Checkpoint HA: How To Create a Cluster (HA) in Check Point Firewall.

Captions
Hi guys, I'm going to tell you about HA, high availability, in Check Point. As you can see, this is the diagram I made, so I will not explain the different types; it's already mentioned here. I will give you a brief about it. ClusterXL is of two types, high availability (HA) and load sharing, meaning it has two modes. HA is further divided into new mode and legacy mode. In new mode we need a virtual IP to be set up; like here you can see there is one virtual IP for LAN and one virtual IP for WAN.

Now the question is why we need a virtual IP. This is my firewall one, this is my firewall two. Firewall one has this LAN address and firewall two has this one. We have to create the HA between them: if one firewall goes down, the other has to act. In that case this should be the gateway of my LAN PCs, but if this one goes down then I have to change the gateway, and it is not possible for me to go and change the default gateway all the time. I need a type of IP address that will never go down, so in that case I require a virtual IP. That virtual IP I will define in my HA, so that the virtual IP will decide which firewall is up and primary, which is acting as standby or active, and to whom it has to send the packet. All right, so that's why we need a virtual IP here. So we need two virtual IPs: one virtual IP is required for inside, which will act on the LAN side, and one will be acting on the WAN side, like when the connection is going outside it will convert this WAN IP to a virtual IP and then it will go outside. All right, so that I have explained.

Legacy mode: in that we do not require any virtual IP. What was happening: suppose firewall one is acting as the primary firewall. If firewall one goes down, the whole configuration will get shifted here to firewall two, like the .21 IP will get shifted here onto firewall two's interface. So what will be the default gateway of the PCs? The default gateway of the PCs will always be the primary firewall's LAN address, so when the primary goes down, this one will become the primary and that one gives its whole configuration to this firewall. So the primary will always have this IP address which we would have defined at the start. Now this is not in use, so we will not discuss it, and also you cannot see this option in your Check Point; instead of this legacy mode there is one option called VRRP that has been introduced. Check Point has done some modifications in VRRP and they have come up with VRRP MC; that I will explain in a different lecture.

Another method in ClusterXL is load sharing. Load sharing is further divided into two parts: one is unicast and the second is multicast. Multicast, in which traffic is divided 50/50 percent: the primary firewall will take 50 percent load and the secondary firewall will also take 50 percent load. But in unicast, it is also called favored unicast, what happens is the traffic is divided 30/70 percent: the primary firewall will take care of 30 percent of the traffic whereas the secondary firewall will take care of 70 percent. The primary firewall which is taking care of the 30 percent load is also called the favored firewall. But it is not always that the secondary carries 70 percent and the primary carries 30 percent; it depends on the primary firewall. All the packets will be initiated from the primary firewall and it will hand over that traffic to the secondary firewall, but if it wants then it can also handle that packet itself. So it is not always 30/70, but yeah, in maximum cases it is 30/70, so please note that. All right.

So this is our diagram. This is my firewall one; firewall one has two interfaces, a LAN interface and a WAN interface, and those are given these IP addresses. My firewall two also has the same LAN and WAN; same series IP addresses are given, .21 and .22, and here also same series IP addresses are given. All right. I need to define one HA; as I am creating HA, I need to define one sync interface. I have defined it as eth2; that sync interface will do the syncing between the two firewalls: when one goes down, when one goes up, that information will be shared here. One will be my WAN, one will be my LAN; those will act as the gateway for inside and outside. This is my SMS gateway, SMS server sorry, so this is my management server and it has this IP address. All the connectivity I have already done; I will show you that.

We will directly jump into configuring the clustering, how to do that. I have already configured that, so first I will show you that. cphaprob state: that is the command to check if your HA is working or not working, down, some information regarding HA. So here my HA is working; the cluster mode is high availability, my primary is up with IGMP. All right, so local is this one: I have accessed this firewall, fw1, which has the IP address .21, and it is down. Why is it showing down? Let's check: the secondary firewall is working as active and handling 100% load. If I go to the secondary firewall, let's check what it is showing here. Here it is also saying the same thing: this one is down and that one, .22, is up; this is local, it is saying for itself, I'm up and I'm handling 100 percent load and I'm active. All right. There is one command to check what the problem is, why it is not working: cphaprob list. Here it will show the pnotes; these are all pnotes. We will start from the beginning: Interface Active Check is OK, Recovery Delay is OK, Synchronization is OK, everything is OK. These all are pnotes. And on the second device, cphaprob list: OK, OK, Synchronization is having the problem, so we need to check what happens in synchronization. That's what I wanted to tell you, that I have already configured it, and I also shut it down with some command. Let's begin the configuration of the HA.

Your connectivity is done. If you want to check the configuration of your interfaces, then show interface: interface eth0 is 10.10.10.21; compare with our diagram, eth0 is .21, eth1 is 20.20.20.21, all right, and the last one, eth2, is .11, so this .11 is the sync interface. What I need to do is only to give the IP addresses to my firewall one, which I had given to the second firewall also. I have done cloning and after that I have changed the IP addresses. Cloning is very simple and very easy; instead of doing the whole configuration you can just right-click here, Manage, and Clone. Before cloning you need to shut down your firewall. So my fw1 and fw2 are all done.

What I need to do first is run cpconfig. This is the option: Disable cluster membership for this gateway; here it should be enabled in your firewall. I will disable it and show you. OK, cpconfig: this is the sixth option, Enable Secure Cluster, sorry, Enable cluster membership for this gateway. When you are going to create the HA, the first thing that you have to check is this option. If it is not enabled, press 6 and enable it. Yes. OK, now check again: it is saying that it will take effect after reboot. OK, let's reboot this firewall. Yes, yes, OK, this will get rebooted. Till that time we'll go to another thing. Right here, this is my server. I will delete all these policies and add them later; all these policies I will delete. Also I will delete this cluster. Let's delete this, yes, this was the cluster which I had created, test cluster. Now there are no firewalls; there is only one management in my dashboard, no firewall is here. What I have to do, when my firewall comes up, is create the HA. Another thing that I wish to do is unload the policy: I'll go here, Policy, Uninstall; it will detach the policy from this. I will also push the policy here first. Let that firewall come up; fw1 is starting up. Let's see what error comes if I push. OK, there is no machine, there is no machine, so no need to push that at all because there is no firewall; I have deleted all this; it will not affect much. OK.

Once my firewall one comes up I will run the same command. Till that time I will write down some of the commands for you: set interface eth0 ipv4-address 10.10.10.21 subnet-mask 255.255.255.0. So this command you have to type 3 times; the interface will change, eth1 and eth2, and this IP will be 20.20.20.21 for my firewall one. Another thing: set interface eth0 state up. The same thing I have to do for all these 3. You just need to copy-paste: write it down in your notepad and then just copy-paste all of this once it comes up. OK, this has come up. admin, admin123. It's pinging, so this is the IP address of my SMS gateway; my SMS has to be reachable before I configure the HA. The first step to configure the HA, as I have already told you, is to check cpconfig. Go inside. What happened? OK, cpconfig: now you can see it is showing Disable, which means it's enabled. The second firewall also we have checked, I think; we'll check again: cpconfig, so Disable in both the firewalls; it is up also. cphaprob state: you are seeing that it is already showing here, and in my second firewall, OK, it is not attached; it is showing Active Attention. So what I need to do is put these firewalls in HA. There is no security gateway right now. You assume that this is not showing here; if I had disabled it, it would go from here.

We will right-click here and go to Cluster, Security Cluster; Check Point Appliance we have to select. Click on Wizard Mode and give a name to your cluster: test_cluster. So here are the options: ClusterXL; we can also select VRRP, which I was discussing with you: instead of legacy there is now VRRP. Further we will not discuss this today; we will discuss only ClusterXL, and ClusterXL has the two parts, high availability and load sharing. We will configure high availability, and further we can change this; I will show you. So this IP address will be the VIP, the virtual IP of your cluster; this will be defined here and will work as the gateway for all your devices. Click on Next. Here I need to add my firewalls. Add existing: there is no firewall in existing as I have already deleted it. Click on New: FW1, the IP of fw1 is .21, activation key. This activation key earlier was admin@123; the OTP is one time, let's see whether it takes or not. It should not take it. So it has not taken it; the OTP for SIC is only one time, so we need to set it again. cpconfig: the option is SIC, press 5. Yes, please. admin@123, admin@123 again, done. It will only take effect when you click on Exit. Now you can see all the processes have restarted. .22 is the second firewall; in my first firewall I need to do the same thing: 5, yes, yes. All right, both the firewalls, I just did that.

Let's check it; this connectivity has gone. Earlier I had just rebooted it, that's why. OK, when this is done we will move on to our configuration. So we were typing something; till that time, firewall one, firewall two: same, copy, paste this, enter; this is the same, .22, and done. SMS server: I have configured only one interface, this one, and IP address 10.10.10.10. Write the command to make it up. So this is the only configuration on both your firewalls and your SMS server; nothing else you have to do. So this is done. The second one, yeah, you can see here, HA module not started. Now it has shown the proper information here. My system is hanging because I have opened a lot of things here. cphaprob, OK, this is what I wanted to show you. This is in VMware, so that's why the problem is coming; it is taking effect very slowly. But as I have reset both of my firewalls, actually both show HA module not started, but earlier it was showing me the information of HA because HA was configured. So when we configure the HA, after that this option should not come. All right.

So let's move to our... we need to reset the OTP again. OK, now Initialize: Trust established, it is communicating, close. OK, add another firewall: New, fw2, 10.10.10.22, that was .22, right; admin@123; it's communicating. OK, click Next, Next, Finish. Yes, don't touch this option; configure this later. All right, our HA is done. OK, you want to check cphaprob, but I will tell you that it will still not take effect. What happened: instead of PuTTY you can download Secure SSH, yeah, I think that is the name, because whenever I restart it the connection drops all the time, but that doesn't happen in that. cphaprob state: see, still that same HA module has not started, even though we have done the configuration, because our configuration is not complete.

Now here one by one I will show you. This is the name of our cluster and this is the IP address of the cluster. Hardware: Open server, that I have selected. When I installed R77, because this platform is R77; this is Gaia, and this I think it has taken automatically, I'm not sure about it. And I go to Cluster Members: there are two members, fw1 and fw2. I think up to eight I can add; I'm not sure about that; if you are sure then please write in the comments. From here I can increase and decrease the priority. Suppose I want my firewall two to become the primary; at that time I will click here, Increase Priority; now my fw2 will become the primary. This is a question asked in interviews: how to change the priority, how to make your firewall active? So the answer is that I can change the priority by going to Cluster Members, priority, and there I will increase the priority of the firewall which I want to make active. But that is the first step to make it active. The second step is here, ClusterXL and VRRP: here, Upon cluster member recovery: Maintain current active cluster member. So whichever is active, suppose, let's go back to our diagram. This is my firewall one, this is my firewall two. My firewall one is active and this is standby. Right now firewall one goes down; obviously my firewall two will become active. Now my firewall one came up: it will again become active and that one will become standby. So this is what this first option is saying: whosoever was active earlier has to become active again. Maintain current active cluster member: whoever is currently active, maintain that. The second is Switch to higher priority cluster member: whosoever has higher priority here, make that member active upon recovery. So to force this option you need to restart one of the cluster members; in a live environment we don't do that, it happens when the firewall reboots automatically or fails automatically or something happens. OK, so Switch to higher priority, upon that.

Here are some options: High Availability and Load Sharing. I told you that ClusterXL has two options, high availability and load sharing. In high availability you have ClusterXL and VRRP. ClusterXL, that we are configuring, that is the new mode, and VRRP is the mode I told you: instead of legacy they have introduced VRRP now. OK, and legacy mode is multicast and unicast; we are not touching that. Tracking: track changes in the status of cluster members; from here you can track, log, alert, mail alert; these options if you want mail to be sent to you when it is down. So these are the options. OK. The main important thing, where you have not completed your configuration, is Topology. These are the only three options, four options, for your HA. You have to go to Edit, and here what you have to do is Get all members' topology, which it already has, but we will also click on that. So this is not our external network, this is our internal network; what is it saying, external? Wow, we have to change it. We'll go here, edit the interface, and this interface should be internal, not external, and IP address: this was .50, I hope you remember .50 was the IP address for my internal, and it requires the mask as well, 255.255.255.0. OK, internal; they should not create any problem. All right, this all becomes internal, 10.10.10.50, and this one is external. Right-click, Edit interface; it is saying that your IP address... then you can give 20.20.20.50, mask 255.255.255.0; now go to External, OK, click OK. OK, 10 is internal on eth0, 20 is external on eth1, all right, and this is my sync interface; I will set it for sync. OK, that's all right, done, click OK.

Oh, that's great, I didn't get any error till now. You will get HA module not started even though we have completed all the configuration; what we have not done is we have not installed the policy to enforce it. OK, let's install the policy; it will take some time, till that time I think I should pause the video. So it has completed without any error. When I configured the HA last time it took me one hour; I was continuously getting so many errors, but right now I didn't get any error. I will tell you why I was getting errors when I was configuring my HA: here I had it disabled but HA recommends you to enable that, and when I was going into topology I was messing with this: here it is, it was internal and I had given it external, but earlier I had given the same, so this address was written external earlier and I had given external here and I was not able to change that. Then I deleted all of it, all the policy. I had made that video also, but that video is messy; it contains lots of errors from when I was configuring it the first time. OK, that's done, now successful. Let's see what it is showing here; now it is hanging all the time, even though my RAM is 12 GB. OK, it will not work because I have not created any policy to make it work. Let's make a policy. I can see it is dropping; it is dropping everything. OK, I need to create one policy: Any, Any, Any, Any, Accept. OK, this is my clean-up rule; above this is my LAN rule. OK, I can also make a stealth rule: the stealth rule will be that anyone should not access my gateway or my firewalls; destination is my firewall; no one should access it; from Any to the firewall it should be dropped.

And after that, what is this? Oh my god, again some problem; this is also not working. I just wanted to show you whether HA has worked or not; I will troubleshoot that problem later. OK, cphaprob state: see, it has actually started working, and yeah, it should not show none here; that's why I just pressed again. So my active is this one, .12 is active and standby is .11. OK, in my dashboard I think I have selected this higher priority for this one; that is why it has become active. And now I want my active firewall to go down forcefully. No, I do not want to restart it, but it should be up and this one should become active. So I have written one command to forcefully make the other firewall active: clusterXL_admin. I will also show you: clusterXL_admin, yes, it shows the error: I was typing it with a small x earlier in my notepad, so that's what I wanted to show you, it is a capital X. Oh, again... I think this command will run in expert mode. clusterXL_admin down. OK, this will work only in expert mode. So my admin down is done now; let's see what happened with my HA. cphaprob state: you can see that my .12 is down and my .11 has become active. Do we have to make that up also? But yeah, you can see, at higher priority my .12 has become active again; the reason is I have given the higher priority to that. OK, so that was the thing, how you can make active and standby.

There is another command I came to know from Google; this is a very big command. I need to open PuTTY, but I have not pushed the policy and something happened to my SmartDashboard; I'm worried that it will not open. Let's try. OK, that's good, that's great. OK, you will go to Policy and create one policy. OK, let it be Any, Any, Allow; we will do fine tuning of the policies after that, our stealth, drop. This lecture is not for creating the policies; this lecture is only for clustering. So let me push that so I can access my PuTTY. So it has ended with errors: rule 1 conflicts with rule 2 for service Any. I accept, except... OK, objects: I should keep services ICMP, and I think it should be echo-request, not reply. OK, as always we do; till that time, operation successful. admin, admin123, I forgot. OK, state: .12 is still active, this one; this one is still the problem, so we have to run this command on the active one. What does this command do? I will show you. One thing I will show you, cphaprob list: these are the list of devices; these are called pnotes or also called critical devices. These all are up; if one of them goes down, our primary will become the secondary. Right now this is primary; here I will run that command. Oh, I have just copied this; check that nothing should happen to our... OK, paste. OK, failure detection mechanism... this one has not worked, invalid command. OK guys, that command has not worked; I had seen this on Google. Now in expert mode it's not working. OK, so that command is not working, so I would recommend you only use one command to make it standby: to make this one standby, that command is clusterXL_admin down. OK.

One more practical I want to do myself; I have not done it earlier. That is: OK, if I change the priority... the priority is fw2; OK, I just changed the priority to fw1, I clicked on OK; nothing will happen, that I know. OK, this will be my active only, this one. But with this command, admin down, obviously that will make it down, but then I will make it up again: will that again become active, or will my second one become active? This is my question. OK, that has become active again. So that command is just if you want to make your active device down. Forcefully you are making a failover; you are making your active device down, but you could not make your active device work as a standby: if you make that up, that will again become your active. OK, so suppose this one is facing some problem, this one is getting some connections and not getting some other connections, or something else; it is misbehaving. This means your active device; you will make it down by this command. Now you will see that, OK, this one has become active. OK, so suppose this has not worked: your secondary device is already faulty, now not even a single connection is working, but from this device at least your VPN was not working and the rest of the things were working. So what you will do: you will make that up again. All right, within a single instant of time you can make your active up again, and you can replace your secondary: first you will make down your secondary and you will replace it, and then again you will come up with this command. This is the benefit of that: you will forcefully make the primary down and make the secondary up and check whether the traffic is working fine; if it's not working fine you will revert it back. That is the use.

I have never added three firewalls in HA; shall we do that? OK, let's see; this video is becoming so long. I don't know what wrong can happen, but at least let's try; I cannot guarantee you currently. OK, go to another firewall; I have cloned it; this is my remote firewall, I thought to make a VPN for that. Let it come up; till that time I will pause the video. OK guys, that has come up, and I cannot directly put these IPs because it has this IP address, because I have cloned it from fw1; I have to manually give it: set interface eth0 ipv4-address .24 subnet-mask 255.255.255.0, eth1 .24, OK, and this to be .14. OK, set interface eth0 state up. I think also we need to reset SIC: cpconfig, 5, yes. I need to pause till that time; it will take time. OK, that firewall came up; I am also able to ping. Let's go to how to add the third firewall.

Suppose your client now has said to you, "I got my third firewall, I purchased a third one, just add it to the cluster as well." We cannot deny that; we have to do that. What we have to do is: here there is an option from where we can add Existing; nothing will show because we have no existing ones; we already added them. New Cluster Member: you can also add directly here, and then here you need to click... OK, remote_fw, 10.10.10.24, it was .24. OK, here you need to add the one-time password, so your SIC OTP is only one time. Trust established, that's right; SIC status: it is communicating; close. OK. All right, now you go to Topology, Edit, and here you need to get the topology: remote, there is no interface, click on Get. OK, so eth0 .24, eth1 .24, this all done; click OK, click OK again. You want to see that before pushing the policy? No, it's HA module not started; we need to push the policy. So the policy is pushed successfully; close. Now let's check that. Hmm, now there are three firewalls. All right, yeah, the IP was not coming, I think this is a problem with our VMware. Local is .12 and that is now standby and this is our active, .11. OK, why did it become standby? Let's check the priority here. OK, my fw1 is first, so it has higher priority; that's why it became the primary. One thing that needs to be noticed is that the other firewall which I recently added is down. I do not have any document to check that; if you have, you can share it with me, whether if three firewalls are in HA then only two will be primary or secondary and the third will be down. cphaprob state: here it is different: one is active and the other two are standby. OK, let's see, on the third firewall cphaprob state: this is also giving one as active and two others as standby. Three, state... OK, that was, I think, the election going on; now the election has been done and only one firewall will be active and the other two will be standby. If one firewall goes down, then again the election will happen. How will that happen? Let's make our primary down: expert, admin123, OK, clusterXL_admin down. cphaprob state: admin down; my second firewall, fw2, has become active and the third one is standby.

OK guys, hope you liked the video, hope you enjoyed. I don't think I have missed anything. Logs: if you want to see logs, I'll show you what we are doing. That: could not reach gateway, ClusterXL problem, this one is down, that we have done down. OK, this is your management logs; management logs will show you that administrator admin, who is the culprit, he has installed the policy without approval, so here you can come to know, OK, admin, what changes he has done: reset SIC, reset trust state. OK, what else do you want to see? SmartView Monitor; I think the lecture has gone to one hour. Monitor here: fw1 is problematic, that is the ClusterXL, it refers to... notification, and enter this; this is the table; it is saying that there is some problem. OK, you want to go to more: Synchronization OK, OK, admin down, so this we have done. Status: problem. Is that me? No, OK: member state down, member ID 1, working mode: primary up; primary is up, that we have already seen, that our second firewall has become the primary. OK, these are all up. This is what information you can see from here, but if you want to go to cphaprob list, more granular information you can see over there. OK, and I would like to show you in fact only one; in that all will not be OK. cphaprob list: it has become... synchronization will be down, as I showed you at the start. OK guys, this is the time now to close. OK, bye, hope you enjoyed the video, bye.
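The two checks the video keeps coming back to, cphaprob state and cphaprob list, are exactly what a practitioner scripts into monitoring once the cluster is in production, so that a member stuck in Down or Active Attention, or a pnote in the problem state, is caught before a failover is needed. The following is an added example, not code from the video and not Check Point's own tooling: a Python parser for both outputs that reports anything a ClusterXL HA cluster should not show (other than exactly one Active member, an Active member not carrying 100% load, a member in any state other than Active/Standby, or a critical device not OK). The two sample outputs are constructed to mirror the R77-era layout seen on screen; the 10.10.11.x sync-network addresses, the third member, and the device names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `cphaprob state` taken on the ACTIVE member (assumed
# R77-style layout: a "Cluster Mode" line, then one row per member; the
# Unique Address column is the member's sync-interface IP, here 10.10.11.x).
SAMPLE_STATE = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  10.10.11.12     100%            Active
2          10.10.11.11     0%              Standby
3          10.10.11.13     0%              Down
"""

# Constructed sample of `cphaprob list` from a member whose Synchronization
# pnote (critical device) is in the problem state, as in the video.
SAMPLE_LIST = """\
Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: problem
Time since last report: 2.4 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1.0 sec
"""


@dataclass
class Member:
    number: int
    local: bool
    address: str
    load: int      # Assigned Load, percent
    state: str     # lower-cased: active, standby, down, active attention, ...


# One member row: number, optional "(local)", IPv4, load%, state (rest of line).
MEMBER_RE = re.compile(
    r"^\s*(\d+)\s*(\(local\))?\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)%\s+(.+?)\s*$",
    re.M,
)


def parse_state(text):
    """Parse `cphaprob state` output into (cluster_mode, [Member, ...])."""
    mode_match = re.search(r"^Cluster Mode:\s*(.+)$", text, re.M)
    mode = mode_match.group(1).strip() if mode_match else ""
    members = [
        Member(int(num), bool(loc), addr, int(load), state.lower())
        for num, loc, addr, load, state in MEMBER_RE.findall(text)
    ]
    return mode, members


def parse_list(text):
    """Parse `cphaprob list` output into {device name: state (lower-cased)}."""
    devices, name = {}, None
    for line in text.splitlines():
        if line.startswith("Device Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Current state:") and name is not None:
            devices[name] = line.split(":", 1)[1].strip().lower()
            name = None
    return devices


def check_cluster(state_text, list_text):
    """Return the list of findings a monitoring job should alert on."""
    findings = []
    mode, members = parse_state(state_text)
    if "high availability" not in mode.lower():
        findings.append(f"unexpected cluster mode: {mode!r}")
    active = [m for m in members if m.state == "active"]
    if len(active) != 1:
        findings.append(f"expected exactly one Active member, found {len(active)}")
    elif active[0].load != 100:
        findings.append(f"Active member {active[0].address} carries {active[0].load}% load, not 100%")
    for m in members:
        if m.state not in ("active", "standby"):
            findings.append(f"member {m.number} ({m.address}) is {m.state}")
    for device, state in parse_list(list_text).items():
        if state != "ok":
            findings.append(f"pnote {device!r} reports {state}")
    return findings


if __name__ == "__main__":
    for finding in check_cluster(SAMPLE_STATE, SAMPLE_LIST):
        print("ALERT:", finding)
```

On a real member, capture the two outputs from expert mode (for example `cphaprob state > state.txt` and `cphaprob list > list.txt`) and feed the file contents to check_cluster; run the same check on every member, because as the video shows, one member's cphaprob list can report the Synchronization pnote as a problem while another member's looks clean.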
Info
Channel: Technical_Scoop
Views: 922
Keywords: Checkpoint cluster xl, checkpoint ha, Checkpoint 3 firewalls, high availability, vrrp, load sharing.
Id: da6AAQ80Zi8
Length: 54min 8sec (3248 seconds)
Published: Mon Feb 12 2018