10 April 2012
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=15061
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date
Description
4/10/2012
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Configure and Optimize
VSLS in VSX ).
Contents
Important Information
How To Configure and Optimize VSLS in VSX
Objective
Supported Versions
Supported Operating Systems
Supported Appliances
Before You Start
Related Documents and Assumed Knowledge
Impact on Environment and Warnings
Configuring VSLS in VSX
Optimizing VSLS Distribution
Index
Supported Versions
VSX gateway versions
VSX R65
VSX R67
Management server
Provider-1
Supported Operating Systems
SecurePlatform
IPSO
XOS
Supported Appliances
VSX-1
IP Appliances
Crossbeam
VSLS is used to distribute the load over multiple cluster members (currently there is a 13-member limit).
Keep in mind that in case of failover, the remaining member(s) should be able to sustain the load.
Each Virtual Switch must have a physical or VLAN interface that provides connectivity between cluster
members. Without a path between VSs, communication from one VS to another is broken. Even though
a synchronization link that connects the cluster members already exists, this network is not, and cannot
be, used to pass VS to VS traffic between cluster members.
Do not use the vsx_util redistribute_vsls command when the cluster is under heavy load. The
redistribution process consumes resources.
When a failover occurs, connections may be lost. VSLS supports zero connectivity down-time, but there
may be events, external to the VSLS cluster, which might cause loss of connection.
To Enable ClusterXL:
1. If ClusterXL was not activated during the first time wizard, run: cpconfig
2. When prompted to choose a configuration option, enter 6 to select Enable cluster membership for
this gateway. A line that says what is selected appears.
3. When asked if you are sure that is the configuration you want, make sure the line mentions Enable
cluster membership for this gateway. If it does, enter y to approve. If it mentions something else,
reselect.
4. When a line that says the configuration is enabled appears, run: reboot for the change to take effect.
[VSX2:0]# cpconfig
Configuration Options:
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Disable Check Point SecureXL
(8) Automatic start of Check Point Products
(9) Exit
Enter your choice (1-9) :6
Enable cluster membership for this gateway...
==============================================
You have selected to enable cluster membership for this
gateway.
Are you sure? (y/n) [y] ? y
Cluster membership for this gateway was enabled
successfully
How To Configure and Optimize VSLS in VSX
5. Make sure the Check Point Per Virtual System State cpconfig option is enabled on all cluster members,
and click OK.
6. Follow the wizard to finish the gateway definition. For further information, see NGX R67 VSX
Administration Guide
(http://dl3.checkpoint.com/paid/fb/CP_NGX_R67_VSX_AdminGuide.pdf?HashKey=1333356901_262d0f6dafd40477fddfe3fefa99099f&xtn=.pdf)
(Creating a New Cluster, page 93).
To Create VSs:
1. From the SmartDashboard tree view right click Check Point, and select VPN-1 Power VSX > Virtual
System. The Virtual System Wizard window opens.
2. In the Name field, enter the name. In the VSX Gateway/Cluster drop down list, select the VSX gateway
that hosts the Virtual System. If you want to create the Virtual System in the Bridge Mode, select the
Bridge Mode check box. If you want to be able to add additional interfaces, or modify the topology, or
other properties, select the Override Creation Template (Create Custom VS) check box, and click
Next.
3. Add/edit appropriate interfaces and routes, and click Next.
4. Click Finish to initiate the creation process.
5. Push Policy on the VSs.
For further information, see VSX NGX R67 Administration Guide
(http://dl3.checkpoint.com/paid/fb/CP_NGX_R67_VSX_AdminGuide.pdf?HashKey=1333356901_262d0f6dafd40477fddfe3fefa99099f&xtn=.pdf)
(Working with Virtual Systems, page 42).
In this case, it is better for VS 1 and VS 2 to reside on the same cluster member, even though they are the
most loaded VSs, to avoid the additional load caused by additional traffic through the external switch (in the
image below).
If the traffic is accelerated with SecureXL, the load is further reduced (sometimes to even less load than on
two single firewalls). A packet for an accelerated connection is directly forwarded between the inbound and
outbound interfaces. It does not even go through the VSs or the VSW.
Note - To make this work as in picture 2, a VSW is required, and each VS needs an
interface connected. Adjust the VSX configuration accordingly.
By default, all VSs are assigned a weight of 10 to distribute them equally on all VSX gateways.
This can be verified in two different ways:
OR
4.
5.
6.
7.
 ID    | Weight| VSX1      | VSX2      | VSX3
-------+-------+-----------+-----------+----------
 1     | 0     | Active    | Active    | Active
 2     | 10    | Standby   | Active    | Backup
 3     | 10    | Backup    | Active    | Standby
 4     | 10    | Standby   | Backup    | Active
 5     | 10    | Active    | Backup    | Standby
 6     | 10    | Standby   | Active    | Backup
---------------+-----------+-----------+----------
Active         | 2         | 4         | 2
Weight         | 10        | 30        | 10
Weight (%)     | 20        | 60        | 20
OR
Choose redistribution option 4 - Manually set priority and weight and redistribute manually, one by one,
all VSs.
OR
As shown above, VS1 consumes 5 times more resources than the other VSs.
b) On the management server, run: vsx_util vsls
c) Enter 4 to select Manually set priority and weight.
d) Enter m to select [m]anually - update single Virtual System weight and priority.
e) Modify the default weight as you want.
[Expert@P1]# vsx_util vsls
*********************************************************
*********************************
* Note: the operation you are about to perform changes
the information in the management *
* database. Back up the database before continuing. *
*********************************************************
*********************************
Enter SmartCenter Server/main CMA IP address (Hit 'ENTER'
for 'localhost'): 1.1.1.21
Enter Administrator Name: admin
Enter Administrator Password:
Enter VSX cluster object name: Cluster-VSX
VS Load Sharing - Menu
1. Display current VS Load sharing configuration
2. Distribute all Virtual Systems so that each cluster
member is equally loaded
3. Set all VSes active on one member
4. Manually set priority and weight
5. Import configuration from a file
6. Export configuration to a file
7. Exit
Enter redistribution option (1-7) [1]: 4
Update Virtual System VSLS parameter can be done using
one of the following methods:
[m]anually - update single Virtual System weight and
priority
[a]utomatic - iterate each and every Virtual System
and update their weight
Please select update method (m|a) [m]:m
Enter the virtual system name: VS1
Would you like to change the virtual system's priority
list? (y|n) [y]: n
Would you like to change the virtual system's weight?
(y|n) [n]: y
VS1 (1-100) [10]: 50
Do you wish to configure another Virtual System (y|n) [n]
:n
Policy installation is required to apply the
configuration. Make sure the cluster
members are up and reachable before continuing.
Save & apply configuration ? (y|n) [y]:y
In this output, the VS1 weight is modified. However, this VS is still on the same member, as the
redistribution is not yet performed:
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
 ID    | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
-------+-------+-----------+-----------+----------
 1     | 0     | Active    | Active    | Active
 2     | 50    | Active    | Standby   | Backup
 3     | 10    | Backup    | Active    | Standby
 4     | 10    | Standby   | Backup    | Active
 5     | 10    | Active    | Backup    | Standby
 6     | 10    | Standby   | Active    | Backup
---------------+-----------+-----------+----------
Active         | 3         | 3         | 2
Weight         | 60        | 20        | 10
Weight (%)     | 66        | 22        | 12
The total Weight percentage for this gateway is now 66%, and there are still 2 VSs on it.
2. To redistribute all VSs on the cluster members based on the new VSs weight:
a) Run: vsx_util vsls
b) Enter 2 to select Distribute all Virtual Systems so that each cluster member is equally loaded.
As shown in this output, only one VS is on the first member now. The redistribution is more equal than
before:
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
 ID    | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
-------+-------+-----------+-----------+----------
 1     | 0     | Active    | Active    | Active
 2     | 50    | Active    | Standby   | Backup
 3     | 10    | Backup    | Active    | Standby
 4     | 10    | Backup    | Standby   | Active
 5     | 10    | Backup    | Active    | Standby
 6     | 10    | Backup    | Standby   | Active
---------------+-----------+-----------+----------
Active         | 2         | 3         | 3
Weight         | 50        | 20        | 20
Weight (%)     | 55        | 22        | 23
For example, if the amount of traffic of VS3 (ID=4) on VSX3 increases, follow the same procedure as
described before to determine the appropriate weight and redistribute the VSs. This is the output:
Cluster name: Cluster-VSX
Virtual Devices Status on each Cluster Member
 ID    | Weight| VSX1      | VSX2      | VSX3
       |       | [local]   |           |
-------+-------+-----------+-----------+----------
 1     | 0     | Active    | Active    | Active
 2     | 50    | Active    | Standby   | Backup
 3     | 10    | Standby   | Backup    | Active
 4     | 50    | Backup    | Active    | Standby
 5     | 10    | Backup    | Standby   | Active
 6     | 10    | Standby   | Backup    | Active
---------------+-----------+-----------+----------
Active         | 2         | 2         | 4
Weight         | 50        | 50        | 30
Weight (%)     | 38        | 38        | 24
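The earlier warning that the remaining members must sustain the load after a failover can be checked against a distribution like the final output above. The following is an added example, not part of the original Check Point document: it recomputes each member's active weight from the rows of that output and then simulates the loss of each member in turn. It assumes that a failed member's Active VSs become active on the member listed as Standby; the function names are illustrative.

```python
# Added example (not from the original document): single-member failover
# check for a VSLS distribution. ROWS is copied from the final output above:
# VS ID | weight | state on VSX1 | state on VSX2 | state on VSX3.
MEMBERS = ["VSX1", "VSX2", "VSX3"]
ROWS = """\
1 | 0  | Active  | Active  | Active
2 | 50 | Active  | Standby | Backup
3 | 10 | Standby | Backup  | Active
4 | 50 | Backup  | Active  | Standby
5 | 10 | Backup  | Standby | Active
6 | 10 | Standby | Backup  | Active
"""

def parse(rows):
    """Return {vs_id: (weight, {member: state})} from pipe-separated rows."""
    table = {}
    for line in rows.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        table[int(cells[0])] = (int(cells[1]), dict(zip(MEMBERS, cells[2:])))
    return table

def load(table, failed=None):
    """Weight active on each surviving member.

    Assumption: when `failed` is set, every VS that was Active on it is
    served by the member that held it in Standby.
    """
    totals = {m: 0 for m in MEMBERS if m != failed}
    for weight, states in table.values():
        serving = "Standby" if states.get(failed) == "Active" else "Active"
        for member, state in states.items():
            if member != failed and state == serving:
                totals[member] += weight
    return totals

def worst_case(table):
    """For each single-member failure: (heaviest survivor, its weight)."""
    result = {}
    for failed in MEMBERS:
        totals = load(table, failed)
        heaviest = max(totals, key=totals.get)
        result[failed] = (heaviest, totals[heaviest])
    return result

if __name__ == "__main__":
    table = parse(ROWS)
    print("normal:", load(table))
    for failed, (member, weight) in worst_case(table).items():
        print(f"{failed} down -> {member} carries weight {weight}")
```

In this distribution the loss of VSX1 puts both weight-50 VSs on VSX2 (weight 100 of 130), so the Standby placement in each VS priority list matters as much as the Active placement when sizing members.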