Working with VSX Clusters
Important - This section does not apply to Scalable Platforms (Maestro and Chassis).
Configuration Overview
You use SmartConsole for most of the basic cluster configurations.
Many cluster management procedures require the command line.
For example, you need the CLI to change the VSX Cluster definitions.
Creating VSX Clusters
This section describes how to create a new VSX Cluster using the VSX Cluster Wizard. The wizard guides you through the steps to configure a VSX Cluster.
After completing the VSX Cluster Wizard, you can modify most VSX Cluster and VSX Cluster Member properties directly from SmartConsole.
- Connect with SmartConsole to the Security Management Server or Main Domain Management Server that manages the VSX Cluster.
- From the left navigation panel, click Gateways & Servers.
- At the top, click Objects menu > More object types > Network Object > Gateways and Servers > VSX > New Cluster.
  The VSX Cluster Wizard > General Properties opens.
The VSX Cluster Wizard shows these pages:

The Cluster General Properties page contains basic properties for VSX Clusters:
- VSX Cluster Name: Unique, alphanumeric name for the cluster. The name cannot contain spaces or special characters except the underscore.
- VSX Cluster IPv4 Address: IPv4 address of the cluster.
- VSX Cluster IPv6 Address: IPv6 address of the cluster.
- VSX Cluster Version: VSX version to use for this cluster.
- VSX Cluster Platform: Platform type hosting the VSX Cluster Members:
  - To create a High Availability cluster, select ClusterXL.
  - To create a Load Sharing (VSLS) cluster, select ClusterXL Virtual System Load Sharing.

Note - All VSX Cluster Members must use the same type of platform, with the same specifications and configuration.

The VSX Cluster Members window defines the members of the new cluster. You must define at least two VSX Cluster Members. You can add more members later.
- In the VSX Cluster Members window, click Add.
- The Member Properties window opens.
- Enter the name and IP addresses for the VSX Cluster Member.
  Note - If you define an IPv6 address, you must also have an IPv4 address.
- Enter and confirm the Activation Key to initialize the SIC trust between the VSX Cluster Member and the Management Server.
  Note - You defined this Activation Key during the First Time Configuration Wizard of the VSX Cluster Member.
- Follow these steps for all VSX Cluster Members.
- Click Next to continue.

The VSX Cluster Interfaces window lets you define physical interfaces as VLAN Trunks.
The list shows all interfaces currently defined on the VSX Gateway or VSX Cluster object.
To configure a VLAN Trunk:
Select one or more interfaces to define them as VLAN Trunks. You can clear an interface to remove the VLAN Trunk assignment.
Important - You cannot define the management interface as a VLAN trunk. To use the management interface as a VLAN, you must define the VLAN on the VSX Gateway before you use SmartConsole to create the VSX Gateway object.

If you selected the custom configuration option, the VSX Cluster Members window appears.
In this window, you define the synchronization IP address for each VSX Cluster Member.
To configure the VSX Cluster Members:
- Select the synchronization interface from the list.
- Enter the synchronization interface addresses and net mask for each VSX Cluster Member.

To use a VLAN as a synchronization interface:
- On each VSX Cluster Member, define the VLAN interface on the applicable physical interface.
- In SmartConsole, create the VSX Cluster object.
- On each VSX Cluster Member, set the value of the kernel parameter "fwha_monitor_all_vlan" to 1 in the $FWDIR/boot/modules/fwkern.conf file. For more information, see sk92826 and Working with Kernel Parameters.
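
An idempotent way to make the fwkern.conf change from the last step, as an added example rather than Check Point's own code. It assumes the file holds one `name=value` entry per line with no spaces; `set_kernel_param` and `sample_other_param` are hypothetical names, and the demo runs on a constructed temporary file.

```shell
#!/bin/sh
# Added example: idempotently set one entry in a fwkern.conf-style file.
# Assumption: one "name=value" entry per line, no spaces around "=".

# Usage: set_kernel_param FILE NAME VALUE   (hypothetical helper name)
set_kernel_param() {
    conf=$1; name=$2; value=$3
    # Reject anything that could not be written as a clean name=value line.
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "invalid parameter name: $name" >&2; return 2 ;;
    esac
    case $value in
        ''|*[!A-Za-z0-9_]*) echo "invalid value: $value" >&2; return 2 ;;
    esac
    # Create the file if it does not exist yet.
    [ -f "$conf" ] || : > "$conf" || return 1

    # Already correct (exactly one entry, with the wanted value): change nothing.
    if [ "$(grep -c "^${name}=" "$conf")" = 1 ] &&
       grep -qx "${name}=${value}" "$conf"; then
        return 0
    fi

    # Keep a backup, drop stale or duplicate entries, append the new entry.
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    grep -v "^${name}=" "$conf" > "$tmp" || true   # grep exits 1 when no other lines remain
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    # Write through cat so the original file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Demo on a constructed sample file (sample_other_param is made up).
# On a VSX Cluster Member the target is $FWDIR/boot/modules/fwkern.conf.
demo_dir=$(mktemp -d)
printf 'fwha_monitor_all_vlan=0\nsample_other_param=1\n' > "$demo_dir/fwkern.conf"
set_kernel_param "$demo_dir/fwkern.conf" fwha_monitor_all_vlan 1
cat "$demo_dir/fwkern.conf"
rm -rf "$demo_dir"
```

Running the same call on every VSX Cluster Member and comparing the resulting files is a quick check that no member was missed.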

The VSX Gateway Management page allows you to define several security policy rules that protect the cluster itself. This policy is installed automatically on the new VSX Cluster.
Note - This policy applies only to traffic destined for the cluster. This policy does not apply to traffic that is destined for Virtual Systems, other Virtual Devices, external networks, and internal networks.
The security policy consists of predefined rules covering the following services:
- UDP: SNMP requests
- TCP: SSH traffic
- ICMP: Echo-request (ping)
- TCP: HTTPS (secure HTTP) traffic
Configuring the Cluster Security Policy
- Allow: Select a rule to allow traffic for that service. Clear a rule to block traffic. By default, all services are blocked.
  For example, you may wish to allow UDP echo-request traffic in order to be able to ping the VSX Cluster Member from the Management Server.
- Source: Click the arrow and select a Source Object from the list. The default value is *Any.
  Click New Source Object to define a new source.
For more about Security Policies, see the R82 Security Management Administration Guide.

- Click Next to continue and then click Finish to complete the VSX Cluster wizard.
  It can take several minutes to complete. A message appears indicating successful or unsuccessful completion of the process.
  If the process ends unsuccessfully, click View Report to view the error messages.
  For more information, see the troubleshooting steps in VSX Diagnostics and Troubleshooting.
- In SmartConsole, double-click the new VSX Cluster object.
- Configure the applicable settings.
- Click OK.
- Install the Access Control Policy.
- Install the Threat Prevention Policy.