Alteon Switched Firewall 6000 Installation - Part 3
Posted On Oct 31, 2008 at 5:03 PM by Dophi

After Part 1 and Part 2 have been done, it's time to expand the single NSF to a cluster. A redundant Firewall Accelerator and extra Firewall Directors can be added to create a high-availability firewall. Firewall Directors can be added seamlessly to the cluster, increasing firewall processing capacity without taking the system offline.
1. Configuring the second Firewall Accelerator: Before configuring the second accelerator, use "/info/det" to verify the accelerator status.
------------------------------------------------------------
[Main Menu]
info - Information Menu
cfg - Configuration menu
boot - Boot menu
maint - Maintenance menu
diff - Show pending config changes [global command]
validate - Validate configuration [global command]
security - Display security status [global command]
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]
>> # /cfg/acc
>> Accelerator Configuration# ac2/mac 00:16:ca:51:72:00
>> Accelerator 1# addr 10.1.1.4
>> Accelerator 1# iap 8
2. Enable high-availability for the cluster:
>> Configuration# acc
------------------------------------------------------------
[Accelerator Configuration Menu]
auto - Set auto discovery
ha - Set high availability
vma - Set VMA-based performance
rearp - Set re-ARP period in minutes
passwd - Set accelerator password
ac1 - Accelerator 1 Menu
ac2 - Accelerator 2 Menu
master - Preferred HA master
det - Display detected accelerators
hc - Health Check Menu
mprlimit - MP Rate limiter Configuration Menu
mgmtnet - Set higher priority management network
>> Accelerator Configuration# ha y
3. Configure VRRP on each IP interface:
>> # /cfg/net/if 2/vrrp
>> VRRP Configuration# vrid 2
>> VRRP Configuration# ip1 20.1.1.252
>> VRRP Configuration# ip2 20.1.1.253
>> VRRP Configuration# /cfg/net/if 3/vrrp
>> VRRP Configuration# vrid 3
>> VRRP Configuration# ip1 30.1.1.252
>> VRRP Configuration# ip2 30.1.1.253
>> VRRP Configuration# /cfg/net/if 4/vrrp
>> VRRP Configuration# vrid 4
>> VRRP Configuration# ip1 40.1.1.252
>> VRRP Configuration# ip2 40.1.1.253
>> VRRP Configuration# /cfg/net/if 5/vrrp
>> VRRP Configuration# vrid 5
>> VRRP Configuration# ip1 50.1.1.252
>> VRRP Configuration# ip2 50.1.1.253
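The VRRP step above is where a slip (a VRID typed twice, or ip2 landing in the wrong subnet) quietly breaks failover. The following is an added example, not code from the post or from the Alteon CLI: it parses the transcript lines as typed in step 3 (embedded below as constructed input) and flags such mistakes before "apply". The /24 prefix is an assumption taken from the join step.

```python
# Added example (not from the post or the Alteon CLI): parse the VRRP lines
# typed in step 3 and flag mistakes that would break HA failover before
# "apply": a VRID reused on two interfaces, ip1 == ip2, or the pair not in
# the same subnet (a /24 is assumed, matching the /24 used in the join step).
import ipaddress
import re

TRANSCRIPT = """\
>> # /cfg/net/if 2/vrrp
>> VRRP Configuration# vrid 2
>> VRRP Configuration# ip1 20.1.1.252
>> VRRP Configuration# ip2 20.1.1.253
>> VRRP Configuration# /cfg/net/if 3/vrrp
>> VRRP Configuration# vrid 3
>> VRRP Configuration# ip1 30.1.1.252
>> VRRP Configuration# ip2 30.1.1.253
"""  # constructed input: the first two interfaces from the post's transcript

IF_RE = re.compile(r"/cfg/net/if (\d+)/vrrp")
KV_RE = re.compile(r"#\s+(vrid|ip1|ip2)\s+(\S+)\s*$")

def parse_vrrp(transcript):
    """Map interface number -> {"vrid": int, "ip1": str, "ip2": str}."""
    config, current = {}, None
    for line in transcript.splitlines():
        m = IF_RE.search(line)
        if m:                       # a new "/cfg/net/if N/vrrp" context
            current = int(m.group(1))
            config.setdefault(current, {})
            continue
        m = KV_RE.search(line)
        if m and current is not None:
            key, value = m.groups()
            config[current][key] = int(value) if key == "vrid" else value
    return config

def check_vrrp(config, prefixlen=24):
    """Return a list of problems; an empty list means the config is consistent."""
    problems, seen = [], {}
    for ifnum, e in sorted(config.items()):
        missing = [k for k in ("vrid", "ip1", "ip2") if k not in e]
        if missing:
            problems.append(f"if {ifnum}: missing {', '.join(missing)}")
            continue
        if e["vrid"] in seen:       # VRIDs must be unique per VRRP domain
            problems.append(f"if {ifnum}: vrid {e['vrid']} already used on if {seen[e['vrid']]}")
        seen.setdefault(e["vrid"], ifnum)
        if e["ip1"] == e["ip2"]:
            problems.append(f"if {ifnum}: ip1 and ip2 are identical")
        net = ipaddress.ip_interface(f"{e['ip1']}/{prefixlen}").network
        if ipaddress.ip_address(e["ip2"]) not in net:
            problems.append(f"if {ifnum}: ip2 {e['ip2']} is outside {net}")
    return problems
```

Run check_vrrp(parse_vrrp(...)) over the full transcript from the CLI session; an empty list means the VRRP settings are safe to apply.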
4. Configuring the second Firewall Director: Use the "join" command to join the second Firewall Director to the existing cluster.
------------------------------------------------------------
[Setup Menu]
join - Join an existing NSF cluster
new - Create a new NSF installation
restore - Restore this SFD from a backup
offline - Configure this SFD for offline maintenance
boot - Boot Menu
naap - Set NAAP VLAN id
exit - Exit
>> Setup# join
Setup will guide you through the process of manually joining an existing cluster.
Please make sure this SFD is plugged into the cluster and that the cluster
is operational before proceeding.
Enter cluster admin user password:
Enter what will be this SFD's IP: 10.1.1.2
Enter network mask (same mask given while new) or /bit count [255.255.255.0 or /24]: /24
Enter the cluster's Master IP (MIP): 10.1.1.5
Enter Check Point SIC one-time password:
Enter password again:
Joining cluster...ok
Configuring Check Point.............................................................................ok
Join complete.
Please relogin if any further setup is necessary
5. Configure the synchronization interface: A reboot is needed after enabling sync.
>> Main# /cfg/fw/sync/net 60.0.0.0
>> Sync Configuration# ena y
Current value: n
Enabling sync may reboot all SFDs when you apply. Are you sure (y|n)? y
After the steps above have been done, the NSF is in cluster mode and both Firewall Directors share a single system image. Therefore, no matter which one I log in to, I can use a single CLI to control both NSFs.
6. Create the second gateway: Log in to SmartCenter and repeat the steps mentioned previously in Part 2. Assign the IP address of NSF 2.
7. Establish the SIC on NSF 2: After the SIC has been established, change the OS type to Linux and un-select "ClusterXL" in the Check Point Products window.
8. Get the interfaces for NSF 2: SmartCenter retrieves all interface information, including the "sync" interface (eth3).
9. Change the maximum concurrent connections of the gateway: Select "Capacity Optimization" to change the maximum concurrent connections to 500,000.
10. Back to the first NSF and get interfaces: Because the sync interface (eth3) is now enabled, I have to get the latest interface information of NSF 1.