| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi, can anyone explain the cluster setup to me: how many machines I require and what to install on each one (only VPN, or with SmartServer & VPN)? How is the communication happening, with SIC or how? I need the setup with dual NICs. Thanks in advance |
| |||
| Hi,

It seems you are new to this stuff. Anyway, allow me to explain briefly how to build a cluster environment for a firewall.

What is a cluster (or in this case, a firewall cluster)?

A firewall or gateway cluster is a group of individual enforcement servers which share the same setup and configuration with each other. All these enforcement servers are connected to each other through a link called the synchronization link or "heartbeat". This link enables all enforcement servers in a cluster to be "aware" of each other for any changes that occur. If any change or problem occurs in any enforcement at any time, the other enforcements will "react" to it and adjust themselves accordingly.

These clusters are managed by one (or more) management servers, which are responsible for managing all individual enforcements in a cluster. Every log generated by these individual enforcements is forwarded to the management server. You can cluster the management servers (normally two) if you want redundancy and high availability similar to the firewall cluster.

SIC in a cluster

When you build a firewall cluster, you are required to set SIC on every enforcement/machine in the cluster in order for it to be managed by the management servers. You may use a different SIC for each individual enforcement/machine but IMHO, it will be better to use the same SIC on every enforcement/machine. This SIC must be 'registered' in the management server in order to manage the enforcements/machines. For more information on SIC, please refer to the Check Point user guide which comes with the software purchase. If you have access to the Check Point usercenter website, you may find plenty of information about SIC and the rest.

How many machines required?

Minimum two machines, but there are companies that have three to four machines in a cluster. Normally, you might see this in financial institutions, health organizations and so on.

How many network interfaces (NIC) per machine?

Minimum two. If you have a few private LANs you wish to protect directly behind your machine, you may add a few network interfaces as you wish.

How does each enforcement/machine in a cluster communicate with the others?

Well, as explained earlier, all enforcements are connected to a 'heartbeat' through which all information, such as the firewall's operational state and so on, is shared among these enforcements. For example, if one of the enforcements/machines is unable to process the traffic due to high load, the rest of the enforcements will automatically take over some of the load from that enforcement and distribute it evenly across the cluster. For more information about H.A/Load balancing on Check Point firewall, please consult the ClusterXL guide. ClusterXL is Check Point's own H.A/Load-balancing module. You may integrate with other 3rd party H.A/Load-balancing software such as Rainfinity RainWall or StoneBeat cluster product.

VPN on firewall cluster

You need a license for each enforcement/machine if you need a VPN. You need to configure this at the management server. For more info, consult the user guide. |
| |||
| Refer to the ClusterXL user guide on how to set up a firewall cluster.

How to implement?

Well, it depends on your security requirements (or what you want to achieve so that the private networks are protected while the services are still up and running even though there is downtime). |