Important Information
Introduction to ClusterXL
The Need for Gateway Clusters
ClusterXL Gateway Cluster Solution
How ClusterXL Works
The Cluster Control Protocol
Installation and Platform Support
ClusterXL Licenses
Clock Synchronization in ClusterXL
Clustering Definitions and Terms
Synchronizing Connection Information Across the Cluster
The Check Point State Synchronization Solution
The Synchronization Network
How State Synchronization Works
Non-Synchronized Services
Configuring Services not to Synchronize
Duration Limited Synchronization
Non-Sticky Connections
To configure duration limited synchronization:
Sticky Connections
Introduction to Sticky Connections
The Sticky Decision Function
VPN Tunnels with 3rd Party Peers and Load Sharing
Third-Party Gateways in Hub and Spoke Deployments
Configuring the Sticky Decision Function
To configure the Sticky Decision Function:
Establishing a Third-Party Gateway in a Hub and Spoke Deployment
High Availability and Load Sharing in ClusterXL
Introduction to High Availability and Load Sharing
Load Sharing
High Availability
Example ClusterXL Topology
Defining the Cluster Member IP Addresses
Defining the Cluster Virtual IP Addresses
Configuring Cluster Addresses on Different Subnets
ClusterXL Modes
Load Sharing Multicast Mode
Load Sharing Unicast Mode
High Availability Mode
Mode Comparison Table
When Does a Failover Occur?
What Happens When a Gateway Recovers?
How a Recovered Cluster Member Obtains the Security Policy
Implementation Planning Considerations
High Availability or Load Sharing
Choosing the Load Sharing Mode
IP Address Migration
Hardware Requirements, Compatibility and Cisco Example
ClusterXL Hardware Requirements
Operating System Compatibility
ClusterXL Compatibility (excluding IPS)
ClusterXL Compatibility with IPS
Forwarding Layer
Configuring ClusterXL
Preparing the Cluster Member Machines
Configuring Routing for Client Machines
Choosing the CCP Transport Mode on the Cluster Members
Configuring Cluster Objects & Members
Using the Wizard
Classic Mode Configuration
Configuring General Properties
Defining Cluster Members
Configuring ClusterXL Properties
To Configure ClusterXL properties:
Configuring the Cluster Topology
Completing the Definition
Working with OPSEC Certified Clustering Products
Introduction to OPSEC Certified Clustering Products
Configuring OPSEC Certified Clustering Products
Preparing the Switches and Configuring Routing
To prepare the cluster member machines:
SmartDashboard Configuration for OPSEC Clusters
CPHA Command Line Behavior in OPSEC Clusters
The cphastart and cphastop Commands in OPSEC Clusters
The cphaprob Command in OPSEC Clusters
UTM-1 Clustering
Configuring a Cluster on New Appliances
Configuring the IP Addresses
Initial Configuration
Configuring the Cluster in SmartDashboard
Adding an Existing UTM-1 Appliance to a Cluster
Removing a Cluster Member
Upgrading to a UTM-1 Cluster
Importing a Database to a Primary Cluster Member
Migrating a Database to a UTM-1 Cluster
Supported Logging Options for UTM-1 Clusters
Recommended Logging Options for High Availability
Monitoring and Troubleshooting Gateway Clusters
Verifying that a Cluster is Working Properly
The cphaprob Command
Monitoring Cluster Status
Monitoring Cluster Interfaces
Monitoring Critical Devices
Registering a Critical Device
Registering Critical Devices Listed in a File
Unregistering a Critical Device
Reporting Critical Device Status to ClusterXL
Monitoring Cluster Status Using SmartConsole Clients
SmartView Monitor
SmartView Tracker
ClusterXL Configuration Commands
The cphaconf Command
The cphastart and cphastop Commands
How to Initiate Failover
Stopping the Cluster Member
Starting the Cluster Member
Monitoring Synchronization (fw ctl pstat)
Troubleshooting Synchronization
Introduction to cphaprob [-reset] syncstat
Output of cphaprob [-reset] syncstat
Synchronization Troubleshooting Options
Enlarging the Sync Timer
ClusterXL Error Messages
General ClusterXL Error Messages
SmartView Tracker Active Mode Messages
Sync Related Error Messages
TCP Out-of-State Error Messages
Platform Specific Error Messages
Member Fails to Start After Reboot
ClusterXL Advanced Configuration
Working with VPNs and Clusters
Configuring VPN and Clusters
Defining VPN Peer Clusters with Separate Security Management Servers
Working with NAT and Clusters
Cluster Fold and Cluster Hide
Configuring NAT on the Gateway Cluster
Configuring NAT on a Cluster Member
Working with VLANs and Clusters
VLAN Support in ClusterXL
Connecting Several Clusters on the Same VLAN
Monitoring the Interface Link State
Enabling Interface Link State Monitoring
Link Aggregation and Clusters
Link Aggregation - High Availability Mode
Fully Meshed Redundancy
Bond Failover
Creating an Interface Bond in High Availability Mode
Removing IP Addresses from Slave Interfaces
Setting Slave Interfaces as Disconnected
Defining the Interface Bond
Verifying that the Bond is Functioning Properly
Failover Support for VLANs
Link Aggregation - Load Sharing Mode
Workflow of Interface Bond in Load Sharing Mode
Setting Critical Required Interfaces
Configuring Cisco Switches for Load Sharing
Defining VLANs on an Interface Bond
Performance Guidelines for Link Aggregation
ClusterXL Commands for Interface Bonds
Troubleshooting Bonded Interfaces
Troubleshooting Workflow
Connectivity Delays on Switches
Advanced Cluster Configuration
How to Configure Gateway Configuration Parameters
How to Configure Gateway to Survive a Boot
Setting Module Variables in IPSO 6.1 and Later
Controlling the Clustering and Synchronization Timers
Blocking New Connections Under Load
Working with SmartView Tracker Active Mode
Reducing the Number of Pending Packets
Configuring Full Synchronization Advanced Options
Defining Disconnected Interfaces
Defining a Disconnected Interface on Unix
Defining a Disconnected Interface on Windows
Configuring Policy Update Timeout
Enhanced 3-Way TCP Handshake Enforcement
Configuring Cluster Addresses on Different Subnets
Introduction to Cluster Addresses on Different Subnets
Configuration of Cluster Addresses on Different Subnets
Example of Cluster Addresses on Different Subnets
Limitations of Cluster Addresses on Different Subnets
Moving from a Single Gateway to a ClusterXL Cluster
On the Single Gateway Machine
On Machine 'B'
In SmartDashboard, for Machine 'B'
On Machine 'A'
In SmartDashboard for Machine 'A'
Adding Another Member to an Existing Cluster
Configuring ISP Redundancy on a Cluster
Enabling Dynamic Routing Protocols in a Cluster Deployment
Components of the System
Dynamic Routing in ClusterXL
High Availability Legacy Mode
Introduction to High Availability Legacy Mode
Example Legacy Mode Deployment
Shared Interfaces IP and MAC Address Configuration
The Synchronization Interface
Planning Considerations
Security Management Server Location
Routing Configuration
Switch (Layer 2 Forwarding) Considerations
Configuring High Availability Legacy Mode
SmartDashboard Configuration
Moving from High Availability Legacy with Minimal Effort
On the Gateways
From SmartDashboard
Moving from High Availability Legacy with Minimal Downtime
The clusterXL_monitor_process script
