Working with ElasticXL Cluster

Note - This chapter describes the unique procedures that apply only to ElasticXL Cluster.

For additional procedures that apply to all Scalable Platforms, see the chapter Common Procedures for Scalable Platforms.

ElasticXL Cluster Overview

ElasticXL is a new clustering technology delivering simplified operations with a Single Management Object (SMO) and automatic sync of configuration and software between all cluster members.

ElasticXL Cluster provides a better administrator experience and performance than ClusterXL:

  • Install and configure only the first Security Appliance (this is the SMO).

    Additional ElasticXL Cluster Members automatically clone the configuration and software packages from this SMO.

  • The entire ElasticXL Cluster is represented by one Security Gateway object (SMO).

  • Efficient scale architecture - ability to add and remove ElasticXL Cluster Members on-the-fly (the configuration and software packages are cloned automatically from the SMO).

  • Global Gaia Portal and Global Gaia Clish to manage the entire ElasticXL Cluster.

  • Dual Site support.

  • Automatic configuration of the internal synchronization network.

  • Support for Gaia RESTful API.

Note - To see the maximum numbers of supported items in ElasticXL, see the R82 Release Notes > Chapter "Maximum Supported Items".

ElasticXL Network Diagram

Below is a simplified network diagram for connecting Check Point appliances in the ElasticXL Cluster configuration.

This diagram shows only two Check Point appliances for simplicity.

This diagram shows four different switches only to explain the required connections.

Legend

Item

Description

1

SmartConsole client

2

First ElasticXL Cluster Member

3

External switch

4

Management switch

5

Synchronization switch

6

Security Management Server

7

Second ElasticXL Cluster Member

8

Internal switch

A

Management interface

B

External interface

C

Synchronization interface

D

Internal interface

ElasticXL Important Notes

  • ElasticXL Cluster requires each appliance to be after a Clean Install or restored to factory defaults.

  • ElasticXL Cluster supports a maximum of:

    • 3 ElasticXL Cluster Members on each ElasticXL Site.

    • 6 ElasticXL Cluster Members in total.

    Note - If more Security Group Members are required, then use Maestro (Introduction to Maestro).

  • ElasticXL Cluster requires at least 4 interfaces on each ElasticXL Cluster Member:

    • A dedicated management interface (the port "Mgmt" is selected automatically).

    • A dedicated sync interface (the port "Sync" is selected automatically).

      Important:

      • The "Sync" ports of all ElasticXL Cluster Members in the same ElasticXL Cluster must connect to the same Layer 2 broadcast domain (a dedicated Layer 2 switch, or a dedicated VLAN).

      • Only one ElasticXL Cluster is supported in the same Layer 2 broadcast domain (connecting Sync interfaces of different ElasticXL Clusters is not supported).

      • Configuring the Sync interface as VLAN Trunk is not supported.

      • ElasticXL Cluster sends all traffic over the Sync network in clear-text (non-encrypted).

      • ElasticXL Cluster automatically configures the IP address of the sync network to 192.0.2.0/24.

        If needed, later it is possible to change the IP address of the sync network.

    • An "external" interface (you select and configure this interface).

      ElasticXL Cluster assigns a unicast MAC Address to these data interfaces.

      ElasticXL Cluster does not rename these data interfaces.

    • An "internal" interface (you select and configure this interface).

      ElasticXL Cluster assigns a unicast MAC Address to these data interfaces.

      ElasticXL Cluster does not rename these data interfaces.

  • ElasticXL Cluster renames the physical interfaces on the appliances:

    • The "Mgmt" interface becomes a subordinate interface in the Bond called "magg1".

    • The "Sync" interface is renamed to "eth1-Sync" and becomes a subordinate interface in the Bond called "Sync".

    Notes - Gaia OS does not show the bond interface "Sync" (or its subordinate interfaces) in Gaia Portal and in the Gaia Clish "set" commands. This is to prevent any changes to this infrastructure interface.

  • On each ElasticXL Site, only one ElasticXL Cluster Member (the SMO) accepts all traffic and distributes this traffic to other ElasticXL Cluster Members (works like the Pivot member in the ClusterXL Load Sharing Unicast mode).

  • ElasticXL Cluster supports only the "General" Distribution Mode to assign incoming traffic to cluster members on each ElasticXL (the Gaia gClish command "set distribution configuration"). See Working with the Distribution Mode.

  • ElasticXL Cluster supports only the VSNext mode (the Legacy VSX mode is not supported). To configure the VSNext mode, you must enable it during the Gaia First Time Configuration Wizard on the first Security Appliance.

ElasticXL Configuration

Part 1 - Installation of Appliances

Refer to the Getting Started Guide for your appliance in sk96246.

  1. Install each appliance in a rack.

  2. Connect network cables to each appliance.

    • The "Sync" ports on the appliances must connect through a dedicated Layer 2 switch, or a dedicated VLAN.

    • Data ports on the appliances must connect to your traffic networks.

  3. Connect power cables to each appliance.

  4. Power on each appliance.

Part 2 - Gaia First Time Configuration Wizard

Important - You must run the First Time Configuration Wizard only on one of the appliances.

  1. Connect your computer to one of these appliances to the "Mgmt" port.

  2. On your computer, configure a static IPv4 address in the subnet 192.168.1.0 / 24.

    Refer to the Getting Started Guide for your appliance in sk96246.

  3. In a web browser, enter this URL:

    https://192.168.1.1

  4. The Gaia Portal login page opens.

  5. Enter the default username and password: admin and admin.

  6. Click Login.

    The Gaia First Time Configuration Wizard opens.

    For more information, see the R82 Gaia Administration Guide > Chapter "Configuring Gaia for the First Time" > Section "Running the First Time Configuration Wizard in Gaia Portal".

  7. In the "Welcome" window:

    Click Next.

  8. In the "Deployment Options" window:

    1. Select Continue with R82 configuration.

    2. Click Next.

  9. In the "Authentication Details" window:

    Configure the main passwords for the Gaia OS.

    1. In the section "Change the default administrator password":

      Configure the password for the Expert mode.

    2. In the section "Change the default password for Gaia maintenance mode":

      Configure the password for the Maintenance Mode (GRUB).

      Best Practice - For security reasons, we recommend to configure a different passwords for the Expert mode and for the Maintenance Mode.

    3. Click Next.

    Note - You can change each password after you complete the Gaia First Time Configuration Wizard.

  10. In the "Management Connection" window:

    In this window, you select and configure the main Gaia Management Interface.

    You connect to this IP address to open the Gaia Portal or CLI on the ElasticXL Cluster.

    1. Configure the applicable IPv4 and IPv6 settings.

    2. Click Next.

  11. In the "Internet Connection" window, click Next.

    You must configure the required IP addresses on the ElasticXL Cluster interfaces after the First Time Configuration Wizard.

  12. In the "Device Information" window:

    1. Configure the desired hostname.

      For example: ElasticXL_Cluster

      • The hostname format for ElasticXL Cluster Members on the ElasticXL Site 1:

        <Hostname>-s01-01, <Hostname>-s01-02, <Hostname>-s01-03

      • The hostname format for ElasticXL Cluster Members on the ElasticXL Site 2:

        <Hostname>-s02-01, <Hostname>-s02-02, <Hostname>-s02-03

    2. Configure the required DNS settings.

    3. Configure the required Proxy settings.

    4. Click Next.

  13. In the "Date and Time Settings" window:

    1. Configure the required date and time settings.

    2. Click Next.

  14. In the "Installation Type" window:

    1. Select Security Gateway and/or Security Management.

    2. Click Next.

  15. In the "Products" window:

    1. In the Products section, select Security Gateway.

    2. In the Clustering section, select Unit is a part of a cluster and select ElasticXL.

      Important - To install this ElasticXL Cluster in the VSNext mode, in the Gateway Virtualization section, select Install as VSNext.

      You cannot convert to the VSNext mode after the installation.

    3. Click Next.

  16. In the "Secure Communication to Management Server" window:

    1. Configure a one-time Activation Key.

      You must enter this key later in SmartConsole when you create the corresponding Security Gateway object and initialize SIC.

    2. Click Next.

  17. In the "First Time Configuration Wizard Summary" window, click Finish.

  18. The First Time Configuration Wizard performs the required steps and reboots this appliance.

  19. You now have a ElasticXL Cluster with one ElasticXL Cluster Member.

  20. Connect to your ElasticXL Cluster at the IP address you configured in the "Management Connection" window.

  21. Enter the username "admin" and the password you configured for the Expert mode in the "Authentication Details" window.

Part 3 - Configuration of ElasticXL Cluster

  1. Configure the applicable settings that require a reboot.

    Note - Do not change the SecureXL mode. It must run in the Kernel Mode (KPPAK).

    Best Practice - Do not to change the number of CoreXL Firewall instances. Use CoreXL Dynamic Balancing (enabled by default).

  2. Install the required Hotfixes / Jumbo Hotfix Accumulator.

  3. Reboot (only if you performed Step 1 and Step 2).

  4. Configure the required IP addresses on the data interfaces, to which your networks must send their traffic.

    Refer to the R82 Gaia Administration Guide > Chapter "Network Management" > Section "Network Interfaces".

  5. Configure the required static routes.

    Refer to the R82 Gaia Administration Guide:

    • Chapter "Network Management" > Section "IPv4 Static Routes".

    • Chapter "Network Management" > Section "IPv6 Static Routes".

Part 4 - Configuration in SmartConsole

  1. Configure a single Security Gateway object that represent this ElasticXL Cluster (this is the Single Management Object, SMO).

  2. Configure and install the applicable Security Policies on this Security Gateway object.

Part 5 - Adding other ElasticXL Cluster Members

Add other appliances to this ElasticXL, as needed.

The new appliances automatically clone all software packages, settings, and security policies from the first ElasticXL Cluster Member (the SMO).

You can add other appliances to an ElasticXL Cluster in Gaia Portal or in Gaia gClish.

  1. Connect to Gaia Portal on the ElasticXL Cluster.

  2. In the left panel, click Cluster Management.

  3. In the section Cluster Gateways, click Pending Gateways.

  4. Select the required appliance.

  5. Select to which ElasticXL Site you want to add this appliance:

    • Add to the existing Site (configures Load Sharing with ...)

    • Create a new Site (configures High Availability with ...)

  6. Click Add.

  7. In the notification popup, click OK.

  8. Wait for the new appliance to join this ElasticXL Cluster.

  1. Connect to the command line on the ElasticXL Cluster.

  2. Log in to Gaia gClish.

  3. Get the list of the ElasticXL Cluster Members and detected appliances:

    show cluster info provision

    See show cluster info

    Example output when ElasticXL Cluster detects with one Cluster Member detects the second appliance on the Sync network:

    [Global] EXL-s01-01> show cluster info provision
┌────────────┬──────────────────────────────────────────┬──────────────────────────────────┬─────────┬───────────┬─────┬─────────────────┐
│ Hostname   │ Serial Number                            │ Request ID                       │ Version │ Model     │ ID  │ State           │
├────────────┼──────────────────────────────────────────┼──────────────────────────────────┼─────────┼───────────┼─────┼─────────────────┤
│ EXL-s01-01 │ <123>                                    │ Not Relevant                     │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER  │
│ gw-9ec32f  │ <456>                                    │ 676190f4bc5b800b59f08c408942a484 │ R82     │ <xxx>     │     │ REQUEST_TO_JOIN │
└────────────┴──────────────────────────────────────────┴──────────────────────────────────┴─────────┴───────────┴─────┴─────────────────┘
[Global] EXL-s01-01>

  4. Add the new appliance to the required ElasticXL Site (existing Site or new Site):

    Note - See the example steps below.

    Syntax:

    add cluster member

          method

                hostname identifier <Hostname>

                serial-number identifier <Serial Number>

                request-id identifier <Request ID>

          site-id {1 | 2}

          [format json]

    Parameters:

    Parameter

    Description

    method

    Specifies how to identify an appliance (press the Tab key to see the detected appliances):

    • hostname identifier <Hostname>

      Adds the appliance by its hostname

    • serial-number identifier <Serial Number>

      Adds the appliance by its serial number

    • request-id identifier <Request ID>

      Adds the appliance by its ElasticXL Request ID (as 32-bit string).

      This method allows a secure joining of a new appliance.

      The "Request ID" is a hash of the public certificate key of the appliance.

      An administrator can:

      1. Locate the new appliance in a datacenter.

      2. Connect to the command line on the appliance.

      3. Log in to Gaia Clish with default username and password: admin and admin (because we do not run the Gaia First Time Configuration Wizard on the additional appliances that join the ElasticXL Cluster).

      4. Get the generated Request ID with this command:

        show cluster member info [request-id]

    site-id

    Specifies the ElasticXL Site ID, to which you add the appliance - 1 or 2.

    format

    Specifies the output format - JSON (instead of the default table format).

    Example:

    1. Let us add the second appliance to the new ElasticXL Site Site 2:

      [Global] EXL-s01-01> add cluster member method request-id identifier 676190f4bc5b800b59f08c408942a484 site-id 2
Successfully added as member 2_1
[Global] EXL-s01-01

    2. The second appliance changes its state from "REQUEST_TO_JOIN" to "APPROVED_TO_JOIN".

      Example output:

      [Global] EXL-s01-01> show cluster info provision
┌────────────┬───────────────┬──────────────────────────────────┬─────────┬───────────┬─────┬──────────────────┐
│ Hostname   │ Serial Number │ Request ID                       │ Version │ Model     │ ID  │ State            │
├────────────┼───────────────┼──────────────────────────────────┼─────────┼───────────┼─────┼──────────────────┤
│ EXL-s01-01 │ <123>         │ Not Relevant                     │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER   │
│ gw-9ec32f  │ <456>         │ 676190f4bc5b800b59f08c408942a484 │ R82     │ <xxx>     │     │ APPROVED_TO_JOIN │
└────────────┴───────────────┴──────────────────────────────────┴─────────┴───────────┴─────┴──────────────────┘
[Global] EXL-s01-01>

    3. After some time, the second appliance changes its state from "APPROVED_TO_JOIN" to "JOINING_CLUSTER".

      Example output:

      [Global] EXL-s01-01> show cluster info provision
┌────────────┬───────────────┬──────────────────────────────────┬─────────┬───────────┬─────┬─────────────────┐
│ Hostname   │ Serial Number │ Request ID                       │ Version │ Model     │ ID  │ State           │
├────────────┼───────────────┼──────────────────────────────────┼─────────┼───────────┼─────┼─────────────────┤
│ EXL-s01-01 │ <123>         │ Not Relevant                     │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER  │
│ gw-9ec32f  │ <456>         │ 676190f4bc5b800b59f08c408942a484 │ R82     │ <xxx>     │     │ JOINING_CLUSTER │
└────────────┴───────────────┴──────────────────────────────────┴─────────┴───────────┴─────┴─────────────────┘
[Global] EXL-s01-01

    4. The second appliance clones the required software packages and settings from the SMO, configures itself, and reboots.

      This stage takes several minutes.

    5. After the reboot, the second appliance changes its state to "CLUSTER_MEMBER".

      Example output:

      [Global] EXL-s01-01> show cluster info provision
┌────────────┬───────────────┬──────────────┬─────────┬───────────┬─────┬─────────────────┐
│ Hostname   │ Serial Number │ Request ID   │ Version │ Model     │ ID  │ State           │
├────────────┼───────────────┼──────────────┼─────────┼───────────┼─────┼─────────────────┤
│ EXL-s01-01 │ <123>         │ Not Relevant │ R82     │ ElasticXL │ 1_1 │ CLUSTER_MEMBER  │
│ EXL-s02-01 │ <456>         │ Not Relevant │ R82     │ ElasticXL │ 2_1 │ CLUSTER_MEMBER  │
└────────────┴───────────────┴──────────────┴─────────┴───────────┴─────┴─────────────────┘
[Global] EXL-s01-01>

  5. Monitor the progress on the SMO ElasticXL Cluster Member.

    You can monitor the progress in Gaia gClish of ElasticXL Cluster with one of these commands:

    insights

    show cluster info provision [live]

    See:

You can see how the new appliance clones the software image from the SMO:

  1. Connect your computer to the console port on the new appliance.

  2. Configure the terminal application on your computer.

    See insights.

  3. Log in to Gaia Clish.

    Use the default username and password - admin and admin.

  4. Run:

    insights

  5. Watch the alerts.

  6. When the configuration is complete, the new appliance reboots.

Part 6 - Installing licenses on ElasticXL Cluster Members

The procedure assumes that your default shell is Gaia gClish.

  1. Connect an SSH client to the IP address of the ElasticXL Cluster.

  2. Log in.

  3. Get the MAC Addresses of the "magg1" interfaces from each appliance in the ElasticXL Cluster and write them down:

    show interface magg1 mac-addr

    Example:

    [Global] EXL-s01-01> show interface magg1 mac-addr
1_01:
mac-addr XX:XX:XX:11:22:33

1_02:
mac-addr XX:XX:XX:44:55:66

[Global] EXL-s01-01>

  4. In Check Point User Center, generate a license for each appliance using these parameters:

    1. IPv4 address of the ElasticXL Cluster.

      This is the IPv4 address of the "Mgmt" interface of the first appliance, on which you ran the Gaia First Time Configuration Wizard.

    2. MAC Address of the "magg1" interface of each appliance.

    Prepare the list of the required "cplic put" commands - for each generated license, you get an email from the User Center.

  5. Connect an SSH client to the IP address of the ElasticXL Cluster.

  6. Log in.

  7. Run all the "cplic put" commands to install the licenses.

Removing a Cluster Member from ElasticXL Cluster

Note - When you remove a Cluster Member from ElasticXL Cluster, that Cluster Member returns to the clean version that was installed last. If that Cluster Member was upgraded, then it returns to the upgraded version.

You can remove appliances from an ElasticXL Cluster in Gaia Portal or in Gaia gClish.

  1. Connect to Gaia Portal on the ElasticXL Cluster.

  2. In the left panel, click Cluster Management.

  3. In the section Cluster Gateways, select the required appliance.

  4. From the top toolbar, click Actions and click Delete.

  5. In the notification popup, click OK to confirm.

  1. Connect to the command line on the ElasticXL Cluster.

  2. Log in to Gaia gClish.

  3. Remove the Cluster Member:

    delete cluster member method {hostname | serial-number | id} <VALUE> [format json]

Moving a Cluster Member from between ElasticXL Sites

You can move appliances between ElasticXL Sites in Gaia Portal or in Gaia gClish.

  1. Remove the Cluster Member from the ElasticXL Cluster.

  2. Add the pending appliance to the required ElasticXL Site.

Troubleshooting Log Files

File

Description

/var/log/lightshot.log

Shows the information about:

  1. Creation of a Gaia Lightshot snapshot on the SMO.

  2. Image cloning from the SMO.

$FWDIR/log/blade_config

Show important messages about the cluster state changes from "down" to "up".

/var/log/merge_license_file.log

Shows the information about the license installation.

FAQ

  • Does ElasticXL Cluster support MAGG (bond of Mgmt interfaces)?

    Yes - the default configuration is a Bond called "magg1" that contains the "Mgmt" interface of the appliance.

  • Does ElasticXL Cluster support a bond of Sync interfaces?

    Yes - the default configuration is a Bond called "Sync" that contains the eth1-Sync ("Sync") interface of the appliance.

    By design, this interface is hidden.

  • Does ElasticXL Cluster support a migration from a ClusterXL configuration to a ElasticXL configuration?

    Such a migration feature is on a roadmap.

  • Does ElasticXL Cluster support the Legacy VSX mode?

    No.

    ElasticXL Cluster supports only the VSNext mode.

    See the R82 VSX Administration Guide.

    In the future, it is planned to support for the legacy VSX mode only during a migration from a legacy VSX Cluster to an ElasticXL Cluster in the VSNext mode.