Checkpoint Cluster Configuration R80.20

To build a cluster, each gateway needs three interfaces, so the lab uses three VMware virtual networks (VMnets), as shown in the diagram above.
VMnet1: 192.168.1.0/24 | VMnet2: 1.1.1.0/24 | VMnet0: 172.16.100.0/24
IP Address Details
Gateway 1 (Active) : Internal (eth0) ---> 192.168.1.2/24 | External (eth2) ---> 172.16.100.121/24
Gateway 2 (Standby) : Internal (eth0) ---> 192.168.1.3/24 | External (eth2) ---> 172.16.100.122/24
Cluster VIP (Virtual IP) : Internal ---> 192.168.1.5/24 | External ---> 172.16.100.125/24
Sync IP : Active Gateway (eth1) ---> 1.1.1.2/24 | Standby Gateway (eth1) ---> 1.1.1.3/24 (no VIP is required on the sync network)
Route
Internal LAN (192.168.1.0/24) ---> Default Gateway : Internal VIP 192.168.1.5/24
Gateways (172.16.100.121/24 & 172.16.100.122/24) ---> Default Gateway : 172.16.100.1/24 (the WiFi router, not a VIP; see the NOTE under STEP 01)
HOST Machine (where VMware is running) ---> 192.168.1.1/24
VMnet Details
VMnet0 : Auto-Bridging : External : 172.16.100.0/24
VMnet1 : Host-Only : Internal : 192.168.1.0/24
VMnet2 : Host-Only : Sync : 1.1.1.0/24
STEP 01: Check the IP address of the HOST machine where VMware is running. By default, the host takes the first address of each host-only network.
The cluster needs 3 interfaces, so we check 3 VMware Network Adapters (VMnets).
NOTE: VMnet0 is auto-bridged, so it is connected to my WiFi network. I cannot use 172.16.100.1 for a gateway because that address is already assigned to my WiFi router; 172.16.100.1 is therefore our default gateway (see the "Route" section).

VMware Hardware Configuration Details
Memory : 4GB (Minimum)
Processor : 2 (Minimum)

More details of the VMware hardware configuration for Gateway1.

STEP 02: Start the Gateway1 virtual machine.
It asks for the IP address of the eth0 interface, which is on VMnet1 (Network: 192.168.1.0/24).
Click "OK".

STEP 03: Assign the IP address.
IP Address : eth0 : 192.168.1.2
Netmask : 255.255.255.0
Default Gateway : Configure later (it can also be configured now).

STEP 04: More details of the VMware hardware configuration for Gateway2.

STEP 05: Start the Gateway2 virtual machine.
It asks for the IP address of the eth0 interface, which is on VMnet1 (Network: 192.168.1.0/24).
Click "OK".

STEP 06: Assign the IP address.
IP Address : eth0 : 192.168.1.3
Netmask : 255.255.255.0
Default Gateway : Configure later (it can also be configured now).

STEP 07: After powering on the Gateway1 VM, log in with the default credentials.
Username : admin | Password : admin
Check the IP address details.
command : clish> lock database override
clish> show configuration interface

STEP 08: After powering on the Gateway2 VM, log in with the default credentials.
Username : admin | Password : admin
Check the IP address details.
command : clish> lock database override
clish> show configuration interface
It then asks to run the First Time Configuration Wizard.

STEP 09: Open the Gaia WebUI of Gateway1 to run the First Time Configuration Wizard.
Before that, ping the IP address of the "eth0" interface.
Enter the default login credentials
username : admin | password : admin and click "Login".
NOTE : Sometimes you may not be able to ping the IP address because the default (initial) policy is applied on the gateway; in that case run the command below. It unloads the local policy, so the gateway is left unprotected until a policy is installed on it again (STEP 67).
command: clish or Expert> fw unloadlocal

STEP 10: Open the Gaia WebUI of Gateway2 to run the First Time Configuration Wizard.
Before that, ping the IP address of the "eth0" interface.
Enter the default login credentials
username : admin | password : admin and click "Login".
NOTE: Sometimes you may not be able to ping the IP address because the default (initial) policy is applied on the gateway; in that case run the command below. It unloads the local policy, so the gateway is left unprotected until a policy is installed on it again (STEP 67).
command: clish or Expert> fw unloadlocal

STEP 11: Verify the IP address of Gateway1.

STEP 12: Verify the IP address of Gateway2.

STEP 13: Assign the DNS address on Gateway1.
NOTE: The DNS address may differ as per your requirement.

STEP 14: Assign the DNS address on Gateway2.
NOTE: The DNS address may differ as per your requirement.

STEP 15: Select "Security Gateway and/or Security Management" in Gateway1.
Click "Next".

STEP 16: Select "Security Gateway and/or Security Management" in Gateway2.
Click "Next".

STEP 17: Uncheck "Security Management" in Gateway1.
Select "Unit is part of a cluster, type" as "ClusterXL".
NOTE: The option "Unit is part of a cluster, type" is optional; if you do not select it now you can still configure it later, but it is better to select it during the First Time Configuration Wizard.
Check "Automatically download Blade contracts and other important data (highly recommended)".

STEP 18: Uncheck "Security Management" in Gateway2.
Select "Unit is part of a cluster, type" as "ClusterXL".
NOTE: The option "Unit is part of a cluster, type" is optional; if you do not select it now you can still configure it later, but it is better to select it during the First Time Configuration Wizard.
Check "Automatically download Blade contracts and other important data (highly recommended)".

STEP 19: Set a Secure Internal Communication (SIC) activation key for Gateway1; this key is required when establishing SIC between the Security Management Server and Security Gateway 1.

STEP 20: Set a Secure Internal Communication (SIC) activation key for Gateway2; this key is required when establishing SIC between the Security Management Server and Security Gateway 2.

STEP 21: Set an Expert password for Gateway1.
command (clish mode) : clish> set expert-password (press Enter, then set the password for Expert mode)

STEP 22: Set an Expert password for Gateway2.
command (clish mode) : clish> set expert-password (press Enter, then set the password for Expert mode)

STEP 23: On Gateway1 assign IP addresses to the remaining interfaces: the sync interface "eth1" (VMnet2: 1.1.1.0/24) and the external interface "eth2" (VMnet0: 172.16.100.0/24).
eth1 : 1.1.1.2/24 and eth2 : 172.16.100.121/24
command : clish> set interface eth1 ipv4-address 1.1.1.2 mask-length 24
clish> set interface eth2 ipv4-address 172.16.100.121 mask-length 24
NOTE: You can also assign the IP addresses in the Gaia WebUI.

STEP 24: Set the state of interfaces "eth1" and "eth2" to on.
command : clish_SG1> set interface eth1 state on
clish_SG1> set interface eth2 state on

STEP 25: On Gateway2 assign IP addresses to the remaining interfaces: the sync interface "eth1" (VMnet2: 1.1.1.0/24) and the external interface "eth2" (VMnet0: 172.16.100.0/24).
eth1 : 1.1.1.3/24 and eth2 : 172.16.100.122/24
Open the Gaia WebUI of Gateway2 ---> Network Interfaces ---> check "Enable" to bring the interface up and assign the IP address with its subnet mask.
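The interface commands of STEP 23 to STEP 25 are typed by hand in the guide. As an added example (not code from the original post), the script below builds the same clish command set for every cluster member from the address plan in the "IP Address Details" section and checks the plan first: each address must be a well-formed dotted quad inside the VMnet subnet its role belongs to, and no address may be reused across members or collide with a VIP. The interface roles (eth0 internal, eth1 sync, eth2 external) and the plan values are taken from this guide; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build the clish interface commands
# for each cluster member from the guide's address plan, and sanity-check the
# plan before pasting the commands into clish. Assumed interface roles, as in
# the guide: eth0 = internal (VMnet1), eth1 = sync (VMnet2), eth2 = external (VMnet0).

# Address plan taken from the guide, one member per line: NAME INTERNAL SYNC EXTERNAL
PLAN='SG1 192.168.1.2 1.1.1.2 172.16.100.121
SG2 192.168.1.3 1.1.1.3 172.16.100.122'

# Cluster virtual IPs from the guide; member addresses must not collide with them.
VIPS='192.168.1.5
172.16.100.125'

# Expected /24 network (first three octets) for each interface role.
NET_INTERNAL=192.168.1
NET_SYNC=1.1.1
NET_EXTERNAL=172.16.100

# First three octets of a dotted-quad address.
prefix24() { printf '%s' "$1" | cut -d. -f1-3; }

# Succeed only if $1 is a well-formed dotted quad inside the /24 network $2.
in_net24() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$(prefix24 "$1")" = "$2" ]
}

# Print one line per problem found in the plan; prints nothing when it is clean.
plan_errors() {
    printf '%s\n' "$1" | while read -r name int sync ext; do
        [ -n "$name" ] || continue
        in_net24 "$int"  "$NET_INTERNAL" || echo "$name: internal $int is not in $NET_INTERNAL.0/24"
        in_net24 "$sync" "$NET_SYNC"     || echo "$name: sync $sync is not in $NET_SYNC.0/24"
        in_net24 "$ext"  "$NET_EXTERNAL" || echo "$name: external $ext is not in $NET_EXTERNAL.0/24"
    done
    # Every member address must be unique and must differ from the VIPs.
    { printf '%s\n' "$1" | awk 'NF { print $2; print $3; print $4 }'; printf '%s\n' "$VIPS"; } \
        | sort | uniq -d | sed 's/^/duplicate address: /'
}

# "ok" when the plan passes every check, otherwise "bad".
plan_valid() {
    if [ -z "$(plan_errors "$1")" ]; then echo ok; else echo bad; fi
}

# clish commands for one member (STEP 23 and STEP 24 of the guide): eth0 was set
# during installation, so only the sync ($1) and external ($2) addresses are set here.
clish_commands() {
    printf 'set interface eth1 ipv4-address %s mask-length 24\n' "$1"
    printf 'set interface eth1 state on\n'
    printf 'set interface eth2 ipv4-address %s mask-length 24\n' "$2"
    printf 'set interface eth2 state on\n'
    printf 'save config\n'
}

# Usage: validate the plan, then print the command set for each member.
if [ "$(plan_valid "$PLAN")" = ok ]; then
    printf '%s\n' "$PLAN" | while read -r name int sync ext; do
        echo "# --- $name (eth0 $int) ---"
        clish_commands "$sync" "$ext"
    done
else
    plan_errors "$PLAN"
fi
```

Run it on any machine with a POSIX shell; it does not need a gateway. A plan line such as `SG2 19.168.1.3 1.1.1.3 172.16.100.122` (a dropped digit) is reported as "SG2: internal 19.168.1.3 is not in 192.168.1.0/24" instead of being turned into commands, and a member address equal to a VIP is reported as a duplicate.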

STEP 26: Verify the IP address and the interface status.

STEP 27: Assign the IP address to the external interface "eth2".

STEP 28: Verify the interface status and IP address.

STEP 29: Power on the Management Server if it is not already running.
The Management Server was configured earlier with IP 192.168.1.10/24.

STEP 30: Open SmartConsole, enter the Management Server IP address and the login credentials.

SmartConsole opens successfully.

STEP 31: To create a cluster we first need to create a Cluster object.
Location : SmartConsole ---> *New ---> Network Object ---> Gateway and Server ---> Cluster ---> Cluster...

STEP 32: Click "Wizard Mode".
NOTE: You can also choose Classic Mode.

STEP 33: Cluster Name: CLUSTER (any name)
Cluster IPv4 Address : 192.168.1.5 (the virtual IP address)
Select "High Availability", i.e. Active/Standby (100%/0%).
Click "Next".
NOTE: "Load Sharing" (50%/50% and 70%/30%) is also offered, but in R80.20 it is still not supported (see STEP 79).

STEP 34: Add the cluster members: select Add ---> "New Cluster Member".
"Add Existing Gateway" is for a gateway object that already exists and should be added to the cluster.

STEP 35: Adding Gateway1.
Name : SG1
IPv4 Address : 192.168.1.2 (eth0 interface IP address)
Activation Key : **** (the SIC key set during the First Time Configuration Wizard)
Confirm Activation Key : **** (the same key again)
Click "Initialize".

SIC is established successfully, showing "Trust established".

STEP 36: Verify that the Security Gateway was added.
It shows the gateway name (SG1) with its IP address and SIC status (Trust established).

STEP 37: Add Gateway2.
Name : SG2
IPv4 Address : 192.168.1.3 (eth0 interface IP address)
Activation Key : **** (the SIC key set during the First Time Configuration Wizard)
Confirm Activation Key : **** (the same key again)
Click "Initialize".

STEP 38: Verify that the Security Gateway was added.
It shows the gateway name (SG2) with its IP address and SIC status (Trust established).

STEP 39: Click “Next”.

STEP 40: Click “Next” to configure the topology of the cluster.

STEP 41: Enter the External Virtual IP Address: eth2: 172.16.100.125 | Net Mask: 255.255.255.0
Click "Next".
NOTE: The IPv4 Network Address 172.16.100.0 is filled in automatically because the member IP addresses on that network were already defined.

STEP 42: Set "Cluster Synchronization" to "Primary", because we have only one sync interface.
Click "Next".

STEP 43: Enter the Internal Virtual IP Address: eth0: 192.168.1.5 | Net Mask: 255.255.255.0
Click "Next".
NOTE: The IPv4 Network Address 192.168.1.0 is filled in automatically because the member IP addresses on that network were already defined.

STEP 44: Select "Edit Cluster's Properties" and click "Finish".

STEP 45: The General Properties of the cluster are shown.
Make sure that only the Firewall blade is enabled; if another blade such as "IPSec VPN" is enabled, unselect it.

STEP 46: Check that the Cluster Members page shows both gateway objects.
Location : Cluster ---> Properties ---> Cluster Members

STEP 47: I configured High Availability as ClusterXL (Active/Standby) without any priority configuration,
so select "Maintain current active Cluster Member".
Location : Cluster ---> Properties ---> ClusterXL and VRRP

The IP addresses are shown, but the interface names are not yet, because we have not fetched the topology.
Location : Cluster ---> Properties ---> Network Management

STEP 48: Select "Get Interfaces with Topology" to fetch the topology.
NOTE: With "Get Interfaces with Topology", Anti-Spoofing is set to Prevent on all interfaces. You can also select "Get Interfaces without Topology", but then Anti-Spoofing is not configured, which is a security risk. On a live production cluster, do not use "Get Interfaces with Topology" without properly validating the fetched topology first: if the fetched topology is wrong, Anti-Spoofing in Prevent mode will drop legitimate traffic.

STEP 49: After selecting "Get Interfaces with Topology", a pop-up appears; select "Yes".

STEP 50: The topology is fetched successfully.

STEP 51: Click the eth0 interface and check the Anti-Spoofing setting; it should be Prevent & Log.
It shows Network Type : Cluster, with the cluster members' IP addresses.

STEP 52: Click “Modify” for more details.

STEP 53: Click the "eth1" interface and check the Anti-Spoofing configuration.
It shows Network Type : Sync, with the members' IP addresses.

STEP 54: Click the "eth2" interface.
It shows Network Type : Cluster, with the members' IP addresses.
Click "Modify".

STEP 55: Define as External and click “OK”.

STEP 56: Click “Ok”.

STEP 57: Verify the topology.

STEP 58: Click “OK”.

The SmartConsole dashboard.

STEP 59: Install the Database.
Location : Menu --> Install Database

STEP 60: Click “Install”.

STEP 61: Click “Publish and Install”.

STEP 62: Create a Network Object.
Name : Internal_LAN
Network : 192.168.1.0
Net Mask : 255.255.255.0
Location : SmartConsole ---> *New ---> More ---> Network Object ---> Network

STEP 63: Click "OK".

STEP 64: Create a security policy.
Policy Package: Standard (default) (NOTE: You can also create a new policy package.)
Click "+" in Source.
Add as Source the network "Internal_LAN" (192.168.1.0/24) created in STEP 62.
Rule : Source: Internal_LAN, Destination: Any, VPN: Any, Services & Applications: Any, Action: Accept, Track: Log.

STEP 65: Add the Cleanup Rule.
Right-click "Missing cleanup rule" and select "Add Cleanup Rule".
Rule : Source: Any, Destination: Any, VPN: Any, Services & Applications: Any, Action: Drop, Track: Log.


STEP 66: Install the Database.
Location : SmartConsole ---> Menu ---> Install Database

STEP 67: Install the Security Policy.
Select the "Access Control" policy.
Select the "CLUSTER" object.
Select "Install on each selected gateway independently".
Check "For gateway cluster, if installed on a cluster member fails, do not install on all gateway of the same version".
Click "Install".

Policy installation in progress.

STEP 68: Policy Installed successfully.


STEP 69: Status is showing “OK”.

COMMAND
STEP 70: Check the cluster status.
command : clish> or [Expert mode]# cphaprob stat (or cphaprob state)
SG1 is now "Active". The unique address 1.1.1.2 is Gateway1's (SG1) sync IP, and it is marked "(local)" because the command was run in the SG1 PuTTY session.

STEP 71: Check the cluster interface status with the virtual IP addresses.
command : [Expert]# cphaprob -a if

STEP 72: Check whether any pnotes (problem notifications) are in problem state.
command : [Expert]# cphaprob -ia list

STEP 73: Bring the cluster member down (manual failover test).
command : [Expert]# clusterXL_admin down

STEP 74: The cluster status on Gateway2 (SG2) shows Gateway1 (SG1) as down (command : cphaprob stat).
Now Gateway2 (SG2) becomes Active.

STEP 75: Bring cluster member Security Gateway1 (SG1) up again.
command : [Expert]# clusterXL_admin up
Now SG2 (Security Gateway 2) is shown as STANDBY.

STEP 76: Check the last failover time with all details.
command : clish> or [Expert]# cphaprob stat

STEP 77: Bring SG2 down to make SG1 active.

STEP 78: Bring cluster member SG2 down and up again.
command : SG2 : [Expert]# clusterXL_admin down
[Expert]# clusterXL_admin up
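STEP 70 to STEP 78 read the cluster state from `cphaprob stat` by eye. As an added example (not code from the original post), the script below turns that check into something that can run after every change or from a monitoring job: it parses the member rows of `cphaprob stat`, reports which member is ACTIVE, and gives a verdict of ok (one ACTIVE, every other member STANDBY, no active pnotes), degraded (one ACTIVE but no healthy peer to fail over to) or critical (no ACTIVE member, or two ACTIVE members, i.e. a split cluster). The two sample outputs are constructed to resemble what SG1 and SG2 report before and after the `clusterXL_admin down` test; they are not captured from a real gateway, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a scripted health check for a
# two-member ClusterXL High Availability pair, run over "cphaprob stat" output.
# The two sample outputs below are CONSTRUCTED to resemble the R80.20 report for
# the SG1/SG2 lab in this guide; spacing and wording on a real gateway may differ.

# Constructed: what SG1 reports after STEP 70, before the manual failover test.
SAMPLE_BEFORE='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  1.1.1.2         100%            ACTIVE         SG1
2          1.1.1.3         0%              STANDBY        SG2

Active PNOTEs: None'

# Constructed: what SG2 reports after "clusterXL_admin down" on SG1 (STEP 74).
SAMPLE_AFTER='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1          1.1.1.2         0%              DOWN           SG1
2 (local)  1.1.1.3         100%            ACTIVE         SG2

Active PNOTEs: None'

# Emit "STATE NAME" for every member row; member rows start with the numeric ID.
member_rows() {
    printf '%s\n' "$1" | awk '/^[0-9]+[ (]/ { print $(NF-1), $NF }'
}

# Name of the member currently in the ACTIVE state (empty if none).
active_member() {
    member_rows "$1" | awk '$1 == "ACTIVE" { print $2 }'
}

# Number of members in the given state, e.g. count_state "$out" STANDBY.
count_state() {
    member_rows "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Succeed only if the gateway reports no active problem notifications (pnotes).
pnotes_clear() {
    printf '%s\n' "$1" | grep -q '^Active PNOTEs: *None'
}

# Overall verdict:
#   critical - not exactly one ACTIVE member (outage, or two actives = split cluster)
#   degraded - one member serving, but the peer is not STANDBY or pnotes are active
#   ok       - one ACTIVE, every other member STANDBY, no active pnotes
cluster_health() {
    out=$1
    active=$(count_state "$out" ACTIVE)
    standby=$(count_state "$out" STANDBY)
    members=$(member_rows "$out" | awk 'END { print NR }')
    if [ "$active" -ne 1 ]; then
        echo critical
    elif [ $((active + standby)) -ne "$members" ] || ! pnotes_clear "$out"; then
        echo degraded
    else
        echo ok
    fi
}

# Usage: on a gateway (Expert mode) check the live output; offline, use the sample.
if command -v cphaprob >/dev/null 2>&1; then
    cluster_health "$(cphaprob stat)"
else
    cluster_health "$SAMPLE_BEFORE"
fi
```

On the constructed samples the verdict is "ok" before the test and "degraded" while SG1 is administratively down, which matches what STEP 74 shows: the cluster still serves traffic from SG2, but a second failure would be an outage. A "critical" verdict with two ACTIVE members is the case worth alerting on, since it usually means the members have lost sight of each other over the sync network.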

STEP 79: Load Sharing is not yet supported in R80.20.

A pop-up shows it as not supported.
