Configuring Gateway and Cluster Objects

This section contains procedures for defining a gateway or a gateway cluster in SmartConsole.

Do the procedures that match your requirements, then install the policy.

Defining a Gateway Object

Options to define a gateway object:

  • Management First

    Define the gateway object in SmartConsole before you configure and set up the actual appliance on site. This is commonly used for remotely deployed appliances or appliances that connect to the Security Management Server with a dynamic IP address (assigned by a DHCP server or an ISP), as the IP address is not known at the time of the configuration of the object in SmartConsole. You can prepare a policy that the appliance pulls when it is configured.

    Workflow:

    1. In SmartConsole:

      1. Create the required objects and configure the required settings:

        Before you enable the IPSec VPN Software Blade, you must configure the VPN community and optionally, a VPN domain.

      2. Create the necessary gateway or cluster objects for your appliances.

      3. Install the Security Policy on the gateway object.

    2. Configure the appliance with the First Time Configuration Wizard.

      Alternatively, you can use a USB drive to quickly configure many appliances without the First Time Configuration Wizard.

      For more details, see Deploying from a USB Drive or SD Card.

    3. In SmartProvisioning, manage the gateway object settings.

  • Gateway First

    Configure and set up the appliance first. If a Security Management Server is configured on it, the appliance then tries to connect to that server at 1-hour intervals. If the gateway is reachable while you create the object in SmartConsole, the wizard can retrieve data from the gateway (such as its topology) and use it to help with the configuration.

    Workflow:

    1. Configure the relevant appliances with the First Time Configuration Wizard.

      Alternatively, you can use a USB drive to quickly configure many appliances without the First Time Configuration Wizard.

      For more details, see Deploying from a USB Drive or SD Card.

    2. In SmartConsole:

      1. Create the required objects and configure the required settings:

        Before you enable the IPSec VPN Software Blade, you must configure the VPN community and optionally, a VPN domain.

      2. Create the necessary gateway or cluster objects for your appliances.

      3. Install the Security Policy on the gateway object.

    3. In SmartProvisioning, manage the gateway object settings.

To define a single gateway object:

  1. Connect with SmartConsole to the Security Management Server.

  2. From the Objects menu, click More object types > Network Object > Gateways and Servers > New Gateway.

    The Check Point Security Gateway Creation window opens.

  3. Click Wizard Mode.

  4. On the General Properties page:

    1. In the Gateway name field, enter a name for the Security Gateway object.

    2. In the Gateway platform field, select the correct appliance series for the Quantum Spark appliance.

    3. The Version field automatically shows R80.20.

    4. In the Platform Type field, select the correct appliance type for the Quantum Spark appliance.

    5. Configure the IP address for the Quantum Spark appliance in one of these ways:

      • Select Static IP address and enter the IP address.

      • Select Dynamic IP address to get the gateway's IP address from a DHCP server.

    6. Click Next.

  5. On the Trusted Communication page, configure how the Security Management Server and the Quantum Spark appliance authenticate each other and click Next:

    • If on the previous General Properties page you selected Static IP address:

      1. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).

      2. If you selected Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it.

        This password is only used to establish the initial trust. After it is established, trust is based on security certificates.

        Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

      3. In the Trusted Communication section, select Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time or Initiate trusted communication now.

      4. Click Connect.

        A status window appears.

    • If on the previous General Properties page you selected Dynamic IP address:

      1. In the Gateway Identifier section, select one identifier: Gateway name, MAC address, or First to connect.

      2. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).

      3. If you selected Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it.

        This password is only used for establishing the initial trust. After it is established, trust is based on security certificates.

        Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

  6. On the Blade Activation page, select Activate and configure software blades now or Activate and configure software blades later.

    If you selected Activate and configure software blades now:

    1. Select the check boxes next to the Software Blades you want to activate.

    2. Click Next.

  7. On the Blade Configuration page, configure the required options and click Next:

    Note - This page appears only if on the previous Blade Activation page you selected Activate and configure software blades now.

    • NAT - The Hide internal networks behind the Gateway's external IP checkbox is selected by default.

    • IPSec VPN - In the Participate in a site to site community field, select a VPN community that this gateway participates in (you must create this VPN community before you start the wizard). If it is a star community, this gateway becomes a VPN satellite gateway.

    • QoS - Select the applicable inbound and outbound bandwidth rates.

  8. On the VPN Domain page, configure the VPN Encryption Domain settings and click Next:

    Note - This page appears only if on the previous Blade Activation page you selected the IPSec VPN Software Blade.

    Available options:

    • Hide VPN domain behind this gateway's external IP

      Select this option only if you want to hide all internal networks behind this gateway's external IP address. All outgoing traffic from the networks behind this gateway to other sites that participate in the VPN community is encrypted.

      With this option, connections initiated from other sites to hosts behind this gateway are not encrypted, because the VPN domain of this gateway contains only its external IP address. If hosts behind this gateway must be reachable from other sites, either select one of the other options (define a VPN topology), or make sure all traffic from the other sites is sent to this gateway's external IP address and define the corresponding NAT port-forwarding rules. For example: translate the destination of incoming HTTP connections sent to this gateway's external IP address to the IP address of a web server behind this gateway.

    • Create a new VPN domain

      1. In the Name field, enter a name for the group.

      2. From the Available objects list, select the applicable objects and click Add. The objects are added to the VPN domain members list.

        Note - To select multiple separate objects, press and hold the Ctrl key while you click them. To select multiple adjacent objects, press and hold the Shift key while you click the first and the last of them.

    • Select an existing VPN domain

      You must create this VPN domain before you start the wizard.

  9. On the Installation Wizard Completion page:

    You see a summary of the configuration parameters you set.

    If you want to configure more options of the Security Gateway, select Edit Gateway properties for further configuration.

    Click Finish.

  10. The General Properties window of the newly defined object opens.

    Configure the applicable settings and click OK.

  11. Install the Security Policy on the gateway object.
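The choices on the Trusted Communication page decide who can claim this gateway object before trust exists: a static-IP object is tied to an address, a dynamic-IP object is tied to whatever identifier you pick (Gateway name, MAC address, or nothing at all with First to connect), and the one-time password is only for the initial handshake. The following Python model is added here as an example; it is not Check Point's SIC implementation, only the decision rules this page describes. The field names, the source-IP check for static objects and the MAC record kept after trust are assumptions made for the model.

```python
"""Illustrative model of the trust-establishment options on the Trusted
Communication page. Added example, not Check Point's SIC code."""
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class GatewayObject:
    """What SmartConsole knows about the gateway before trust exists (assumed fields)."""
    name: str
    ip_mode: str                            # "static" or "dynamic"
    auth: str                               # "otp" or "none" (less secure)
    ip: Optional[str] = None                # required when ip_mode == "static"
    otp: Optional[str] = None               # required when auth == "otp"
    identifier: Optional[str] = None        # dynamic only: "name", "mac" or "first"
    identifier_value: Optional[str] = None  # expected gateway name or MAC address
    trusted: bool = False
    bound_mac: Optional[str] = None         # recorded once trust is established (assumption)


@dataclass
class ConnectAttempt:
    """A gateway presenting itself to the Security Management Server (constructed)."""
    src_ip: str
    name: str
    mac: str
    otp: Optional[str] = None


def evaluate_trust(obj: GatewayObject, attempt: ConnectAttempt) -> Tuple[bool, str]:
    """Return (accepted, reason). On success the object is marked trusted, the
    one-time password is discarded and the presenting MAC is recorded."""
    if obj.trusted:
        # After initial trust, authentication is certificate based: the OTP
        # cannot be replayed by another host to take over the object.
        return False, "trust already established; OTP no longer accepted"

    # Step 1: identity binding, which depends on how the object was defined.
    if obj.ip_mode == "static":
        if attempt.src_ip != obj.ip:
            return False, "source IP does not match the static IP of the object"
    elif obj.ip_mode == "dynamic":
        if obj.identifier == "name":
            if attempt.name != obj.identifier_value:
                return False, "gateway name does not match the identifier"
        elif obj.identifier == "mac":
            if attempt.mac.lower() != (obj.identifier_value or "").lower():
                return False, "MAC address does not match the identifier"
        elif obj.identifier == "first":
            pass  # no identity check at all: whoever connects first claims the object
        else:
            return False, "a dynamic IP object needs a gateway identifier"
    else:
        return False, "unknown ip_mode"

    # Step 2: authentication (constant-time compare so timing does not leak the OTP).
    if obj.auth == "otp":
        if obj.otp is None or attempt.otp is None or not hmac.compare_digest(obj.otp, attempt.otp):
            return False, "one-time password mismatch"
    elif obj.auth != "none":
        return False, "unknown auth mode"

    obj.trusted = True
    obj.otp = None            # the password is only for establishing initial trust
    obj.bound_mac = attempt.mac
    return True, "trust established; further authentication is certificate based"


def exposure(obj: GatewayObject) -> str:
    """Plain-language statement of who can claim this object before trust exists."""
    if obj.ip_mode == "static":
        who = f"a host at {obj.ip}"
    elif obj.identifier == "first":
        who = "any host that reaches the Security Management Server"
    else:
        who = f"a host presenting {obj.identifier} == {obj.identifier_value!r}"
    return who + (" with the one-time password" if obj.auth == "otp" else " without any authentication")


if __name__ == "__main__":
    branch = GatewayObject("branch-1", "dynamic", "otp", otp="S3cret!",
                           identifier="mac", identifier_value="00:1C:7F:AA:BB:CC")
    print(exposure(branch))
    print(evaluate_trust(branch, ConnectAttempt("198.51.100.7", "branch-1", "00:1c:7f:aa:bb:cc", "S3cret!")))
    print(evaluate_trust(branch, ConnectAttempt("198.51.100.9", "branch-1", "00:1c:7f:aa:bb:cc", "S3cret!")))
```

The combination to avoid is Dynamic IP address + First to connect + Initiate trusted communication without authentication: in that case `exposure()` reports that any host able to reach the management server can become this gateway object, and the model accepts it. Pick Gateway name or MAC address and a one-time password, and note that even with an identifier the OTP is what stops a spoofed name or MAC from claiming the object.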

Defining a Gateway Cluster Object

A Quantum Spark appliance Security Gateway cluster is a group of two members. Each member is a separate Quantum Spark appliance with the High Availability software installed. ClusterXL is the Check Point clustering solution; third-party OPSEC-certified clustering products are not supported.

High Availability

High Availability lets an organization maintain connections when one cluster member fails. Only one member is active at a time (Active/Standby operation). Load Sharing is not supported on this appliance.

Prerequisites

You must first configure and set up the two gateways with their actual (physical) IP addresses. Only then can you create the cluster object in SmartConsole or SmartProvisioning. The policy installation from the Security Management Server informs the gateways that they are configured as cluster members.

Workflow

  1. Do not connect the two Quantum Spark appliances to the power source.

  2. Connect the required cables.

  3. On the first appliance:

    1. Turn it on.

    2. Configure it with the First Time Configuration Wizard.

    3. Reboot it.

    4. Shut it down.

    Note - If you do not follow this order, you cannot use the http://my.firewall URL correctly and must connect with the gateway's actual IP address (initially 192.168.1.1 on LAN1, before you change it on the Quantum Spark appliance).

  4. On the second appliance:

    1. Turn it on.

    2. Configure it with the First Time Configuration Wizard.

    3. Reboot it.

  5. Turn on the first appliance.

  6. In SmartConsole:

    1. Configure the cluster object.

    2. Install the Security Policy on the cluster object.

  7. In SmartProvisioning, manage the appliance settings for the cluster object.

Creating a Cluster for New Gateways

Note - See your Quantum Spark appliance Getting Started Guide for full instructions to set up and connect the Quantum Spark appliance.

The configuration procedure consists of two parts:

  1. Initial configuration of two new Quantum Spark appliance gateways

  2. Creating and configuring a cluster object

Part 1 - Initial configuration of two new Quantum Spark appliance gateways:

  1. Do not connect the two Quantum Spark appliances to the power source.

  2. Connect the required cables to the two Quantum Spark appliances and between them.

  3. Connect the first Quantum Spark appliance to the power source and turn it on.

  4. Connect your computer to the LAN1 interface of the first Quantum Spark appliance.

  5. Configure your computer to get an IP address automatically.

  6. With a web browser on your computer connect to: http://my.firewall

  7. Follow the steps to configure the first Quantum Spark appliance with the First Time Configuration Wizard.

    Important:

    • The WAN interface:

      When you create the cluster object in SmartConsole in Wizard Mode, it assumes that the WAN interface is part of the cluster.

      Make sure the WAN interfaces on the two appliances are configured with static IP addresses in the same subnet.

    • The cluster SYNC interface:

      • Use an Ethernet cross-cable to connect SYNC interfaces on the two appliances.

      • By default, the LAN2 interfaces are used for cluster synchronization.

      • It is not necessary to configure an IP address on the LAN2 interface at any stage of the gateway side configuration.

        If you do not configure an IP address on the LAN2 interface, the IP addresses of the SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2.

      • If you manually configure IP addresses on the SYNC interfaces, you must configure these IP addresses to be on the same subnet.

      • You can use a different SYNC interface other than LAN2. For more information, see sk52500.

    • To configure IP addresses on interfaces other than WAN and LAN1, use each gateway's WebUI (the Internet or Local Network pages). For each interface that is part of the cluster, configure an IP address in the same subnet as the address on the peer cluster member.

    • One-time password:

      • Remember this one-time password. You need it to configure the cluster object in SmartConsole.

      • The one-time password must be the same on the two cluster members to create the cluster object in Wizard Mode.

      • If the one-time password is not the same on the two cluster members, you must create the cluster object in Classic Mode.

  8. Reboot the first Quantum Spark appliance.

  9. Shut down the first Quantum Spark appliance.

  10. Connect the second Quantum Spark appliance to the power source and turn it on.

  11. Connect your computer to the LAN1 interface of the second Quantum Spark appliance.

  12. Renew the dynamic IP address on your computer.

  13. With a web browser on your computer connect to: http://my.firewall

  14. Follow the steps to configure the second Quantum Spark appliance with the First Time Configuration Wizard.

    Important - The same considerations apply as for the first appliance (see the Important list under step 7): the WAN interface must have a static IP address in the same subnet as on the first appliance; the SYNC interface (LAN2 by default, connected with an Ethernet cross-cable) is either left without an IP address on both appliances or configured in the same subnet on both; every other clustered interface needs an IP address in the same subnet as its peer; and the one-time password must be the same on both cluster members to create the cluster object in Wizard Mode (otherwise use Classic Mode).

  15. Reboot the second Quantum Spark appliance.

  16. Turn on the first Quantum Spark appliance (connect it to the power source).

Part 2 - Creating and configuring a cluster object

  1. Connect with SmartConsole to the Security Management Server.

  2. From the Objects menu, click More object types > Network Object > Gateways and Servers > New Small Office Cluster.

    The Check Point Security Gateway Cluster Creation window opens.

  3. Click Wizard Mode.

  4. On the Cluster General Properties page:

    1. In the Cluster name field, enter a name for the Cluster object.

    2. In the Hardware field, select the correct appliance series for the Quantum Spark appliance.

    3. Click Next.

  5. On the Cluster Members page:

    • In the First Member section:

      1. In the Member name field, enter a name for the first Cluster Member object.

      2. In the Member IPv4 address field, enter the IPv4 address for the first Cluster Member object. By default, this must be the IPv4 address assigned to the WAN interface.

    • In the Second Member section:

      1. Clear the Define the second cluster member now check box only if you first want to check communication and connectivity with the first member alone.

        The wizard then completes the definitions for the first cluster member only.

      2. In the Member name field, enter a name for the second Cluster Member object.

      3. In the Member IPv4 address field, enter the IPv4 address for the second Cluster Member object. By default, this must be the IPv4 address assigned to the WAN interface.

    • In the Secure Internal Communication section:

      In the Password field, enter the same one-time password you entered in the First Time Configuration Wizard on each appliance.

      Click Next.

      The wizard establishes trust between the Security Management Server and the appliances.

      Note - After trust is established, it is based on security certificates.

  6. On the Cluster Interface Configuration page, define if a network interface on the Quantum Spark appliance is part of the cluster:

    This window appears for each network interface that was configured on the Quantum Spark appliance.

    The total number of interfaces configured on the gateway appears in the window title. For example, if 3 interfaces are configured on the gateway, you must complete 3 of these windows. The breadcrumb image at the top of the window shows the interface you are currently configuring, and its name appears in the Interface column. The image at the bottom of the page shows whether the interface is set for High Availability: when it is, the physical IP addresses of the two Cluster Members on that interface are represented to the network by the cluster's virtual IP address.

    Each network interface (on both Cluster Members) has a unique IP address.

    When High Availability is enabled on the interface, then the cluster requires an additional unique virtual IP address. This virtual IP address is visible to the network and ensures that cluster failover events are transparent to all hosts on the network.

    When High Availability is disabled on the interface, the interface is considered non-monitored private (not part of the cluster configuration).

    You can configure High Availability for all network interfaces except for the WAN interface. By default, the WAN interface is always part of the cluster. If you do not want the WAN interface to be part of the cluster, edit the Cluster object in SmartConsole after you complete the wizard.

    If the WAN interface was not defined, edit the Cluster object in SmartConsole and select a correct main IP address for the cluster object. (This IP address is used, for example, in VPN as one of the Link Selection options).

    You do not configure the LAN2 interface as it is automatically configured by the wizard and is used only for the SYNC interface. Make sure a cable is connected between the two LAN2/SYNC ports of both appliances.

    Note - The LAN2/SYNC interface supports only IPv4 addresses.

    Configuration:

    1. For an interface that is always part of the cluster (the WAN interface), enter a virtual IP Address and Net Mask for the cluster. The virtual IP address is applied in the next policy installation.

    2. Click Next.

    3. For every other interface, to enable High Availability on it, select the Enable High Availability on <name> interface checkbox.

      The <name> is the name of the network interface as defined on the Quantum Spark appliance.

      When High Availability is selected, enter a virtual IP Address and Net Mask for the cluster. The virtual IP address is applied in the next policy installation. If you leave the checkbox cleared, the interface is treated as non-monitored private and is not part of the cluster.

    4. Click Next.

    5. Repeat steps 3 and 4 for each remaining defined interface.

    6. Click Next.

  7. On the Installation Wizard Completion page:

    You see a summary of the configuration parameters you set.

    If you want to configure more settings in the Cluster object, select Edit Cluster in Advanced mode.

    Click Finish.

  8. The General Properties window of the newly defined object opens.

    Configure the applicable settings and click OK.

  9. Install the Security Policy on the cluster object.

  10. Renew the dynamic IP address on the computer connected to one of the Cluster Members.

    You can then use https://my.firewall to access the Active Cluster Member.

Converting an Existing Quantum Spark Appliance to a Cluster

Do these procedures to convert an existing Quantum Spark Appliance to a cluster.

The procedures require some downtime.

Important - If it is necessary to add a new cluster interface after the cluster is already configured and running, follow the procedure in sk176369 (no downtime is required).

Terms used:

  • GW - The existing Quantum Spark Appliance gateway object that has already established trust and has an installed policy.

  • Cluster - The new Quantum Spark Appliance cluster object that you create.

  • GW_2 - The new cluster member object that joins the existing gateway.

To configure the new appliance GW_2 with the First Time Configuration Wizard:

  1. Configure the actual (physical) IP addresses of GW_2, not the virtual IP addresses. The IP addresses that the existing gateway GW currently uses become the cluster's virtual IP addresses.

  2. Clear the Enable switch on LAN ports checkbox.

    If you do not do this, the default switch configuration is automatically removed during the cluster's first policy installation, as it is not supported in a cluster configuration.

    Note - It is more secure to remove the switch configuration before initial policy installation.

  3. Configure the LAN2 port (used for cluster synchronization) with an IP address that is in the same network as the other cluster member.

    It is recommended to assign a static IP address for the sync interface.

  4. Do not fetch the policy from the Security Management Server.

To create and configure the cluster in SmartConsole:

  1. Use the wizard to create a new Quantum Spark appliance cluster.

  2. Define the IP address as the IP address used by the existing gateway GW.

  3. Define the first member with GW_2's IP address.

    Important - Do not define the second cluster member using the wizard.

  4. Establish trusted communication.

  5. Define all the IP addresses of the clustered interfaces.

    Use the existing gateway GW IP address as the virtual IP address of the cluster.

  6. At the end of the wizard, select the Edit the cluster in Advanced Mode checkbox.

  7. In Advanced Mode, copy all the applicable configuration settings from the GW object to the cluster object.

To reconfigure the existing Quantum Spark appliance:

  1. Connect to the WebUI of the existing gateway GW.

  2. Reconfigure the IP addresses of the clustered interfaces with the actual (physical) IP addresses that this gateway uses as a member of the cluster. The addresses it used until now are the cluster's virtual IP addresses and must not stay on the physical interfaces.

    Important - Downtime starts.

To configure the cluster in SmartConsole:

  1. In the GW object, change the main IP address and the IP addresses that appear in the topology table to the actual IP addresses you configured on the appliance in the previous procedure.

  2. Install policy on Cluster.

    Important - Downtime ends. At this point, the cluster contains only one member, GW_2.

  3. Edit the Cluster object and go to Cluster Members > Add > Add existing gateway to add GW as the second member.

  4. If GW does not appear in the list, click Help and make sure GW does not match any of the categories that prevent it from being added to a cluster.

    Note - Use the information on this Help page to determine if there are any configuration settings you want to copy to the new Cluster object.

  5. In the Cluster object, click Topology > Get Topology to update the topology of the Cluster object.

  6. Install policy on the cluster object.
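The addressing rules spread across this page (in Part 1: static WAN addresses in one subnet, SYNC addresses in one subnet, every clustered interface in the same subnet as its peer, and the one-time password rule that decides between Wizard Mode and Classic Mode; in Part 2: a unique physical address per interface per member plus a unique virtual IP address per clustered interface; in the conversion procedure: physical addresses for GW_2, never the virtual ones) are easy to get wrong on two boxes configured by hand through the WebUI. The following Python script is added here as an example and is not a Check Point tool. It checks a planned address layout against those rules and builds the layout for the conversion case, where the existing gateway's addresses become the cluster's virtual IP addresses. The interface names, the /24 mask assumed for the default SYNC addresses (the page gives only the addresses 10.231.149.1 and 10.231.149.2) and all sample addresses are constructed assumptions.

```python
"""Pre-flight check of the cluster addressing rules stated on this page.
Added example, not Check Point tooling. Sample data is constructed."""
import ipaddress
from typing import Dict, List

SYNC_IFACE = "LAN2"   # page: LAN2 is the default SYNC interface (sk52500 for others)
# Page: an unconfigured LAN2 gets 10.231.149.1 / 10.231.149.2. The /24 mask is an assumption.
DEFAULT_SYNC = ("10.231.149.1/24", "10.231.149.2/24")


def _iface(addr: str) -> ipaddress.IPv4Interface:
    """Parse 'a.b.c.d/len'; raises ValueError on malformed input."""
    return ipaddress.ip_interface(addr)


def check_cluster_plan(plan: dict) -> List[str]:
    """Return a list of rule violations; an empty list means the plan is consistent.
    plan = {"members": {member: {iface: "a.b.c.d/len"}}, "vips": {iface: "a.b.c.d"}}"""
    problems: List[str] = []
    members = plan["members"]
    if len(members) != 2:
        return ["a Quantum Spark cluster has exactly two members"]
    (m1, a1), (m2, a2) = members.items()

    # SYNC: either both members leave LAN2 unconfigured (defaults apply) or both set it.
    if SYNC_IFACE not in a1 and SYNC_IFACE not in a2:
        a1, a2 = {**a1, SYNC_IFACE: DEFAULT_SYNC[0]}, {**a2, SYNC_IFACE: DEFAULT_SYNC[1]}
    elif (SYNC_IFACE in a1) != (SYNC_IFACE in a2):
        problems.append(f"{SYNC_IFACE}: configure an IP address on both members or on neither")

    if "WAN" not in plan["vips"]:
        problems.append("WAN has no virtual IP; the wizard assumes WAN is part of the cluster")
    if SYNC_IFACE in plan["vips"]:
        problems.append(f"{SYNC_IFACE} is the SYNC interface and must not get a virtual IP")

    # Every physical address must be unique across both members.
    seen: Dict[str, str] = {}
    for member, addrs in ((m1, a1), (m2, a2)):
        for iface, addr in addrs.items():
            ip = str(_iface(addr).ip)
            if ip in seen:
                problems.append(f"{ip} is used twice ({seen[ip]} and {member}/{iface})")
            seen[ip] = f"{member}/{iface}"

    # Clustered interfaces (and SYNC) must share a subnet; the VIP must sit inside it.
    for iface in sorted(set(a1) & set(a2)):
        n1, n2 = _iface(a1[iface]).network, _iface(a2[iface]).network
        if (iface in plan["vips"] or iface == SYNC_IFACE) and n1 != n2:
            problems.append(f"{iface}: {a1[iface]} and {a2[iface]} are not in the same subnet")
        if iface in plan["vips"]:
            vip = ipaddress.ip_address(plan["vips"][iface])
            if vip not in n1:
                problems.append(f"{iface}: virtual IP {vip} is outside {n1}")
            if str(vip) in seen:
                problems.append(f"{iface}: virtual IP {vip} collides with physical address on {seen[str(vip)]}")
    for iface in plan["vips"]:
        if iface not in a1 or iface not in a2:
            problems.append(f"{iface}: a clustered interface needs a physical IP on both members")
    return problems


def creation_mode(otp_member1: str, otp_member2: str) -> str:
    """Same one-time password on both members -> Wizard Mode, otherwise Classic Mode."""
    return "Wizard Mode" if otp_member1 == otp_member2 else "Classic Mode"


def conversion_plan(gw_current: Dict[str, str], gw_new: Dict[str, str], gw2: Dict[str, str]) -> dict:
    """Address plan for converting existing gateway GW: its current addresses become the
    cluster's virtual IPs; GW (reconfigured) and GW_2 get new physical addresses."""
    vips = {iface: str(_iface(addr).ip) for iface, addr in gw_current.items() if iface != SYNC_IFACE}
    return {"members": {"GW_2": gw2, "GW": gw_new}, "vips": vips}


if __name__ == "__main__":
    plan = {"members": {"gw-a": {"WAN": "203.0.113.11/24", "LAN1": "192.168.1.2/24"},
                        "gw-b": {"WAN": "203.0.113.12/24", "LAN1": "192.168.1.3/24"}},
            "vips": {"WAN": "203.0.113.10", "LAN1": "192.168.1.1"}}
    print(check_cluster_plan(plan) or "plan OK", creation_mode("abc123", "abc123"))
```

Run it against the addresses you intend to type into the two First Time Configuration Wizards and into the Cluster Interface Configuration pages; a non-empty list means the wizard (or the first policy installation) will trip over that interface. For the conversion case, feed `conversion_plan()` the existing gateway's current addresses and the new physical ones, and the check flags the common mistake of giving GW_2 the address that is about to become the virtual IP.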

Viewing Cluster Status in the WebUI

After policy installation completes on the Quantum Spark appliance and the gateway runs as a cluster member, you can view the cluster status in the WebUI (Device > High Availability).