When you use the Check Point cpconfig program (at the command line or using Network Voyager), follow these guidelines:

• Install Check Point NGX as an enforcement module only on each node. Do not install Check Point NGX as a management server and enforcement module.

• After you choose to install Check Point NGX as an enforcement module, you are asked if you want to install a Check Point clustering product. The screen displays the following question: "Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ?" The default is no; be sure to enter yes.

• If you plan to use SecureXL, enable it when you are prompted to do so.

You then create and configure a gateway cluster object with the external VRRP IP address.

• Use the Check Point SmartDashboard application to create a gateway cluster object.

• Set the gateway cluster object address to the external VRRP IP address, that is, the VRRP IP address of the interface that faces the external network.

• Add a gateway object for each Nokia appliance to the gateway cluster object.

• In the General Properties dialog box for the gateway cluster object, do not check ClusterXL.

• Configure interfaces for each member of the VRRP cluster. Click the Topology tab for each VRRP cluster member and click Get.

• Configure interfaces for the VRRP cluster. Click the Topology tab for the gateway cluster object, and click Get.

• Enable state synchronization and configure interfaces for it.

Note

The firewall synchronization network should have bandwidth of 100 Mbps or greater.

The interfaces that you configure for state synchronization should not be part of a VLAN or have more than one IP address assigned to them.

When you finish configuring the gateway cluster object, you must also specify settings under the 3rd party configuration tab as described in the following procedure.

Configure settings under the 3rd party configuration tab

1. In the Specify Clustering Mode field, check High Availability.

2. From the Third-Party Solution drop-down list, select Nokia VRRP.

3. Check all the available check boxes.

4. Click OK to save your configuration changes.

Note

If you use different encryption accelerator cards in two appliances that are part of a VRRP group or an IP cluster (such as the Nokia Encrypt Card in one appliance and the older Nokia Encryption Accelerator Card in another appliance), you should select encryption/authentication algorithms that are supported on both cards. If the encryption/authentication algorithm is supported in the master and not supported by the backup and you also use NAT,

Nokia Network Voyager for IPSO 4.0 Reference Guide
