Difference between revisions of "Gaia VRRP setup guide"

From cpwiki.net
Check Point Professional Services

Latest revision as of 01:59, 18 February 2016


Create VRID and backup addresses

From the clish prompt, create the VRID, add the backup addresses and save the config. The commands are the same on both members except for the priority.


 [Expert@chkpfw1]# clish
 chkpfw1> add mcvr vrid 100 priority 100 priority-delta 10
 chkpfw1> add mcvr vrid 100 backup-address 172.16.31.11
 chkpfw1> add mcvr vrid 100 backup-address 192.168.175.1
 chkpfw1> save config

 [Expert@chkpfw2]# clish
 chkpfw2> add mcvr vrid 100 priority 95 priority-delta 10
 chkpfw2> add mcvr vrid 100 backup-address 172.16.31.11
 chkpfw2> add mcvr vrid 100 backup-address 192.168.175.1
 chkpfw2> save config

Configure cluster object

If upgrading from SecurePlatform, you will need to set the OS version on the cluster object. When you do this, the "ClusterXL" option on the left side will expand to read "ClusterXL and VRRP".

(Image: chkp vrrp cluster config-1.png)


Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working.


(Image: chkp vrrp cluster config-1.png)

Add rule to allow VRRP advertisements

If the rulebase does not allow the VRRP advertisements, neither member hears the other and both declare themselves master (master/master status).

(Image: chkp vrrp rule.png)


Proxy ARPs

If you have NATs with associated proxy ARPs, you will need to adjust the config (when switching over from CPHA) to match the new VRRP MACs.

The VMAC will be 00:00:5e:00:01:xx, where xx is the hexadecimal form of your VRID. In this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view it by running:

 [Expert@chkpfw1]# clish -c "show vrrp interfaces" | grep -i vmac
            VMAC Mode:                VRRP                 VMAC:                     00:00:5e:00:01:64
            VMAC Mode:                VRRP                 VMAC:                     00:00:5e:00:01:64

Checking your configuration

 [Expert@chkpfw1]# clish -c "show vrrp summary"
 VRRP State
 VRRP Router State: Up
 Flags: On
 Interface enabled: 2
 Virtual routers configured: 2
 In Init state 0
 In Backup state 0
 In Master state 2

 [Expert@chkpfw2]# clish -c "show vrrp summary"
 VRRP State
 VRRP Router State: Up
 Flags: On,MonitorFirewall
 Interface enabled: 2
 Virtual routers configured: 2
 In Init state 0
 In Backup state 2
 In Master state 0


Verify that your VRRP backup address is in effect. It will NOT show up in ifconfig output, so use ip addr instead.

 [Expert@chkpfw1]# ip addr show eth0
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff
    inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0
    inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0   <<< this line is the vrrp backup-address
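As an added check (not part of the original wiki page), the script below parses the two "show vrrp summary" outputs and the "show vrrp interfaces" VMAC lines shown above, flags a master/master split, and confirms each VMAC matches 00:00:5e:00:01:<VRID in hex> so proxy ARP entries can be compared against it. The sample output strings are constructed from the page's examples; the function names are my own.

```python
import re

# Constructed samples in the format the page shows (real output spans several lines;
# the regex below tolerates that). Replace with the output of your own members.
SUMMARY_FW1 = ("VRRP State VRRP Router State: Up Flags: On Interface enabled: 2 "
               "Virtual routers configured: 2 In Init state 0 In Backup state 0 In Master state 2")
SUMMARY_FW2 = ("VRRP State VRRP Router State: Up Flags: On,MonitorFirewall Interface enabled: 2 "
               "Virtual routers configured: 2 In Init state 0 In Backup state 2 In Master state 0")
INTERFACES_FW1 = ("VMAC Mode: VRRP  VMAC: 00:00:5e:00:01:64\n"
                  "VMAC Mode: VRRP  VMAC: 00:00:5e:00:01:64\n")

COUNTERS = re.compile(r"Virtual routers configured:\s*(\d+)\s+In Init state\s*(\d+)"
                      r"\s+In Backup state\s*(\d+)\s+In Master state\s*(\d+)")

def parse_summary(text):
    """Pull the configured / init / backup / master counters out of 'show vrrp summary'."""
    m = COUNTERS.search(text)
    if not m:
        raise ValueError("unrecognised 'show vrrp summary' output")
    return dict(zip(("configured", "init", "backup", "master"), map(int, m.groups())))

def check_pair(summary_a, summary_b):
    """Return the problems found for a two-member pair; an empty list means healthy."""
    a, b = parse_summary(summary_a), parse_summary(summary_b)
    problems = []
    if a["configured"] != b["configured"]:
        problems.append("members disagree on the number of virtual routers")
    if a["init"] or b["init"]:
        problems.append("a virtual router is still in Init state")
    if a["master"] and b["master"]:
        # Both members hold Master: advertisements are not reaching the peer
        # (the rule for VRRP advertisements is the usual fix) or the VRIDs are split.
        problems.append("master/master: both members hold Master state")
    if a["master"] + b["master"] != a["configured"]:
        problems.append("not every virtual router has exactly one master")
    return problems

def expected_vmac(vrid):
    """VRRP virtual MAC for a VRID: 00:00:5e:00:01:<VRID in hex>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return "00:00:5e:00:01:%02x" % vrid

def vmac_mismatches(interfaces_text, vrid):
    """VMACs in 'show vrrp interfaces' output that differ from the one expected for vrid."""
    want = expected_vmac(vrid)
    seen = re.findall(r"VMAC:\s*([0-9a-fA-F:]{17})", interfaces_text)
    return [v for v in seen if v.lower() != want]
```

Run check_pair against the saved output of both members after a policy push or a failover; a non-empty list is worth an alert.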

Failover

To control which firewall is master, adjust the priorities. At the start we set the chkpfw1 priority to 100 and chkpfw2 to 95. If we raise the priority of chkpfw2 above 100, it will become master.

Example:

 chkpfw2> set mcvr vrid 100 priority 105

If you want to leave it that way and have it survive a reboot, you will also have to run "save config".