Configuring High Availability

Background

A Cluster (two Quantum Spark Appliances connected to each other for High Availability) maintains connections in the organization's network when one of the Cluster Members fails. The cluster provides redundancy.

In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) connected to your Management Server (a Check Point Security Management Server or a Multi-Domain Security Management Server), you configure a Small Office Cluster object and install a security policy on that cluster object.

Limitations

  • You cannot create a cluster when you have a switch defined in the network settings on the appliance. If necessary, change network settings in the Device > Local Network page.

  • In versions R81.10.10 and lower, it is not supported to configure a Cluster of Quantum Spark Appliances when an Internet connection is a Bond interface.

  • Cluster requires Static IP addresses on the physical cluster interfaces.

  • Cluster does not support pure IPv6 addresses on cluster interfaces (you must also configure IPv4 addresses).

Prerequisites

  • In WebUI > Device > Local Network, delete switch configurations before you start to configure a cluster.

  • The appliances in a cluster must have the same hardware, firmware, and licenses.

    Note - Connect the sync cables only after you complete the First Time Configuration Wizard and remove the switch on both appliances. No additional configuration is required on the members.

Best Practice - Designate the same LAN port for the Sync interface. The default Sync interface is LAN2/SYNC.

Notes:

  • In versions R81.10.00 - R81.10.10, you can use a Bond interface in the Active-Backup mode as a Sync interface only in Centrally Managed appliances.

    Starting in R81.10.15, this is also supported in Locally Managed appliances.

  • You can configure a maximum of two subordinate Bond ports when the Bond serves as a Sync interface.

  • The two subordinate Bond ports can be connected directly between the members or through a switch:

    • In a direct connection, the cable connects between the dedicated subordinate Sync ports on the appliances.

    • With a switch, the cables connect between the dedicated subordinate Bond ports on the appliances and the corresponding ports on a switch between the appliances.

  • A cluster can also be configured in the Bridge Active/Standby mode.

Configuring a Centrally Managed Cluster

Part 1 - On the appliances:

  1. For each gateway, run the First Time Configuration Wizard. On the Security Management page, select Central and click Next.

  2. On the One Time Password (SIC) page, set the one-time password.

  3. Select the option Connect to the Security Management Server later and click Finish.

  4. Finish networking configuration (LAN, WAN, and other interfaces).

Part 2 - In SmartConsole:

  1. Connect with SmartConsole to the Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) or to the Domain Management Server.

  2. From the left navigation panel, click Gateways & Servers.

    At the top, click New > Cluster > Small Office Cluster > Classic mode.

  3. In the Gateway Cluster Properties window, configure the Name, IPv4 Address (Virtual IPv4 address of the Cluster), Hardware, Version, and Type.

  4. In the left navigation tree, click the Cluster Members page.

    Click Add > New Cluster Member to add the first cluster member.

  5. In the Cluster Member Properties window, configure the cluster member Name and IPv4 Address.

    Click Communication > enter the one-time password you configured on the appliances > click Initialize.

    You should see Trust established.

  6. In the left navigation tree, click the Cluster Members page.

    Click Add > New Cluster Member to add the second cluster member.

  7. In the Cluster Member Properties window, configure the cluster member Name and IPv4 Address.

    Click Communication > enter the one-time password you configured on the appliances > click Initialize.

    You should see Trust established.

  8. Configure the cluster member topology:

    1. In Cluster Object, go to the Topology tab > click Edit Topology.

    2. In the Edit Topology window, click Get... > select All Members' Interfaces with Topology.

      Configure the topology and set Network Objectives.

      Configure the Cluster IP address (Virtual IP). This address can be either within the same network as the physical interfaces or in a separate network.

  9. Finish the Cluster object configuration and click OK.

  10. At the top of SmartConsole, click Publish to save your changes.

  11. At the top of SmartConsole, click Install Policy and select this cluster object.

Part 3 - On the appliances:

Go to the WebUI > High Availability page to make sure the cluster was created.

Configuring a Cluster with a Single Routable IP Address in Central Management

You can configure a cluster with a Single Routable IP address where the cluster Virtual IP address is in a different subnet than the physical IP addresses of the Cluster Members. Only the cluster Virtual IP address is routable. Traffic sent from Cluster Members to internal or external networks is hidden behind the Cluster Virtual IP address.

Advantages of using different subnets:

  • Use only one Virtual IP address for the cluster.

  • Hide physical Cluster Members' IP addresses behind the cluster Virtual IP address.

  • Create a cluster in an existing subnet that has a limited number of available IP addresses.

On the Quantum Spark appliances:

  1. Configure all relevant internal interfaces as for a regular cluster.

  2. Configure the external interfaces (WAN) on both appliances to use dummy IP addresses (IP address and Default Gateway).

    For example, 2.2.2.1 and 2.2.2.2.

  3. Disable all probing options.

    In the Edit Internet Connection window, go to the Connection Monitoring tab and clear all the probing checkboxes on both cluster members.

  4. Follow the steps above for configuring a cluster.

  5. After policy installation (the last step), in the WebUI of each cluster member configure a different default gateway, one that is not in the subnet of the dummy IP address.

    Go to Device > Network tab > Internet page > Edit internet configuration.

  6. Change the Default Gateway to the default gateway on the subnet of the external Cluster IP address.

    At this point you can re-enable the probing options.

    Important - In this case there is no direct access to the Standby cluster member from the Internet.

    Therefore, the Management Server must connect to cluster members from the internal network.
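As an added pre-flight check (not part of the original page or of Check Point's own tooling), the following script encodes the address-plan rules stated above: IPv4 is required on cluster interfaces, the two physical member addresses share one subnet, and in the single-routable-IP layout the default gateway must sit in the Cluster Virtual IP subnet rather than in the dummy subnet. The addresses in the plan are constructed sample values; only 2.2.2.1 and 2.2.2.2 come from the page's example.

```python
import ipaddress

# Constructed sample plan for a single-routable-IP cluster (assumed values).
PLAN = {
    "vip": "203.0.113.10/24",                 # routable Cluster Virtual IP
    "members": ["2.2.2.1/24", "2.2.2.2/24"],  # dummy WAN IPs from the page's example
    "default_gateway": "203.0.113.1",         # gateway on the VIP subnet (step 6)
}


def check_cluster_plan(plan):
    """Return (mode, problems). mode is 'regular' when the VIP shares the
    members' subnet, 'single-routable-ip' otherwise. An empty problems list
    means the plan satisfies the page's stated constraints."""
    problems = []
    vip = ipaddress.ip_interface(plan["vip"])
    members = [ipaddress.ip_interface(m) for m in plan["members"]]
    gw = ipaddress.ip_address(plan["default_gateway"])

    # Limitation: pure IPv6 is not supported on cluster interfaces.
    for iface in [vip, *members]:
        if iface.version != 4:
            problems.append(f"{iface} is not IPv4; cluster interfaces need IPv4")
    if problems:
        return ("unknown", problems)

    # Exactly two members, distinct addresses, one shared physical subnet.
    if len(members) != 2:
        problems.append("a Quantum Spark cluster has exactly two members")
    if len({m.ip for m in members}) != len(members):
        problems.append("member IP addresses are not unique")
    if len({m.network for m in members}) != 1:
        problems.append("member interfaces are not in the same subnet")
    if vip.ip in {m.ip for m in members}:
        problems.append("the Virtual IP collides with a member IP")

    mode = "regular" if vip.network == members[0].network else "single-routable-ip"
    # The gateway must be on-link for the routable (VIP) subnet.
    if gw not in vip.network:
        problems.append(f"default gateway {gw} is not in VIP subnet {vip.network}")
    # Step 6: in single-routable mode the gateway must leave the dummy subnet.
    if mode == "single-routable-ip" and gw in members[0].network:
        problems.append(f"default gateway {gw} is still in the dummy subnet")
    return (mode, problems)


if __name__ == "__main__":
    mode, problems = check_cluster_plan(PLAN)
    print(mode, problems or "plan OK")
```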