How To Configure and Optimize VSLS in VSX

10 April 2012

© 2012 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=15061
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).

Revision History
Date         Description
4/10/2012    First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Configure and Optimize VSLS in VSX).

Contents
Important Information
How To Configure and Optimize VSLS in VSX
Objective
  Supported Versions
  Supported Operating Systems
  Supported Appliances
Before You Start
  Related Documents and Assumed Knowledge
  Impact on Environment and Warnings
Configuring VSLS in VSX
Optimizing VSLS Distribution

How To Configure and Optimize VSLS in VSX

Objective
This document shows the administrator how to configure and optimize a Virtual System Load Sharing (VSLS)
configuration, with several examples.

Supported Versions
VSX gateway versions    Management server    Provider-1
VSX R65                 R70 and above        R70 and above
VSX R67                 R71 and above        R71 and above

Supported Operating Systems
VSX Gateways
  SecurePlatform
  IPSO
  XOS

Supported Appliances
  VSX-1
  IP Appliances
  Crossbeam

Before You Start


Related Documents and Assumed Knowledge

VSX NGX R67 Administration Guide
(http://dl3.checkpoint.com/paid/fb/CP_NGX_R67_VSX_AdminGuide.pdf?HashKey=1333356901_262d0f6dafd40477fddfe3fefa99099f&xtn=.pdf)

VPN-1 Power VSX R65 Administration Guide
(http://dl3.checkpoint.com/paid/47/VPN1_Power_VSX_NGX_R65_Administration_Guide.pdf?HashKey=1333356630_074817eed032fe370064d40b1c278eac&xtn=.pdf)

Knowledge of the VSX product

Knowledge of Management Products (SmartCenter Server or Provider-1)

Impact on Environment and Warnings


Before you use Load Sharing VSLS, be sure that the desired configuration is supported. Always read the
administration guide first.

VSLS is used to distribute the load over multiple cluster members (currently there is a 13 member limit).
Keep in mind that in case of failover, the remaining member(s) should be able to sustain the load.

Each Virtual Switch must have a physical or VLAN interface that provides connectivity between cluster
members. Without a path between VSs, communication from one VS to another is broken. Even though
a synchronization link that connects the cluster members already exists, this network is not, and cannot
be, used to pass VS to VS traffic between cluster members.

Do not use the vsx_util redistribute_vsls command when the cluster is under heavy load. The
redistribution process consumes resources.

When a failover occurs, connections may be lost. VSLS supports zero connectivity down-time, but there
may be events, external to the VSLS cluster, which might cause loss of connection.

Virtual Routers are not supported.

Configuring VSLS in VSX


Before you begin the configuration, enable ClusterXL.

To Enable ClusterXL:
1. If ClusterXL was not activated during the first time wizard, run: cpconfig
2. When prompted to choose a configuration option, enter 6 to select Enable cluster membership for
this gateway. A line that says what is selected appears.
3. When asked if you are sure that is the configuration you want, make sure the line mentions Enable
cluster membership for this gateway. If it does, enter y to approve. If it mentions something else,
reselect.
4. When a line that says the configuration is enabled appears, run: reboot for the change to take effect.
[VSX2:0]# cpconfig
Configuration Options:
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Disable Check Point SecureXL
(8) Automatic start of Check Point Products
(9) Exit
Enter your choice (1-9) :6
Enable cluster membership for this gateway...
==============================================
You have selected to enable cluster membership for this gateway.
Are you sure? (y/n) [y] ? y
Cluster membership for this gateway was enabled successfully
Important: This change will take effect after reboot.
[VSX2:0]# reboot

To Enable Check Point Per Virtual System State:


1. Run: cpconfig
2. When prompted to choose a configuration option, enter 7 to select Enable Check Point Per Virtual
System State.
3. When asked if you want to enable that configuration, enter y to approve. A line that says the
configuration is changed appears.
4. When prompted to press Enter to continue, press Enter. A command line appears.
5. Run: reboot
[VSX2:0]# cpconfig
Configuration Options:
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Disable Check Point SecureXL
(10) Automatic start of Check Point Products
(11) Exit
Enter your choice (1-11) :7
Enable Check Point Per Virtual System State...
===============================================
Per Virtual System state is currently disabled.
Would you like to enable Per Virtual System state (y/n) [y] ? y
You have changed VPN-1 Power VSX Configuration.
Changes will take place after you reboot the machine.
Press 'Enter' to continue
[VSX2:0]# reboot

To Create a New VSLS Cluster:


1. From SmartDashboard, connect to the SmartCenter Server or Main CMA.
2. From the tree view, right click Check Point > VPN-1 Power VSX > Cluster. The VSX Cluster Wizard
window opens.
3. In the Enter the VSX Cluster Name field, enter the name. In the Enter the VSX Cluster IP Address,
enter the IP address. In the Select the VSX Cluster Version drop down list, select the version. In the
Select the VSX Cluster Platform drop down list, select Check Point ClusterXL Virtual System Load
Sharing.

4. Click Next. A warning appears.
5. Make sure the Check Point Per Virtual System State cpconfig option is enabled on all cluster members,
and click OK.
6. Follow the wizard to finish the gateway definition. For further information see NGX R67 VSX
Administration Guide
(http://dl3.checkpoint.com/paid/fb/CP_NGX_R67_VSX_AdminGuide.pdf?HashKey=1333356901_262d0f6dafd40477fddfe3fefa99099f&xtn=.pdf)
(Creating a New Cluster, page 93).

To Create VSs:
1. From the SmartDashboard tree view right click Check Point, and select VPN-1 Power VSX > Virtual
System. The Virtual System Wizard window opens.
2. In the Name field, enter the name. In the VSX Gateway/Cluster drop down list, select the VSX gateway
that hosts the Virtual System. If you want to create the Virtual System in the Bridge Mode, select the
Bridge Mode check box. If you want to be able to add additional interfaces, or modify the topology, or
other properties, select the Override Creation Template (Create Custom VS) check box, and click
Next.
3. Add/edit appropriate interfaces and routes, and click Next.
4. Click Finish to initiate the creation process.
5. Push Policy on the VSs.
For further information see VSX NGX R67 Administration Guide
(http://dl3.checkpoint.com/paid/fb/CP_NGX_R67_VSX_AdminGuide.pdf?HashKey=1333356901_262d0f6dafd40477fddfe3fefa99099f&xtn=.pdf)
(Working with Virtual Systems, page 42).

Optimizing VSLS Distribution


In general, virtual systems should be distributed by their load: the heaviest VS should be on member 1,
the second most loaded on member 2, and the third on member 3 (in the case of 3 members), then the
fourth most loaded on member 1, and so on. To determine the load, resource control monitoring must
be enabled.
In some situations the distribution described above is not optimal, for example when there is a lot of traffic
between certain VSs.
If VS 1 and VS 2 are the most loaded VSs in the cluster, they should normally reside on different members.
But when most of the load is inter-VS traffic, for example between VS 1 and VS 2 (in the image below),
placing them on different members actually causes additional load on the systems, because for the traffic
to make its way between different members it passes through a virtual switch and an external layer.

In this case, it is better for VS 1 and VS 2 to reside on the same cluster member, even though they are the
most loaded VSs, to avoid the additional load caused by additional traffic through the external switch (in the
image below).

If the traffic is accelerated with SecureXL, the load is further reduced (sometimes to even less load than on
two single firewalls). A packet for an accelerated connection is directly forwarded between the inbound and
outbound interfaces. It does not even go through the VSs or the VSW.
Note - To make this work as in picture 2, a VSW is required, and each VS needs an
interface connected. Adjust the VSX configuration accordingly.
By default, all VSs are assigned a weight of 10 to distribute them equally on all VSX gateways.
This can be verified in two different ways:

On the gateway, run: cphaprob state


cphaprob state output on the gateway:
[VSX1:0]# cphaprob state
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
=============================================
ID     | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
-------+-------+-----------+-----------+----------
1      | 0     | Active    | Active    | Active
2      | 10    | Active    | Standby   | Backup
3      | 10    | Backup    | Active    | Standby
4      | 10    | Standby   | Backup    | Active
5      | 10    | Active    | Backup    | Standby
6      | 10    | Standby   | Active    | Backup
---------------+-----------+-----------+----------
Active         | 3         | 3         | 2
Weight         | 20        | 20        | 10
Weight (%)     | 40        | 40        | 20


OR

On the management server, run: vsx_util vsls


vsx_util vsls command output:
VS Load Sharing - Menu
1. Display current VS Load sharing configuration
2. Distribute all Virtual Systems so that each cluster member is equally loaded
3. Set all VSes active on one member
4. Manually set priority and weight
5. Import configuration from a file
6. Export configuration to a file
7. Exit
Enter redistribution option (1-7) [1]: 1
VSID | VS name      | VSX1 | VSX2 | VSX3 | Weight |
2    | VS1          | 0    | 2    | 1    | 10     |
3    | VS2          | 1    | 0    | 2    | 10     |
4    | VS3          | 2    | 1    | 0    | 10     |
5    | VS4          | 0    | 1    | 2    | 10     |
6    | VS5          | 2    | 0    | 1    | 10     |
Total weight        | 20   | 20   | 10   | 50     |
Legend:
0 - Highest priority =ACTIVE
1 - Next priority = STANDBY
2 - Lowest priority = BACKUP
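
The priority table above also determines where each Virtual System lands when a member fails. The following added example (not part of the original guide) replays every single-member failure over that table, assuming a VS becomes active on the surviving member with the best priority in its list; the function names and the weight budget are constructed for illustration.

```python
# Constructed from the "vsx_util vsls" display above: for each VS, the priority
# of every member (0 = ACTIVE, 1 = STANDBY, 2 = BACKUP) and the VS weight.
VSLS_TABLE = {
    "VS1": ({"VSX1": 0, "VSX2": 2, "VSX3": 1}, 10),
    "VS2": ({"VSX1": 1, "VSX2": 0, "VSX3": 2}, 10),
    "VS3": ({"VSX1": 2, "VSX2": 1, "VSX3": 0}, 10),
    "VS4": ({"VSX1": 0, "VSX2": 1, "VSX3": 2}, 10),
    "VS5": ({"VSX1": 2, "VSX2": 0, "VSX3": 1}, 10),
}


def members_of(table):
    """All cluster members named in the priority lists."""
    return sorted({m for priorities, _ in table.values() for m in priorities})


def active_member(priorities, down=frozenset()):
    """Assumption: the VS runs on the surviving member with the lowest priority number."""
    alive = {m: p for m, p in priorities.items() if m not in down}
    return min(alive, key=alive.get) if alive else None


def member_load(table, down=frozenset()):
    """Sum of active VS weights per surviving member."""
    load = {m: 0 for m in members_of(table) if m not in down}
    for priorities, weight in table.values():
        host = active_member(priorities, down)
        if host is not None:
            load[host] += weight
    return load


def failover_report(table, budget):
    """For each single-member failure, return the post-failover load and the
    survivors whose active weight exceeds `budget` (a hypothetical per-member
    limit chosen by the administrator, in weight units)."""
    report = {}
    for failed in members_of(table):
        load = member_load(table, down={failed})
        over = sorted(m for m, w in load.items() if w > budget)
        report[failed] = (load, over)
    return report


def with_weight(table, vs, weight):
    """Copy of the table with one VS weight changed (priorities untouched)."""
    changed = dict(table)
    changed[vs] = (table[vs][0], weight)
    return changed


if __name__ == "__main__":
    print("normal:", member_load(VSLS_TABLE))
    for failed, (load, over) in failover_report(VSLS_TABLE, budget=40).items():
        print(f"{failed} down -> {load} over budget: {over}")
    # Raising VS1 to weight 50 without redistributing concentrates load on failover.
    heavy = with_weight(VSLS_TABLE, "VS1", 50)
    for failed, (load, over) in failover_report(heavy, budget=40).items():
        print(f"{failed} down -> {load} over budget: {over}")
```
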

To Assign an Active VS to One Cluster Member:


In some cases, it is better to change the default behavior. For example, when you need to perform a manual
(controlled) fail-over between instances of the same Virtual System on different VSX cluster members in
VSLS mode.
Virtual System Priority is the preference of a member to host the Active, Standby, or Backup states of the
VS (shown in the output example of the vsx_util vsls command before).
1. To change the distribution, run: vsx_util vsls
2. Enter 4 to select Manually set priority and weight.
3. Enter m to select [m]anually - update single Virtual System weight and priority.
4. Enter the VS name.
5. Enter y to change the priority.
6. Select member.
In this example, VS1 is moved from VSX1 to VSX2:
[Expert@P1]# vsx_util vsls
Enter SmartCenter Server/main CMA IP address (Hit 'ENTER' for 'localhost'): 1.1.1.21
Enter Administrator Name: admin
Enter Administrator Password:
Enter VSX cluster object name: Cluster-VSX
VS Load Sharing - Menu
1. Display current VS Load sharing configuration
2. Distribute all Virtual Systems so that each cluster member is equally loaded
3. Set all VSes active on one member
4. Manually set priority and weight
5. Import configuration from a file
6. Export configuration to a file
7. Exit
Enter redistribution option (1-7) [1]: 4
Update Virtual System VSLS parameter can be done using one of the following methods:
[m]anually - update single Virtual System weight and priority
[a]utomatic - iterate each and every Virtual System and update their weight
Please select update method (m|a) [m]:m
Enter the virtual system name: VS1
Would you like to change the virtual system's priority list? (y|n) [y]: y
Select from the following members:
(1) VSX1
(2) VSX2
(3) VSX3
index of highest priority member: 2
VSX2
Select from the following members:
(1) VSX1
(2) VSX3
index of next member: 1
VSX1
index of lowest priority member: 2
VSX3
Output of cphaprob after one VS is moved to another member:
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
ID     | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
-------+-------+-----------+-----------+----------
1      | 0     | Active    | Active    | Active
2      | 10    | Standby   | Active    | Backup
3      | 10    | Backup    | Active    | Standby
4      | 10    | Standby   | Backup    | Active
5      | 10    | Active    | Backup    | Standby
6      | 10    | Standby   | Active    | Backup
---------------+-----------+-----------+----------
Active         | 2         | 4         | 2
Weight         | 10        | 30        | 10
Weight (%)     | 20        | 60        | 20

To Assign All Active VSs to One Cluster Member:


During maintenance or upgrade, it is sometimes required to move all VSs to one gateway.
This can be done in different ways:

Choose redistribution option 3 - Set all VSs active on one member

OR

Choose redistribution option 4 - Manually set priority and weight and redistribute manually, one by one,
all VSs.

OR

Run clusterXL_admin down on the desired gateway

The output after all VSs are moved to one member (option 3):
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
ID     | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
-------+-------+-----------+-----------+----------
1      | 0     | Active    | Active    | Active
2      | 10    | Backup    | Active    | Standby
3      | 10    | Backup    | Active    | Standby
4      | 10    | Backup    | Active    | Standby
5      | 10    | Backup    | Active    | Standby
6      | 10    | Backup    | Active    | Standby
Active         | 1         | 6         | 1
Weight         | 0         | 50        | 0
Weight (%)     | 0         | 100       | 0

To Optimize the VSLS Load Distribution:


Since all VSs are not equal in terms of load and traffic, VSLS allows assignment of different weights to VSs.
The weight of a Virtual System affects the dispersal pattern of other Virtual Systems across cluster
members. A heavier weight assignment to a Virtual System gives it a larger share of the resources of a
particular member, and accordingly, disperses the other Virtual Systems to other cluster members.
A VS that processes more traffic consumes more resources. An administrator can determine how much
weight to assign to each VS according to the CPU usage of each VS.
1. To assign weight:
a) Enable Resource Control to show the CPU usage. On the gateway, run: vsx resctrl stat
For further information see VSX NGX R67 Administration Guide
(http://dl3.checkpoint.com/paid/fb/CP_NGX_R67_VSX_AdminGuide.pdf?HashKey=1333356901_262d0f6dafd40477fddfe3fefa99099f&xtn=.pdf)
(Working with VSX Resource Control, page 151)
Output of vsx resctrl stat when one VS processes more traffic than the others:
[Expert@VSX1:0]# vsx resctrl stat
Virtual Systems CPU Usage Statistics [%]
Number of CPUs: 1
Monitoring active time: 15h 28m 18s
ID  Name                     |Weight| 1sec   10sec  1min   1hr    24hr*
=============================+======+==================================
0   VSX1                     | N/A  | 0.07   0.08   0.12   0.01   0.00
1   VSX1_VSW                 | N/A  | 0.00   0.01   0.07   0.0    0.00
2   VSX1_VS1                 | 10   | 40.00  40.00  40.00  40.00  40.00
3   VSX1_VS2                 | 10   | 8.00   7.00   8.00   8.00   8.00
4   VSX1_VS3                 | 10   | 8.00   8.00   8.00   6.00   8.00
5   VSX1_VS4                 | 10   | 8.00   8.00   9.00   8.00   8.00
6   VSX1_VS5                 | 10   | 8.00   8.00   8.00   8.00   6.00
=============================+======+==================================
Total Virtual Devices CPU Usage       72     71     74     70     70

As shown above, VS1 consumes 5 times more resources than the other VSs.
b) On the management server, run vsx_util vsls
c) Enter 4 to select Manually set priority and weight.
d) Enter m to select [m]anually - update single Virtual System weight and priority.
e) Modify the default weight as you want.
[Expert@P1]# vsx_util vsls
******************************************************************************************
* Note: the operation you are about to perform changes the information in the management *
* database. Back up the database before continuing.                                      *
******************************************************************************************
Enter SmartCenter Server/main CMA IP address (Hit 'ENTER' for 'localhost'): 1.1.1.21
Enter Administrator Name: admin
Enter Administrator Password:
Enter VSX cluster object name: Cluster-VSX
VS Load Sharing - Menu
1. Display current VS Load sharing configuration
2. Distribute all Virtual Systems so that each cluster member is equally loaded
3. Set all VSes active on one member
4. Manually set priority and weight
5. Import configuration from a file
6. Export configuration to a file
7. Exit
Enter redistribution option (1-7) [1]: 4
Update Virtual System VSLS parameter can be done using one of the following methods:
[m]anually - update single Virtual System weight and priority
[a]utomatic - iterate each and every Virtual System and update their weight
Please select update method (m|a) [m]:m
Enter the virtual system name: VS1
Would you like to change the virtual system's priority list? (y|n) [y]: n
Would you like to change the virtual system's weight? (y|n) [n]: y
VS1 (1-100) [10]: 50
Do you wish to configure another Virtual System (y|n) [n] :n
Policy installation is required to apply the configuration. Make sure the cluster
members are up and reachable before continuing.
Save & apply configuration ? (y|n) [y]:y
In this output, the VS1 weight is modified. However, this VS is still on the same member, as the
redistribution is not yet performed:
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
ID     | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
1      | 0     | Active    | Active    | Active
2      | 50    | Active    | Standby   | Backup
3      | 10    | Backup    | Active    | Standby
4      | 10    | Standby   | Backup    | Active
5      | 10    | Active    | Backup    | Standby
6      | 10    | Standby   | Active    | Backup
Active         | 3         | 3         | 2
Weight         | 60        | 20        | 10
Weight (%)     | 66        | 22        | 12

The total Weight percentage for this gateway is now 66%, and there are still 2 VSs on it.
2. To redistribute all VSs on the cluster members based on the new VSs weight:
a) Run: vsx_util vsls
b) Enter 2 to select Distribute all Virtual Systems so that each cluster member is equally loaded.
As shown in this output, only one VS is on the first member now. The redistribution is more equal than
before:
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
ID     | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
1      | 0     | Active    | Active    | Active
2      | 50    | Active    | Standby   | Backup
3      | 10    | Backup    | Active    | Standby
4      | 10    | Backup    | Standby   | Active
5      | 10    | Backup    | Active    | Standby
6      | 10    | Backup    | Standby   | Active
Active         | 2         | 3         | 3
Weight         | 50        | 20        | 20
Weight (%)     | 55        | 22        | 23

For example, if the amount of traffic of VS3 (ID=4) on VSX3 increases, follow the same procedure as
described before to determine the appropriate weight and redistribute the VSs. This is the output:
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
ID     | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
-------+-------+-----------+-----------+----------
1      | 0     | Active    | Active    | Active
2      | 50    | Active    | Standby   | Backup
3      | 10    | Standby   | Backup    | Active
4      | 50    | Backup    | Active    | Standby
5      | 10    | Backup    | Standby   | Active
6      | 10    | Standby   | Backup    | Active
---------------+-----------+-----------+----------
Active         | 2         | 2         | 4
Weight         | 50        | 50        | 30
Weight (%)     | 38        | 38        | 24
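
The weighting and redistribution steps above, as an added Python example (not part of the original guide, and not the algorithm vsx_util uses internally). It assumes weights are scaled from CPU usage so that the median VS keeps the default weight of 10, and that placement is a greedy heaviest-first heuristic; the function names, the CPU figures and the co-location groups are constructed for illustration.

```python
from statistics import median

DEFAULT_WEIGHT = 10               # default VS weight stated in the guide
WEIGHT_MIN, WEIGHT_MAX = 1, 100   # range offered by the vsx_util vsls weight prompt

# Constructed sample: CPU % per VS, modelled on the vsx resctrl stat output above.
CPU_PCT = {"VS1": 40.0, "VS2": 8.0, "VS3": 8.0, "VS4": 8.0, "VS5": 8.0}
MEMBERS = ["VSX1", "VSX2", "VSX3"]


def propose_weights(cpu_pct):
    """Assumed scaling rule: the median VS keeps the default weight and the
    others scale linearly with their CPU usage, clamped to the valid range."""
    base = median(cpu_pct.values())
    if base <= 0:
        return {vs: DEFAULT_WEIGHT for vs in cpu_pct}
    weights = {}
    for vs, cpu in cpu_pct.items():
        scaled = int(DEFAULT_WEIGHT * cpu / base + 0.5)   # round half up
        weights[vs] = max(WEIGHT_MIN, min(WEIGHT_MAX, scaled))
    return weights


def distribute(weights, members, colocate=()):
    """Greedy heuristic: place the heaviest unit first on the least-loaded member.

    `colocate` holds groups of VSs with heavy inter-VS traffic; each group is
    placed as one unit so that traffic never crosses the external switch."""
    grouped = {vs for group in colocate for vs in group}
    units = [tuple(group) for group in colocate]
    units += [(vs,) for vs in weights if vs not in grouped]
    units.sort(key=lambda unit: (-sum(weights[vs] for vs in unit), unit))

    load = {member: 0 for member in members}
    placement = {}
    for unit in units:
        target = min(members, key=lambda member: load[member])  # tie: first listed
        for vs in unit:
            placement[vs] = target
            load[target] += weights[vs]
    return placement, load


def weight_share(load):
    """Per-member share of the total active weight, in percent."""
    total = sum(load.values())
    if total == 0:
        return {member: 0.0 for member in load}
    return {member: round(100 * w / total, 1) for member, w in load.items()}


if __name__ == "__main__":
    weights = propose_weights(CPU_PCT)
    placement, load = distribute(weights, MEMBERS)
    print("weights:", weights)
    print("by load only:", load, weight_share(load))

    # Constructed case: VS1 and VS2 are both heavy and mostly talk to each other.
    heavy = dict(weights, VS2=50)
    _, split = distribute(heavy, MEMBERS)
    _, together = distribute(heavy, MEMBERS, colocate=[("VS1", "VS2")])
    print("split:", split, "co-located:", together)
```

On the sample figures the heuristic yields active weights of 50, 20 and 20, the same split as the redistributed cluster shown earlier. Co-locating two heavy VSs puts their combined weight on one member, so confirm that this member and its standby can carry it.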
