IP Cluster & Check Point NGX (IPSO 4.0 & Check Point NGX (R60)) 2007 7
IP Cluster & Check Point NGX
1 Gateway Cluster
1-1 cpconfig
1-2 Gateway Cluster
1-3 3rd Party Configuration
1-4 Topology
2 IP Cluster
2-1 Cluster ID Cadmin Password
2-2
2-3
2-4 FireWall Related Configuration
2-5
2-6
3
3-1 Cluster Voyager
3-2
3-3
4 NTP
4-1 NTP FireWall-1
4-2 NTP
5 VPN-1/FireWall-1
5-1
5-2
Copyright 2006 Asgent, Inc. All rights reserved.
Nokia IP Check Point VPN-1/FireWall-1 TCP/IP UNIX Windows OS Nokia IP IP Clustering Check Point NGX IPSO 4.0 Check Point NGX (R60)
IPSO 4.0 Build 030 Check Point NGX (R60)
IP Cluster IPSO VPN-1/FireWall-1 IP2250 IP IP Cluster flash-based IP IP Cluster Gateway Cluster IP Cluster IP (Cluster IP ) ( IP ) VPN-1/FireWall-1 VPN-1/FireWall-1 cpconfig
Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? y
(clustering product ) IP Cluster ( ) /L2 2 Check Point NGX IP Cluster Check Point NGX 100M/Full IP2250 100M/Full 2
1: IP Cluster IP
FW01 FW02
10.1.1.201 10.1.1.200 192.168.0.201 192.168.0.200 172.16.0.201 172.16.0.200 172.16.1.201 172.16.1.200
10.1.1.202 10.1.1.200 192.168.0.202 192.168.0.200 172.16.0.202 172.16.0.200 172.16.1.202 172.16.1.200
FW01 FW02 IPSO VPN-1/FireWall-1
Cluster ID IP (Cluster IP ) MAC ( ) VPN-1/FireWall-1 ARP MAC
1 Gateway Cluster
1-1 cpconfig
cpconfig Disable cluster membership for this gateway Enable
1-2 Gateway Cluster
VPN-1/FireWall-1 SmartDashboard Gateway Cluster
1. VPN-1/FireWall-1 SmartDashboard Gateway Cluster
2. [General Properties] Gateway Cluster IP IP (Cluster IP )
2:Gateway Cluster
3. [Cluster XL]
4. [Cluster Members][Gateway Cluster] [New Cluster Member] Gateway IP SIC Gateway Gateway [Add Gateway to Cluster]
3:Cluster Member
Cluster Member General IP ( ) ( ) Anti Spoofing Drop Gateway (FW01 FW02) 10.1.1.201/24 192.168.0.201 10.1.1.202/24 192.168.0.202 Cluster Member General IP VPN Cluster Member General IP IP
1-3 3rd Party Configuration
3rd Party Configuration
1. [3rd Party Configuration] [Specify Cluster operating mode] [Load Sharing]
2. [3rd Party Solution] [Nokia IP Clustering]
4: [3rd Party Configuration]
1-4 Topology
IP IP (Cluster IP ) Anti Spoofing
5:Gateway Cluster Topology
1. [Topology] [Edit Topology]
2. Cluster Member [Get Topology] Topology [Get Topology] Topology [Interface Properties]
3. Gateway Cluster [Interface Properties] Topology
4. [Network Objective]
Cluster:
1st Sync 2nd Sync 3rd Sync:
Cluster+1st Sync Cluster+2nd Sync Cluster+3rd Sync : ( (DMZ ) )
Private:
5. [OK][Gateway Cluster Properties]
6:Gateway Cluster [Edit Topology]
7:[Interface Properties]
2 IP Cluster
IP Cluster
        Cluster ID    Performance Rating
FW01    200           500
FW02    200           500
Cluster IP Primary Secondary
10.1.1.200 192.168.0.200 172.16.0.200 172.16.1.200
10.1.1.200 192.168.0.200 172.16.0.200 172.16.1.200
IP Cluster Voyager [Configuration] > [High Availability] > [Clustering] [Clustering Configuration]
8:[Clustering Configuration]
2-1 Cluster ID Cadmin Password
Cluster ID Cluster Voyager( ) ID ( ) Cluster Voyager IP Cluster Voyager Cluster Voyager IP (Cluster IP ) Voyager [cadmin] Cadmin Password
1. [Create IPSO Cluster] [Cluster ID] (0-65535)
2. [Cadmin Password] cadmin
9: [Create IPSO Cluster]
3. [Apply] ( )
4. Cluster Member [Manually Configure IPSO Cluster]
10: [Manually Configure IPSO Cluster]
2-2
11:[Cluster Status]
Cluster ID: Cluster ID
Cluster Protocol State: Uninitialized Initialized Joining Assert_master Master Member
Time Since Join: /
Number of Interfaces:
Cluster State: Up Down
Cluster Mode:
Work Assignment: Static Dynamic
Performance Rating: Performance Rating
Failure Interval: ( )
2-3
IP (Cluster IP ) IP Cluster (Primary Secondary)
12:[Interface Configuration]
Interface: IP Ethernet
Status: Green up Red down Blue
Select:
Cluster IP Address:
Primary: IP Cluster Primary
Secondary: IP Cluster Secondary
2-4 FireWall Related Configuration
VPN-1/FireWall-1
13:[FireWall Related Configuration]
Enable VPN-1/FW-1 monitoring: VPN-1/FireWall-1 VPN-1/FireWall-1 Enable
Enable non-check Point gateways and Clients: Check Point Gateway Client Firewall Yes
2-5
[Save] [Cluster State] [Up] [Apply][Save]
14:[Cluster State]
2-6
FW02(Member)
1. [Clustering Configuration] [Cluster ID] [Cadmin Password] [Apply] ( )
2. [Join Existing IPSO Cluster] [Cluster member address] FW01(Master) IP
3. [Join]
4. Cluster Status [Save]
15: FW02(Member)
3
Cluster Voyager
3-1 Cluster Voyager
Cluster Voyager
1. IP (Cluster IP )
2. Voyager [cadmin] Cadmin Password
3. Cluster Voyager [Monitor] > [Clustering Monitor]
16:[Clustering Monitor]
3-2
telnet admin 1 IP Cluster
3-3
IP Cluster tcpdump IP Cluster Keep Alive 1 IP Cluster
4 NTP
VPN-1/FireWall-1 NTP
4-1 NTP FireWall-1
NTP
Source            Destination   Service   Action
Gateway Cluster   NTP_server    ntp       accept
NTP_server Manage > Network Object
17: NTP
4-2 NTP
NTP Cluster Voyager
1. Cluster Voyager [Configuration] > [Router Service] > [NTP]
2. [NTP Global Settings] [Enable NTP] [Yes] [Apply] ( )
18:[Cluster NTP Configuration]
3. [Add New Server Address] NTP IP
4. [Apply][Save]
19:NTP
5 VPN-1/FireWall-1
5-1
Gateway Cluster tcpdump UDP/8116
5-2
#VALS