Our first configuration steps aim to build a cluster consisting of just one enforcement module and test it by installing a policy:
1. In SmartDashboard, create a Gateway Cluster object (Manage | Network Objects | New | Check Point | Gateway Cluster). You will see the Gateway Cluster Properties window pop up, as shown in Figure 6.13.
2. Fill in the name of the cluster. In our example, we called it fwcluster. We gave the object a primary IP of the external VIP address, 195.166.16.130. We then checked the boxes for FireWall-1 (which is mandatory), VPN-1 Pro (because we plan to set up VPNs), ClusterXL (because we want to use the Check Point cluster solution), and SecureClient Policy Server (because we want to use SecureClients).
3. Click Cluster Members on the left side of the screen. This is where we add the enforcement modules into our new cluster. See Figure 6.14.
4. Clicking the New button will allow you to define a new firewall enforcement module that will be part of the cluster. In the Name field, enter the hostname of this module. The IP address is the one chosen as the primary IP for that module, and the hostname should resolve to this address consistently across all modules. Usually, the primary IP is that of the Internet-facing interface. In our example, the name is fw1 and the address is 195.166.16.131, as shown in Figure 6.15. Note that it would not be possible to use the external IP as the primary address if you were using HA Legacy mode, because the module's only unique address is that of the secured interface.
Figure 6.13 Gateway Cluster Properties Screen
Figure 6.14 The Cluster Members Screen Before Any Members Have Been Added
Figure 6.15 Defining the Cluster Member
WARNING
Always use the member hostname as the object name and then use the Get address button to test that the management station resolves the member hostname correctly. If it does not, investigate this problem before proceeding further.
5. You now need to establish communication with the module. Click the Communication button. Clicking this button will pop up the window shown in Figure 6.16, in which you need to enter the secret password that you used when you installed this enforcement module. (Make sure that the module is started at this point.) Enter this password in the Activation Key field and the Confirm Activation Key field. At first the trust state is Uninitialized. Click the Initialize button to set up the trust between the management station and the firewall enforcement module. Wait a short while, and you should then see the window update the trust state to Trust established, as shown in Figure 6.17. Once trust has been established, click the Close button.
Figure 6.16 Uninitialized Trust Between the Management Module and a Cluster Member
Figure 6.17 Trust Established Between the Management Module and a Cluster Member
NOTE
It’s a good idea to click the Test SIC Status button to ensure that the trust is working. When you click this button, you should get a popup window that reads, “SIC Status for fw1: Communicating.” If you do not, you have a problem with the management station communicating with the firewall enforcement module, and this situation will need to be rectified. Check routing and any intermediate firewall policies. If you manage intermediate firewalls from this management station, you should save the new cluster object without configuring communication, and then push a policy to those firewalls.
6. Click the Topology tab of the cluster, and click Get topology. This step should get the topology of your module, including IP addresses, netmasks, and IP addresses behind interfaces, where appropriate; an example is shown in Figure 6.18. Click the Accept button once you are happy with the topology obtained.
Now select the interface that you are going to use as your sync interface, referred to as the Secured Network in the Check Point manuals. In our example, our sync network is on 192.168.11.131, on interface hme0. Double-click this interface. You will be presented with a new popup window, as shown in Figure 6.19.
Figure 6.18 Module Topology
Figure 6.19 Defining the Secured Interface on One Member of the Cluster
In the popup window, make sure that you uncheck the Cluster Interface check box so that the firewall module knows that this network will not have a VIP address. If you don’t uncheck this box, you will receive a warning later in the configuration.
Click the Topology tab of this window. This allows you to define anti-spoofing for this interface. Select Network defined by the interface and netmask for this example (see Figure 6.20).
Click OK when finished. You should now be on the Topology tab of the Cluster Members Properties window. Don’t worry about the VPN and NAT details for now. Click OK again, and you should be looking at the Cluster Members screen (see Figure 6.21). You should see that the first cluster member has been defined.
Figure 6.20 Antispoofing Properties of the Secure Interface of a Module
Figure 6.21 Cluster Members Screen After First Member Has Been Defined
At this stage, you could add further cluster members using the New button, but we will use the Addbutton later to add an existing firewall enforcement module to the cluster.
7. Click ClusterXLon the left side of the screen.This screen shows you the mode that ClusterXL will work in (see Figure 6.22). In this example, the defaults are High Availability in New mode, which we have selected. We have also left the “Upon Gateway recovery” setting at Maintain current active gateway.This means that when a member in the cluster fails and then the member returns, all the traffic will still go through the second firewall member.The effect of this choice is that failback is a manual process.
8. Now click the Synchronizationtree item.This screen, as shown in Figure 6.23, allows you to define the sync network.The cluster members should have interfaces on this network that are not cluster interfaces (defined in the cluster member interfaces details). It is possible to define multiple sync networks here in order to provide resilience. In our example, we define a sync network 192.168.11.0, subnet mask 255.255.255.0.To do so, click the Addbutton. A popup window will appear (see Figure 6.24). Enter the network name (of your choice), network address, and subnet mask. Click OK when you’re done. Once this process is completed, you should see something similar to Figure 6.25.