, <Hostname>-s02-03
-
-
Configure the required DNS settings.
-
Configure the required Proxy settings.
-
Click Next.
-
-
In the "Date and Time Settings" window:
-
Configure the required date and time settings.
-
Click Next.
-
-
In the "Installation Type" window:
-
Select Security Gateway and/or Security Management.
-
Click Next.
-
-
In the "Products" window:
-
In the Products section, select Security Gateway.
-
In the Clustering section, select Unit is a part of a cluster and select ElasticXL.
Important - To install this ElasticXL Cluster in the VSNext mode, in the Gateway Virtualization section, select Install as VSNext.
You cannot convert to the VSNext mode after the installation.
-
Click Next.
-
-
In the "Secure Communication to Management Server" window:
-
Configure a one-time Activation Key.
You must enter this key later in SmartConsole when you create the corresponding Security Gateway object and initialize SIC.
-
Click Next.
-
-
In the "First Time Configuration Wizard Summary" window, click Finish.
-
The First Time Configuration Wizard performs the required steps and reboots this Security Appliance.
-
You now have an ElasticXL Cluster with one ElasticXL Cluster Member.
-
Connect to your ElasticXL Cluster at the IP address you configured in the "Management Connection" window.
-
Enter the username "admin" and the password you configured for the Expert mode in the "Authentication Details" window.
Part 3 - Configuration of ElasticXL Cluster

-
Configure the applicable settings that require a reboot.
Note - Do not change the SecureXL mode. It must run in the Kernel Mode (KPPAK).
Best Practice - Do not change the number of CoreXL Firewall instances. Use CoreXL Dynamic Balancing (enabled by default).
-
Install the required Hotfixes / Jumbo Hotfix Accumulator.
-
Reboot (only if you performed Step 1 and Step 2).
-
Configure the required IP addresses on the data interfaces, to which your networks must send their traffic.
Refer to the R82 Gaia Administration Guide > Chapter "Network Management" > Section "Network Interfaces".
-
Configure the required static routes.
Refer to the R82 Gaia Administration Guide:
-
Chapter "Network Management" > Section "IPv4 Static Routes".
-
Chapter "Network Management" > Section "IPv6 Static Routes".
-
Part 4 - Configuration in SmartConsole

-
Configure a single Security Gateway object that represents this ElasticXL Cluster (this is the Single Management Object, SMO).
-
Configure and install the applicable Security Policies on this Security Gateway object.
Part 5 - Adding other ElasticXL Cluster Members
Add other ElasticXL Cluster Members to this ElasticXL Cluster, as needed.
The new ElasticXL Cluster Members automatically clone all software packages, settings, and security policies from the first ElasticXL Cluster Member (the SMO).
You can add other ElasticXL Cluster Members to an ElasticXL Cluster in Gaia Portal or in Gaia gClish.

-
Connect to Gaia Portal on the ElasticXL Cluster.
-
In the left panel, click Cluster Management.
-
In the section Cluster Gateways, click Pending Gateways.
-
Select the required Security Appliance.
-
Select to which ElasticXL Site you want to add this Security Appliance:
-
Add to the existing Site (configures Load Sharing with ...)
-
Create a new Site (configures High Availability with ...)
-
-
Click Add.
-
In the notification popup, click OK.
-
Wait for the new Security Appliance to join this ElasticXL Cluster.

-
Connect to the command line on the ElasticXL Cluster.
-
Log in to Gaia gClish.
-
Get the list of the ElasticXL Cluster Members and detected Security Appliances:
show cluster info provision
Example output when an ElasticXL Cluster with one Cluster Member detects the second Security Appliance on the Sync network:
```
[Global] EXL-s01-01> show cluster info provision
┌────────────┬──────────────────────────────────────────┬──────────────────────────────────┬─────────┬───────────┬─────┬─────────────────┐
│ Hostname   │ Serial Number                            │ Request ID                       │ Version │ Model     │ ID  │ State           │
├────────────┼──────────────────────────────────────────┼──────────────────────────────────┼─────────┼───────────┼─────┼─────────────────┤
│ EXL-s01-01 │ <123>                                    │ Not Relevant                     │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER  │
│ gw-9ec32f  │ <456>                                    │ 676190f4bc5b800b59f08c408942a484 │ R82     │ <xxx>     │     │ REQUEST_TO_JOIN │
└────────────┴──────────────────────────────────────────┴──────────────────────────────────┴─────────┴───────────┴─────┴─────────────────┘
[Global] EXL-s01-01>
```
-
Add the new Security Appliance to the required ElasticXL Site (existing Site or new Site):
Note - See the example steps below.
Syntax:
```
add cluster member
      method
            hostname identifier <Hostname>
            serial-number identifier <Serial Number>
            request-id identifier <Request ID>
      site-id {1 | 2}
      [format json]
```
Parameters:
Parameter
Description
method
Specifies how to identify a Security Appliance (press the Tab key to see the detected Security Appliances):
-
hostname identifier <Hostname>
Adds the Security Appliance by its hostname
-
serial-number identifier <Serial Number>
Adds the Security Appliance by its serial number
-
request-id identifier <Request ID>
Adds the Security Appliance by its ElasticXL Request ID (as 32-bit string).
This method allows a secure joining of a new Security Appliance.
The "Request ID" is a hash of the public certificate key of the Security Appliance.
An administrator can:
-
Locate the new Security Appliance in a datacenter.
-
Connect to the command line on the Security Appliance.
-
Log in to Gaia Clish with the default username and password, admin and admin (because we do not run the Gaia First Time Configuration Wizard on the additional Security Appliances that join the ElasticXL Cluster).
-
Get the generated Request ID with this command:
show cluster member info [request-id]
-
site-id
Specifies the ElasticXL Site ID, to which you add the Security Appliance - 1 or 2.
format
Specifies the output format - JSON (instead of the default table format).
Example:
-
Let us add the second Security Appliance to the new ElasticXL Site 2:
```
[Global] EXL-s01-01> add cluster member method request-id identifier 676190f4bc5b800b59f08c408942a484 site-id 2
Successfully added as member 2_1
[Global] EXL-s01-01>
```
-
The second Security Appliance changes its state from "REQUEST_TO_JOIN" to "APPROVED_TO_JOIN".
Example output:
```
[Global] EXL-s01-01> show cluster info provision
┌────────────┬───────────────┬──────────────────────────────────┬─────────┬───────────┬─────┬──────────────────┐
│ Hostname   │ Serial Number │ Request ID                       │ Version │ Model     │ ID  │ State            │
├────────────┼───────────────┼──────────────────────────────────┼─────────┼───────────┼─────┼──────────────────┤
│ EXL-s01-01 │ <123>         │ Not Relevant                     │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER   │
│ gw-9ec32f  │ <456>         │ 676190f4bc5b800b59f08c408942a484 │ R82     │ <xxx>     │     │ APPROVED_TO_JOIN │
└────────────┴───────────────┴──────────────────────────────────┴─────────┴───────────┴─────┴──────────────────┘
[Global] EXL-s01-01>
```
-
After some time, the second Security Appliance changes its state from "APPROVED_TO_JOIN" to "JOINING_CLUSTER".
Example output:
```
[Global] EXL-s01-01> show cluster info provision
┌────────────┬───────────────┬──────────────────────────────────┬─────────┬───────────┬─────┬─────────────────┐
│ Hostname   │ Serial Number │ Request ID                       │ Version │ Model     │ ID  │ State           │
├────────────┼───────────────┼──────────────────────────────────┼─────────┼───────────┼─────┼─────────────────┤
│ EXL-s01-01 │ <123>         │ Not Relevant                     │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER  │
│ gw-9ec32f  │ <456>         │ 676190f4bc5b800b59f08c408942a484 │ R82     │ <xxx>     │     │ JOINING_CLUSTER │
└────────────┴───────────────┴──────────────────────────────────┴─────────┴───────────┴─────┴─────────────────┘
[Global] EXL-s01-01>
```
-
The second Security Appliance clones the required software packages and settings from the SMO, configures itself, and reboots.
This stage takes several minutes.
-
After the reboot, the second Security Appliance changes its state to "CLUSTER_MEMBER".
Example output:
```
[Global] EXL-s01-01> show cluster info provision
┌────────────┬───────────────┬──────────────┬─────────┬───────────┬─────┬─────────────────┐
│ Hostname   │ Serial Number │ Request ID   │ Version │ Model     │ ID  │ State           │
├────────────┼───────────────┼──────────────┼─────────┼───────────┼─────┼─────────────────┤
│ EXL-s01-01 │ <123>         │ Not Relevant │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER  │
│ EXL-s02-01 │ <456>         │ Not Relevant │ R82     │ ElasticXL │ 2_1 │ CLUSTER_MEMBER  │
└────────────┴───────────────┴──────────────┴─────────┴───────────┴─────┴─────────────────┘
[Global] EXL-s01-01>
```
-
-
Monitor the progress on the SMO ElasticXL Cluster Member.
In Gaia gClish on the ElasticXL Cluster, you can monitor the progress with one of these commands:
insights
show cluster info provision [live]
See:

You can see how the new Security Appliance clones the software image from the SMO:
-
Connect your computer to the console port on the new Security Appliance.
-
Configure the terminal application on your computer.
See insights.
-
Log in to Gaia Clish.
Use the default username and password: admin and admin.
-
Run:
insights
-
Watch the alerts.
-
When the configuration is complete, the new Security Appliance reboots.
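
The request-id method above relies on comparing the Request ID shown on the SMO with the one read at the appliance console. The following added example (not Check Point code) parses constructed "show cluster info provision" output in the table shape shown on this page and emits "add cluster member" commands only for Request IDs on an operator-supplied allowlist. The function names, the gw-0000aa row, and the treatment of a Request ID as 32 lowercase hex characters (as in the page's example) are assumptions.

```python
import re

# Constructed sample in the table shape this page shows; the gw-0000aa row is invented.
SAMPLE = """\
[Global] EXL-s01-01> show cluster info provision
┌────────────┬───────────────┬──────────────────────────────────┬─────────┬───────────┬─────┬─────────────────┐
│ Hostname   │ Serial Number │ Request ID                       │ Version │ Model     │ ID  │ State           │
├────────────┼───────────────┼──────────────────────────────────┼─────────┼───────────┼─────┼─────────────────┤
│ EXL-s01-01 │ <123>         │ Not Relevant                     │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER  │
│ gw-9ec32f  │ <456>         │ 676190f4bc5b800b59f08c408942a484 │ R82     │ <xxx>     │     │ REQUEST_TO_JOIN │
│ gw-0000aa  │ <789>         │ 0123456789abcdef0123456789abcdef │ R82     │ <xxx>     │     │ REQUEST_TO_JOIN │
└────────────┴───────────────┴──────────────────────────────────┴─────────┴───────────┴─────┴─────────────────┘
"""

# Assumption: a Request ID is 32 lowercase hex characters, as in the page's example.
REQUEST_ID = re.compile(r"[0-9a-f]{32}")


def parse_provision(text):
    """Return one dict per data row, keyed by the table's header cells."""
    header, rows = None, []
    for line in text.splitlines():
        if "│" not in line:          # prompt lines and horizontal borders
            continue
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def plan_joins(provision_text, expected):
    """expected: {request_id_read_at_console: site_id}. Returns (commands, rejected)."""
    commands, rejected = [], []
    for row in parse_provision(provision_text):
        if row["State"] != "REQUEST_TO_JOIN":
            continue                 # already a member, or already approved
        rid = row["Request ID"]
        site = expected.get(rid)
        if REQUEST_ID.fullmatch(rid) and site in (1, 2):
            commands.append("add cluster member method request-id "
                            f"identifier {rid} site-id {site}")
        else:                        # unknown device on the Sync network: do not approve
            rejected.append((row["Hostname"], row["Serial Number"], rid))
    return commands, rejected


if __name__ == "__main__":
    # IDs recorded out of band with "show cluster member info [request-id]".
    allowlist = {"676190f4bc5b800b59f08c408942a484": 2}
    commands, rejected = plan_joins(SAMPLE, allowlist)
    print("\n".join(commands))
    for host, serial, rid in rejected:
        print(f"NOT APPROVED: {host} serial={serial} request-id={rid}")
```

Any appliance reported as not approved is a device on the Sync network whose Request ID was not recorded at its console, and is worth locating before anyone adds it by hostname or serial number instead.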
Part 6 - Installing licenses on ElasticXL Cluster Members

-
Connect an SSH client to the IP address of the ElasticXL Cluster.
-
Log in.
-
If your default shell is the Expert mode, then go to Gaia gClish:
gclish
-
Get the MAC Addresses of the "magg1" interfaces from all ElasticXL Cluster Members and write them down:
show interface magg1 mac-addr
Example:
```
[Global] EXL-s01-01> show interface magg1 mac-addr
1_01:
mac-addr XX:XX:XX:11:22:33
1_02:
mac-addr XX:XX:XX:44:55:66
[Global] EXL-s01-01>
```
-
In Check Point User Center, generate a license for each Security Appliance using these parameters:
-
IPv4 address of the ElasticXL Cluster.
This is the IPv4 address of the "Mgmt" interface of the first ElasticXL Cluster Member, on which you ran the Gaia First Time Configuration Wizard.
-
MAC Address of the "magg1" interface of each ElasticXL Cluster Member.
Prepare the list of the required "cplic put" commands - for each generated license, you get an email from the User Center.
-
-
Connect an SSH client to the IP address of the ElasticXL Cluster.
-
Log in.
-
Run all the "cplic put" commands to install the licenses.

-
Connect an SSH client to the IP address of the ElasticXL Cluster.
-
Log in.
-
If your default shell is Gaia gClish, then go to the Expert mode:
expert
-
For Site 1, get the MAC Addresses of the "Mgmt" interface from the default Virtual Switch object with the ID 500 from each ElasticXL Cluster Member and write them down:
-
Go to the context of the first ElasticXL Cluster Member on Site 1:
member 1_1
-
Get the MAC Address of the "Mgmt" interface from the default Virtual Switch object with the ID 500 and write it down:
ip netns exec CTX00500 cat /sys/class/net/Mgmt/address
-
Go to the context of the second ElasticXL Cluster Member on Site 1:
member 1_2
-
Get the MAC Address of the "Mgmt" interface from the default Virtual Switch object with the ID 500 and write it down:
ip netns exec CTX00500 cat /sys/class/net/Mgmt/address
-
Go to the context of the third ElasticXL Cluster Member on Site 1:
member 1_3
-
Get the MAC Address of the "Mgmt" interface from the default Virtual Switch object with the ID 500 and write it down:
ip netns exec CTX00500 cat /sys/class/net/Mgmt/address
-
-
For Site 2 (if configured), get the MAC Addresses of the "Mgmt" interface from the default Virtual Switch object with the ID 500 from each ElasticXL Cluster Member and write them down:
-
Go to the context of the first ElasticXL Cluster Member on Site 2:
member 2_1
-
Get the MAC Address of the "Mgmt" interface from the default Virtual Switch object with the ID 500 and write it down:
ip netns exec CTX00500 cat /sys/class/net/Mgmt/address
-
Go to the context of the second ElasticXL Cluster Member on Site 2:
member 2_2
-
Get the MAC Address of the "Mgmt" interface from the default Virtual Switch object with the ID 500 and write it down:
ip netns exec CTX00500 cat /sys/class/net/Mgmt/address
-
Go to the context of the third ElasticXL Cluster Member on Site 2:
member 2_3
-
Get the MAC Address of the "Mgmt" interface from the default Virtual Switch object with the ID 500 and write it down:
ip netns exec CTX00500 cat /sys/class/net/Mgmt/address
-
-
In Check Point User Center, generate a license for each Security Appliance using these parameters:
-
IPv4 address of the ElasticXL Cluster.
This is the IPv4 address of the "Mgmt" interface of the first Security Appliance, on which you ran the Gaia First Time Configuration Wizard.
-
MAC Address of the "Mgmt" interface of each Security Appliance, as it appeared in the CLI output in Step 4.
Prepare the list of the required "cplic put" commands - for each generated license, you get an email from the User Center.
-
-
Connect an SSH client to the IP address of the ElasticXL Cluster.
-
Log in.
-
Run all the "cplic put" commands to install the licenses.
Removing a Cluster Member from ElasticXL Cluster
Note - When you remove a Cluster Member from ElasticXL Cluster, that Cluster Member returns to the clean version that was installed last. If that Cluster Member was upgraded, then it returns to the upgraded version.
You can remove ElasticXL Cluster Members from an ElasticXL Cluster in Gaia Portal or in Gaia gClish.

-
Connect to Gaia Portal on the ElasticXL Cluster.
-
In the left panel, click Cluster Management.
-
In the section Cluster Gateways, select the required Security Appliance.
-
From the top toolbar, click Actions and click Delete.
-
In the notification popup, click OK to confirm.

-
Connect to the command line on the ElasticXL Cluster.
-
Log in to Gaia gClish.
-
Remove the Cluster Member:
delete cluster member method {hostname | serial-number | id} <VALUE> [format json]
Moving an ElasticXL Cluster Member between ElasticXL Sites
You can move ElasticXL Cluster Members between ElasticXL Sites in Gaia Portal or in Gaia gClish.

-
Remove the ElasticXL Cluster Member from the ElasticXL Cluster.
-
Add the pending Security Appliance to the required ElasticXL Site.
Installing and Uninstalling a Hotfix on ElasticXL Cluster
See Installing and Uninstalling a Hotfix on Security Group Members.
Troubleshooting Log Files
File |
Description |
---|---|
|
Shows the information about:
|
|
Shows important messages about the cluster state changes from "down" to "up". |
|
Shows the information about the license installation. |
FAQ
-
Does ElasticXL Cluster support MAGG (bond of Mgmt interfaces)?
Yes - the default configuration is a Bond called "magg1" that contains the "Mgmt" interface of the Security Appliance.
-
Does ElasticXL Cluster support a bond of Sync interfaces?
Yes - the default configuration is a Bond called "Sync" that contains the eth1-Sync ("Sync") interface of the Security Appliance.
By design, this interface is hidden.
-
Does ElasticXL Cluster support a migration from a ClusterXL configuration to an ElasticXL configuration?
Such a migration feature is on the roadmap.
-
Does ElasticXL Cluster support the Traditional VSX mode?
No.
ElasticXL Cluster supports only the VSNext mode.
See the R82 VSX Administration Guide.
In the future, support for the Traditional VSX mode is planned only during a migration from a legacy VSX Cluster to an ElasticXL Cluster in the VSNext mode.