Creating a SmartLSM Security Cluster Profile
When you make a new SmartLSM cluster profile, define prefixes and suffixes for the profile name to form the full cluster name. This makes it easy to identify which SmartLSM profile is assigned to a cluster.
You define these common parameters in a SmartLSM cluster Security Profile:
- Cluster members.
- Cluster member physical interfaces.
- Interface network objective (Cluster, Sync and so on).
- Cluster interface names.
- Cluster and member interface IP addresses and net masks.
- When you create a SmartLSM cluster Security Profile, define complete IP addresses. These addresses are placeholders and you can override them when you create SmartLSM cluster objects in SmartProvisioning.
- Cluster and member name components - Use a common component for the cluster and cluster member names, and another component, to reflect the relative function in the cluster. The common component is in the Profile. The other component is defined in SmartProvisioning for the specific cluster, as a prefix or a suffix to the common component. For example, you can have two two-member clusters, named First_cluster and Second_cluster. You can then name the respective members First_member1, First_member2, Second_member1 and Second_member2. In this example, you define the names _cluster, _member1 and _member2 at the Profile level. Then, when you define individual clusters, you need to define only the names First and Second as name prefixes.
You can manage SmartProvisioning Clusters by a Security Management Server or by a Domain Management Server.

Note - SmartProvisioning is not available for the members of a SmartProvisioning cluster, even if the member gateway runs the SecurePlatform OS.

- In SmartConsole, go to the Objects bar and select New > More > LSM Profile.
- Select the cluster:
  - Check Point Appliance/Open Server Cluster
  - Small Office Appliance Cluster

  The Cluster Profile window opens.
- On the General Properties page, do these steps:
  - Enter the profile Name.
    The profile name becomes the middle section of all SmartLSM cluster names that you define with this profile.
  - If your clusters use a third-party clustering platform (such as IPSO or Crossbeam), in the Network Security tab, clear ClusterXL.
    Note - When you use third party cluster platforms, create a different SmartLSM Profile for each platform type.
  - In the Network Security tab, make sure that IPSec VPN is selected, if clusters which use this profile are part of a VPN community.
- On the Cluster Members page, add members to the Profile. These member names become the middle section of all member names defined with this Profile.
- Configure the applicable parameters on the ClusterXL or 3rd Party Configuration page.
- In the Topology page, click Edit Topology.
- Double-click the New Object column to configure each interface.
  Use these guidelines:
  - Make sure that the number of interfaces and their network objectives match those of the physical SmartLSM clusters.
  - For interfaces with Private or Sync network objectives, do not enter information in the Cluster column.
  - Every SmartLSM cluster mapped to this Profile retains the host parts (by net mask) of the member IP addresses, and the name of the cluster (virtual) interface.
  - The network parts of the members' IP addresses and the entire cluster IP addresses are only used as a template here. You define the relevant network for each interface of each SmartLSM Security Gateway later in SmartProvisioning.
  - Make sure that the host ID for the external interface of the SmartLSM cluster profile is the same as the external interface of the cluster.
  - The network parts of the members' IP addresses must be identical for the same interface name, even though they are only placeholders.
  - Profile member interface names can be overridden for the actual SmartLSM cluster. However, they are usually the same for all clusters (eth0, eth1 and so on), so it is convenient to use the actual names here as well.
- In the Fetch Policy page:
  - In a High Availability environment, click Add. The Add Masters window opens. From the Available Management Stations column, select all servers and click Add. Then click OK.
  - Optional: Change the Fetch Policy interval and select a Scheduled Event or create a new one.
- Configure other parameters as required. You define VPN domains for cluster objects using SmartProvisioning.
- Click OK to confirm the settings, and save the Policy Package.
- Install policies to the cluster Profile.
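
The naming rule and the Topology guidelines above can be modelled offline to sanity-check a planned profile. This Python sketch is an added example, not Check Point code: it checks a template against the guidelines, composes cluster and member names from a prefix, and derives member addresses by keeping each template's host part. The dictionary layout, function names and all addresses are constructed for illustration, and it assumes each real network uses the same net mask as the template.

```python
import ipaddress

# Constructed sample profile; layout, names and addresses are illustrative.
PROFILE = {
    "cluster": "_cluster",
    "members": ["_member1", "_member2"],
    "interfaces": {  # Sync/Private interfaces carry no cluster address
        "eth0": {"objective": "Cluster", "cluster_ip": "10.0.0.1/24",
                 "member_ips": ["10.0.0.2/24", "10.0.0.3/24"]},
        "eth1": {"objective": "Sync", "cluster_ip": None,
                 "member_ips": ["192.168.1.2/24", "192.168.1.3/24"]},
    },
}

def check_profile(profile):
    """Return violations of the Topology guidelines found in the template."""
    problems = []
    for name, itf in profile["interfaces"].items():
        nets = {ipaddress.ip_interface(a).network for a in itf["member_ips"]}
        if len(nets) != 1:
            problems.append(f"{name}: member network parts differ")
        if itf["objective"] in ("Sync", "Private") and itf["cluster_ip"]:
            problems.append(f"{name}: no cluster address allowed")
        if len(itf["member_ips"]) != len(profile["members"]):
            problems.append(f"{name}: one address per member required")
    return problems

def rehost(template, real_network):
    """Keep the template's host part (by net mask), swap in the real network."""
    tmpl = ipaddress.ip_interface(template)
    net = ipaddress.ip_network(real_network)
    if net.prefixlen != tmpl.network.prefixlen:  # assumption: same net mask
        raise ValueError("real network must use the template's net mask")
    host_part = int(tmpl.ip) & int(tmpl.network.hostmask)
    return str(net.network_address + host_part)

def instantiate(profile, prefix, networks, suffix=""):
    """Build the names and member addresses of one cluster from the profile."""
    members = {}
    for i, component in enumerate(profile["members"]):
        members[f"{prefix}{component}{suffix}"] = {
            itf: rehost(spec["member_ips"][i], networks[itf])
            for itf, spec in profile["interfaces"].items()
        }
    return {"name": f"{prefix}{profile['cluster']}{suffix}", "members": members}
```

Calling `instantiate(PROFILE, "First", {"eth0": "172.16.5.0/24", "eth1": "192.168.50.0/24"})` yields the cluster `First_cluster` with members `First_member1` and `First_member2`, each keeping host IDs .2 and .3 on the new networks.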