ClusterXL R75.40 Administration Guide

20 February 2012

Classification: [Protected]

© 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13090
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk67581).

Revision History
Date: 20 February 2012
Description: First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on ClusterXL R75.40 Administration Guide).

Contents

Important Information
Introduction to ClusterXL
The Need for Gateway Clusters
ClusterXL Gateway Cluster Solution
How ClusterXL Works
The Cluster Control Protocol
Installation and Platform Support
ClusterXL Licenses
Clock Synchronization in ClusterXL
Clustering Definitions and Terms
Synchronizing Connection Information Across the Cluster
The Check Point State Synchronization Solution
The Synchronization Network
How State Synchronization Works
Non-Synchronized Services
Configuring Services not to Synchronize
Duration Limited Synchronization
Non-Sticky Connections
Non-Sticky Connection Example: TCP 3-Way Handshake
Synchronizing Non-Sticky Connections
Synchronizing Clusters on a Wide Area Network
Synchronized Cluster Restrictions
Configuring State Synchronization
Configuring a Service Not to Synchronize
Creating Synchronized and Non-Synchronized Versions
Configuring Duration Limited Synchronization
Sticky Connections
Introduction to Sticky Connections
The Sticky Decision Function
VPN Tunnels with 3rd Party Peers and Load Sharing
Third-Party Gateways in Hub and Spoke Deployments
Configuring the Sticky Decision Function
Establishing a Third-Party Gateway in a Hub and Spoke Deployment
High Availability and Load Sharing in ClusterXL
Introduction to High Availability and Load Sharing
Load Sharing
Example ClusterXL Topology
Defining the Cluster Member IP Addresses
Defining the Cluster Virtual IP Addresses
The Synchronization Network
Configuring Cluster Addresses on Different Subnets
ClusterXL Modes
Load Sharing Multicast Mode
Load Sharing Unicast Mode
High Availability Mode
Mode Comparison Table
Failover
When Does a Failover Occur?
What Happens When a Gateway Recovers?
How a Recovered Cluster Member Obtains the Security Policy
Implementation Planning Considerations
High Availability or Load Sharing
Choosing the Load Sharing Mode
IP Address Migration
Hardware Requirements, Compatibility and Cisco Example
ClusterXL Hardware Requirements
ClusterXL Hardware Compatibility
Example Configuration of a Cisco Catalyst Routing Switch
Check Point Software Compatibility
Operating System Compatibility
ClusterXL Compatibility (excluding IPS)
ClusterXL Compatibility with IPS
Forwarding Layer
Configuring the Cluster Topology
Configuring ClusterXL
Preparing the Cluster Member Machines
Configuring Routing for Client Machines
Choosing the CCP Transport Mode on the Cluster Members
Configuring Cluster Objects & Members
Using the Wizard
Classic Mode Configuration
ClusterXL High Availability for IPv6
ClusterXL High Availability
Configuring IPv6 Clusters
Working with OPSEC Certified Clustering Products
Introduction to OPSEC Certified Clustering Products
Configuring OPSEC Certified Clustering Products
Preparing the Switches and Configuring Routing
Preparing the Cluster Member Machines
SmartDashboard Configuration for OPSEC Clusters
CPHA Command Line Behavior in OPSEC Clusters
The cphastart and cphastop Commands in OPSEC Clusters
The cphaprob Command in OPSEC Clusters
UTM-1 Clustering
Overview
Configuring a Cluster on New Appliances
Configuring the IP Addresses
Initial Configuration
Configuring the Cluster in SmartDashboard
Adding an Existing UTM-1 Appliance to a Cluster
Removing a Cluster Member
Upgrading to a UTM-1 Cluster
Importing a Database to a Primary Cluster Member
Migrating a Database to a UTM-1 Cluster
Supported Logging Options for UTM-1 Clusters
Recommended Logging Options for High Availability
Load Sharing
Monitoring and Troubleshooting Gateway Clusters
Verifying that a Cluster is Working Properly
The cphaprob Command
Monitoring Cluster Status
Monitoring Cluster Interfaces
Monitoring Critical Devices
Registering a Critical Device
Registering Critical Devices Listed in a File
Unregistering a Critical Device
Reporting Critical Device Status to ClusterXL
Example cphaprob Script
Monitoring Cluster Status Using SmartConsole Clients
SmartView Monitor
SmartView Tracker
...