Example 2: VSX Cluster managed by Multi-Domain Server

This example shows:

  • One VSX Cluster in Virtual System Load Sharing (VSLS)

  • Two VSX Cluster Members with DMI management connection

  • One external Virtual Switch

  • Two Virtual Systems:

    • External interface on each Virtual System connects directly to the Virtual Switch

    • Internal interface on each Virtual System connects to the VLAN Trunk interface

    • One Virtual System is configured with the IPsec VPN Software Blade

    • One Virtual System is configured with the Mobile Access Software Blade

  • One Multi-Domain Server:

    • One Main Domain Management Server manages the objects of the VSX Cluster and Virtual Switch

    • One Target Domain Management Server manages the object of the first Virtual System

    • One Target Domain Management Server manages the object of the second Virtual System

Related documentation:

Topology

Computer

Interface

IP Address / Net Mask

Description

VSX Cluster Member 1

eth0

10.20.30.1/24

Main Cluster VIP 10.20.30.100/24

Dedicated Management Interface (DMI)

 

eth1

none

External physical interface

 

wrpX

192.168.10.1/24

Cluster VIP 192.168.10.100/24

External warp interface on Virtual System 1

Note - Interface name is generated automatically

 

wrpY

192.168.20.1/24

VIP 192.168.20.100/24

External warp interface on Virtual System 2

Note - Interface name is generated automatically

 

eth2

none

Internal physical interface - VLAN Trunk

 

eth2.11

172.30.10.1/24

Cluster VIP 172.30.10.100/24

Internal VLAN interface on Virtual System 1

 

eth2.22

172.30.20.1/24

Cluster VIP 172.30.10.100/24

Internal VLAN interface on Virtual System 2

 

eth3

192.168.200.1/24

Cluster Sync physical interface

VSX Cluster Member 2

eth0

10.20.30.2/24

Cluster VIP 10.20.30.100/24

Dedicated Management Interface (DMI)

 

eth1

none

External physical interface

 

wrpX

192.168.10.2/24

Cluster VIP 192.168.10.100/24

External warp interface on Virtual System 1

Note - Interface name is generated automatically

 

wrpY

192.168.20.2/24

Cluster VIP 192.168.20.100/24

External warp interface on Virtual System 2

Note - Interface name is generated automatically

 

eth2

none

Internal physical interface - VLAN Trunk

 

eth2.11

172.30.10.2/24

Cluster VIP 172.30.10.100/24

Internal VLAN interface on Virtual System 1

 

eth2.22

172.30.10.2/24

Cluster VIP 172.30.10.100/24

Internal VLAN interface on Virtual System 2

 

eth3

192.168.200.2/24

Cluster Sync physical interface

Multi-Domain Server

eth0

10.20.30.200/24

Leading Interface that belongs to the Multi-Domain Server

 

eth0:1

10.20.30.210/24

Virtual interface that belongs to the Main Domain Management Server (DMS 1), which manages the VSX Cluster and Virtual Switch

 

eth0:2

10.20.30.211/24

Virtual interface that belongs to the Target Domain Management Server (DMS 2), which manages the Virtual System 1

 

eth0:3

10.20.30.212/24

Virtual interface that belongs to the Target Domain Management Server (DMS 3), which manages the Virtual System 2

Action Plan

  1. See the R82 Installation and Upgrade Guide.

    Step

    Instructions

    A

    Install a Check Point appliance or Open Server.

    B

    Install Gaia OS.

    C

    Run the Gaia First Time Configuration Wizard.

    These settings are specific to the Multi-Domain Server:

    1. On the Management Connection page, select the applicable interface and configure the applicable IPv4 address.

      In our example: eth0, 10.20.30.200/24

    2. On the first Installation Type page, select Multi-Domain Server.

    3. On the second Installation Type page, select Primary Multi-Domain Server.

    4. On the Leading VIP Interfaces Configuration page, select the applicable interface.

      In our example: eth0

    D

    Install the applicable licenses.

    E

    Configure the applicable settings:

    1. Connect with SmartConsole to the Multi-Domain Server.

    2. Configure the applicable settings.

    3. Publish the SmartConsole session.

  2. Step

    Instructions

    A

    Connect with SmartConsole to the Multi-Domain Server.

    B

    Create a new Domain and Domain Server.

    In our example:

    • Name: DMS1

    • IPv4: 10.20.30.210/24

    C

    From the left navigation panel, click Gateways & Servers.

    D

    Configure the Main Domain Management Server:

    1. Connect with SmartConsole to the Main Domain Management Server (DMS1).

    2. Configure the applicable Management Software Blades and settings.

    3. Publish the SmartConsole session.

  3. Step

    Instructions

    A

    Connect with SmartConsole to the Multi-Domain Server.

    B

    Create a new Domain and Domain Server.

    In our example:

    • Name: DMS2

    • IPv4: 10.20.30.211/24

    C

    From the left navigation panel, click Gateways & Servers.

    D

    Configure the Target Domain Management Server:

    1. Connect with SmartConsole to the Target Domain Management Server (DMS2).

    2. Configure the applicable Management Software Blades and settings.

    3. Publish the SmartConsole session.

  4. Step

    Instructions

    A

    Connect with SmartConsole to the Multi-Domain Server.

    B

    Create a new Domain and Domain Server.

    In our example:

    • Name: DMS3

    • IPv4: 10.20.30.212/24

    C

    From the left navigation panel, click Gateways & Servers.

    D

    Configure the Target Domain Management Server:

    1. Connect with SmartConsole to the Target Domain Management Server (DMS3).

    2. Configure the applicable Management Software Blades and settings.

    3. Publish the SmartConsole session.

  5. See the R82 Installation and Upgrade Guide.

    Step

    Instructions

    A

    Install a Check Point appliance or Open Server.

    B

    Make sure you have enough physical interfaces for your VSX topology.
    C

    Install Gaia OS.

    D

    Run the Gaia First Time Configuration Wizard.

    These settings are specific to the VSX Cluster Member 1:

    1. On the Management Connection page, select the interface for the DMI management connection and configure the applicable IPv4 address.

      In our example: eth0, 10.20.30.1/24

    2. On the Internet Connection page, do not configure IP addresses on physical interfaces, to which your Virtual Systems connect directly.

    3. On the Installation Type page, select Security Gateway and/or Security Management.

    4. On the Products page, select Security Gateway.

    5. On the Dynamically Assigned IP page, select No.

    E

    Make sure to enable the applicable physical interfaces:

    To enable a physical interface in Gaia Portal

    1. Connect to the Gaia Portal in your web browser.

      In our example: https://10.20.30.1

    2. Click Network Management > Network Interfaces.

    3. In the upper left corner, click the lock icon to obtain the configuration lock.

    4. Select the applicable physical interface > click Edit.

    5. Select Enable.

    6. Click OK.

    To enable a physical interface in Gaia Clish, run:

    1. set interface <Name of Physical Interface> state on

    2. save config

    F

    Install the applicable licenses.

    G

    Enable the Per Virtual System State mode:

    1. Connect to the command line.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: cpconfig

    4. Select: Enable Check Point Per Virtual System State

    5. Enter y to confirm

    6. Run: reboot

  6. See the R82 Installation and Upgrade Guide.

    Step

    Instructions

    A

    Install a Check Point appliance or Open Server.

    B

    Make sure you have enough physical interfaces for your VSX topology.

    C

    Install Gaia OS.

    D

    Run the Gaia First Time Configuration Wizard.

    These settings are specific to the VSX Cluster Member 1:

    1. On the Management Connection page, select the interface for the DMI management connection and configure the applicable IPv4 address.

      In our example: eth0, 10.20.30.2/24

    2. On the Internet Connection page, do not configure IP addresses on physical interfaces, to which your Virtual Systems connect directly.

    3. On the Installation Type page, select Security Gateway and/or Security Management.

    4. On the Products page, select Security Gateway.

    5. On the Dynamically Assigned IP page, select No.

    E

    Make sure to enable the applicable physical interfaces:

    To enable a physical interface in Gaia Portal

    1. Connect to the Gaia Portal in your web browser.

      In our example: https://10.20.30.2

    2. Click Network Management > Network Interfaces.

    3. In the upper left corner, click the lock icon to obtain the configuration lock.

    4. Select the applicable physical interface > click Edit.

    5. Select Enable.

    6. Click OK.

    To enable a physical interface in Gaia Clish, run:

    1. set interface <Name of Physical Interface> state on

    2. save config

    F

    Install the applicable licenses.

    G

    Enable the Per Virtual System State mode:

    1. Connect to the command line.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: cpconfig

    4. Select: Enable Check Point Per Virtual System State

    5. Enter y to confirm

    6. Run: reboot

  7. See Configuring VSX Clusters and Working with VSX Clusters.

    Step

    Instructions

    A

    Connect with SmartConsole to the Main Domain Management Server that manages the objects of the VSX Cluster and Virtual Switch.

    In our example: DMS1

    B

    At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Cluster.

    C

    On the VSX Cluster General Properties (Specify the object's basic settings) page:

    1. In the Enter the VSX Cluster Name field, enter the applicable name for this object.

      In our example: MyVsxCluster

    2. In the Enter the VSX Cluster IPv4 field, enter the Cluster Virtual IPv4 address that is configured on the Dedicated Management Interfaces (DMI).

      In our example: 10.20.30.100

    3. In the Enter the VSX Cluster IPv6 field, enter the Cluster Virtual IPv6 address that is configured on the Dedicated Management Interfaces (DMI).

    4. In the Select the VSX Cluster Version field, select the applicable Check Point version.

      In our example: R82

    5. In the Select the VSX Cluster Platform field, select ClusterXL Virtual System Load Sharing.

      See Configuring Virtual System Load Sharing (VSLS).

      Note - This is the only mode available for a VSX Cluster that was installed as R81.10 or higher.

    6. Click Next.

    D

    On the VSX Cluster Members (Define the members of this VSX Cluster) page:

    Add the first VSX Cluster Member:

    1. Click Add.

    2. In the Cluster Member Name field, enter the applicable name for this object.

      In our example: MyVsxMember1

    3. In the Cluster Member IPv4 Address field, enter the IPv4 address of the Dedicated Management Interface (DMI).

      In our example: eth0, 10.20.30.1

    4. In the Enter the VSX Gateway IPv6 field, enter the applicable IPv6 address.

    5. In the Activation Key field, enter the same Activation Key you entered during the First Time Configuration Wizard of this VSX Cluster Member.

    6. In the Confirm Activation Key field, enter the same Activation Key again.

    7. Click Initialize.

    8. Click OK.

    9. Enter the same Activation Key you entered in the cpconfig menu.

    10. Click Initialize.

     

    If the Trust State field does not show Trust established, perform these steps:

    1. Connect to the command line on the VSX Cluster Member.

    2. Make sure there is a physical connectivity between the VSX Cluster Member and the Management Server (for example, pings can pass).

    3. Run: cpconfig

    4. Enter the number of this option: Secure Internal Communication

    5. Follow the instructions on the screen to change the Activation Key.

    6. On the VSX Cluster General Properties page, click Reset.

    7. Enter the same Activation Key you entered in the cpconfig menu.

    8. Click Initialize.

    E

    On the VSX Cluster Members (Define the members of this VSX Cluster) page:

    Add the second VSX Cluster Member:

    1. Click Add.

    2. In the Cluster Member Name field, enter the applicable name for this object.

      In our example: MyVsxMember2

    3. In the Cluster Member IPv4 Address field, enter the IPv4 address of the Dedicated Management Interface (DMI).

      In our example: eth0, 10.20.30.2

    4. In the Enter the VSX Gateway IPv6 field, enter the applicable IPv6 address.

    5. In the Activation Key field, enter the same Activation Key you entered during the First Time Configuration Wizard of this VSX Cluster Member.

    6. In the Confirm Activation Key field, enter the same Activation Key again.

    7. Click Initialize.

    8. Click OK.

    9. Click Next.

     

    If the Trust State field does not show Trust established, perform these steps:

    1. Connect to the command line on the VSX Cluster Member.

    2. Make sure there is a physical connectivity between the VSX Cluster Member and the Management Server (for example, pings can pass).

    3. Run: cpconfig

    4. Enter the number of this option: Secure Internal Communication

    5. Follow the instructions on the screen to change the Activation Key.

    6. On the VSX Cluster General Properties page, click Reset.

    7. Enter the same Activation Key you entered in the cpconfig menu.

    8. Click Initialize.

    F

    On the VSX Cluster Interfaces (Physical Interfaces Usage) page:

    1. Examine the list of the interfaces - it must show all the physical interfaces on the VSX Gateway.

    2. If you plan to connect more than one Virtual System directly to same physical interface, you must select VLAN Trunk for that physical interface.

      In our example: eth2

    3. Click Next.

    G

    On the VSX Cluster members (Synchronization Network) page:

    1. Select the interface that will be used for state synchronization.

      In our example: eth3

    2. Configure the IPv4 addresses for the Sync interfaces on each VSX Cluster Member.

      In our example:

      MyVsxMember1 - 192.168.200.1 / 255.255.255.0

      MyVsxMember2 - 192.168.200.2 / 255.255.255.0

    3. Click Next.

    H

    On the Virtual Network Device Configuration (Specify the object's basic settings) page:

    1. You can select Create a Virtual Network Device and configure the first applicable Virtual Network Device at this time (we recommend to do this later) - Virtual Switch or Virtual Router.

    2. Click Next.

    I

    On the VSX Gateway Management (Specify the management access rules) page:

    1. Examine the default access rules.

    2. Select the applicable default access rules.

    3. Configure the applicable source objects, if needed.

    4. Click Next.

    Important - These access rules apply only to the VSX Gateway (context of VS0), which is not intended to pass any "production" traffic.

    J

    On the VSX Gateway Creation Finalization page:

    1. Click Finish and wait for the operation to finish.

    2. Click View Report for more information.

    3. Click Close.

    K

    Examine the VSX configuration:

    1. Connect to the command line on each VSX Cluster Member.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: vsx stat -v

  8. See Working with VSX Clusters.

    Step

    Instructions

    A

    From the left navigation toolbar, click Gateways & Servers.

    B

    Open the VSX Cluster object.

    In our example: MyVsxCluster

    C

    Enable the applicable Software Blades.

    Refer to:

    D

    Configure other applicable settings.

    E

    Click OK to push the updated VSX Configuration.

    Click View Report for more information.

    F

    Install policy on the VSX Cluster object:

    1. Click Install Policy.

    2. In the Policy field, select the default policy for this VSX Cluster object.

      This policy is called: <Name of VSX Cluster object>_VSX.

      In our example: MyVsxCluster_VSX

    3. Click Install.

    G

    Examine the VSX configuration and VSX Cluster configuration:

    1. Connect to the command line on each VSX Cluster Member.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: vsx stat -v

    4. Run:

      • In Gaia Clish: show cluster state

      • In the Expert mode: cphaprob state

  9. Step

    Instructions

    A

    Connect with SmartConsole to the Main Domain Management Server that manages the objects of the VSX Cluster and Virtual Switch.

    In our example: DMS1

    B

    Create the Virtual Switch object:

    At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Virtual Switch.

    C

    On the VSX Switch General Properties (Define the object name and the hosting VSX) page:

    1. In the Name field, enter the applicable name for this object.

      In our example: MyVsw

    2. In the VSX Gateway / Cluster field, select the applicable VSX Gateway or VSX Cluster object.

      In our example: MyVsxCluster

    3. Click Next.

    D

    On the VSX Switch Network Configuration (Define Virtual Switch Interfaces) page:

    1. Click Add.

    2. In the Interface field, select the applicable physical interface.

      In our example: eth2

    3. Click OK.

    4. Click Next.

    E

    On the VSX Switch Cluster Creation Finalization page:

    1. Click Finish and wait for the operation to finish.

    2. Click View Report for more information.

    3. Click Close.

    F

    Examine the VSX configuration:

    1. Connect to the command line on each VSX Cluster Member.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: vsx stat -v

  10. Step

    Instructions

    A

    Connect with SmartConsole to the Target Domain Management Server that manages the object of the first Virtual System.

    In our example: DMS2

    B

    In SmartConsole, create the first Virtual System object:

    SeeWorking with Virtual Systems.

    At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Virtual System.

    C

    On the VSX System General Properties (Define the object name and the hosting VSX) page:

    1. In the Name field, enter the applicable name for this object.

      In our example: MyVs1

    2. In the VSX Gateway / Cluster field, select the applicable VSX Gateway or VSX Cluster object.

      In our example: MyVsxCluster

    3. Click Next.

    D

    On the Virtual System Network Configuration (Define Virtual System Interfaces and Routes) page:

    In our example, this Virtual System connects to the Virtual Switch ("external") and to the physical VLAN Trunk interface ("internal") on the VSX Cluster Members.

    In the Interfaces section, add the "external" interface:

    1. Click Add > Leads to Virtual Switch.

      Add Interface window opens.

    2. In the Leads to field, select the Virtual Switch your created earlier.

      In our example: MyVsxVsw

    3. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

      In our example: 192.168.10.1/24

    4. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

    5. Click OK.

     

    In the Interfaces section, add the "internal" interface:

    1. Click Add > Regular.

    2. In the Interface field, select the applicable physical interface - this is the "internal" interface.

      In our example: eth2 (that is marked as VLAN Trunk)

    3. In the VLAN tag field, enter the applicable number between 2 and 4094.

      In our example: 11 (to configure eth2.11)

    4. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

      In our example: 172.30.10.1/24

      You can select Propagate route to adjacent Virtual Devices (IPv4) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv4 connectivity between the neighboring Virtual Devices.

    5. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

      You can select Propagate route to adjacent Virtual Devices (IPv6) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv6 connectivity between the neighboring Virtual Devices.

    6. Click OK.

    In the Routes section, click Add to configure the applicable static routes and the Default Route.

    Click Next.

    E

    On the Virtual System Cluster Creation Finalization page:

    1. Click Finish and wait for the operation to finish.

    2. Click View Report for more information.

    3. Click Close.

    F

    Examine the VSX configuration:

    1. Connect to the command line on each VSX Cluster Member.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: vsx stat -v

  11. SeeWorking with Virtual Systems.

    Step

    Instructions

    A

    From the left navigation toolbar, click Gateways & Servers.

    B

    Open the first Virtual System object.

    In our example: MyVs1

    C

    Enable the applicable Software Blades.

    In our example: IPsec VPN blade

    Refer to:

    D

    Configure other applicable settings.

    E

    Click OK to push the updated VSX Configuration.

    F

    Configure and install the applicable policy on the first Virtual System object.

    G

    Examine the VSX configuration and VSX Cluster configuration:

    1. Connect to the command line on each VSX Cluster Member.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: vsx stat -v

    4. Run:

      • In Gaia Clish: show cluster state

      • In the Expert mode: cphaprob state

  12. Step

    Instructions

    A

    Connect with SmartConsole to the Target Domain Management Server that manages the object of the first Virtual System.

    In our example: DMS3

    B

    In SmartConsole, create the first Virtual System object:

    SeeWorking with Virtual Systems.

    At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Virtual System.

    C

    On the VSX System General Properties (Define the object name and the hosting VSX) page:

    1. In the Name field, enter the applicable name for this object.

      In our example: MyVs2

    2. In the VSX Gateway / Cluster field, select the applicable VSX Gateway or VSX Cluster object.

      In our example: MyVsxCluster

    3. Click Next.

    D

    On the Virtual System Network Configuration (Define Virtual System Interfaces and Routes) page:

    In our example, this Virtual System connects to the Virtual Switch ("external") and to the physical VLAN Trunk interface ("internal") on the VSX Cluster Members.

    In the Interfaces section, add the "external" interface:

    1. Click Add > Leads to Virtual Switch.

    2. In the Leads to field, select the Virtual Switch your created earlier.

      In our example: MyVsxVsw

    3. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

      In our example: 192.168.20.1/24

    4. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

    5. Click OK.

     

    In the Interfaces section, add the "internal" interface:

    1. Click Add > Regular.

    2. In the Interface field, select the applicable physical interface - this is the "internal" interface.

      In our example: eth2 (that is marked as VLAN Trunk)

    3. In the VLAN tag field, enter the applicable number between 2 and 4094.

      In our example: 22 (to configure eth2.22)

    4. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

      In our example: 172.30.20.1/24

      You can select Propagate route to adjacent Virtual Devices (IPv4) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv4 connectivity between the neighboring Virtual Devices.

    5. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

      You can select Propagate route to adjacent Virtual Devices (IPv6) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv6 connectivity between the neighboring Virtual Devices.

    6. Click OK.

    In the Routes section, click Add to configure the applicable static routes and the Default Route.

    Click Next.

    E

    On the Virtual System Cluster Creation Finalization page:

    1. Click Finish and wait for the operation to finish.

    2. Click View Report for more information.

    3. Click Close.

    F

    Examine the VSX configuration:

    1. Connect to the command line on each VSX Cluster Member.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: vsx stat -v

  13. SeeWorking with Virtual Systems.

    Step

    Instructions

    A

    From the left navigation toolbar, click Gateways & Servers.

    B

    Open the second Virtual System object.

    In our example: MyVs2

    C

    Enable the applicable Software Blades.

    In our example: Mobile Access blade

    Refer to:

    D

    Configure other applicable settings.

    E

    Click OK to push the updated VSX Configuration.

    F

    Configure and install the applicable policy on the second Virtual System object.

    G

    Examine the VSX configuration and VSX Cluster configuration:

    1. Connect to the command line on each VSX Cluster Member.

    2. Log in to Gaia Clish, or Expert mode.

    3. Run: vsx stat -v

    4. Run:

      • In Gaia Clish: show cluster state

      • In the Expert mode: cphaprob state