Hi Val,

thanks for the quick response but it doesn't answer my question yet. I fully agree with your approach w.r.t. the first time wizard, but I meant to enquire about the setup in SmartConsole and only after the FTW has completed and whether or not to tick the ClusterXL tickbox and what difference it makes:

You can configure VRRP as the clustering protocol either way, with or without ClusterXL tickbox enabled.

Thanks

Albert

I fail to understand what you are asking.

If you set up VRRP, you should use VRRP for clustering in SmartConsole, exactly as it is shown in your screenshots. There is nothing else to do. You only set up your cluster to ClusterXL if you set it up as such through FTW on each of the GWs.

... yet the SK (see the screenshot from my first post) explicitly states that you have to enable the ClusterXL tickbox when using VRRP wheras you seem to indicate you shouldn't choose ClusterXL anywhere unless I am misunderstanding you?

I think the difference is in the OS used.

If you are using some old systems with IPSO or XOS (Crossbeam), than 3rd Party Clustering (ClusterXL disabled) will be correct.

But if you are using Gaia with VRRP, you should enable it as stated in the documentation.

Hi Norbert, thanks for chiming in:

I would have intuitively agreed with you and @_Val_ Val who also suggests that CXL is adding functionality for session sync, but session sync works even after I removed the CXL from the GW properties, I'll explain more in my post to Val below, as it matches both your and Val's statements. I would also fully see why an unusual OS choice could impact the choice of whether or not to tick CXL.

hmm, you've indeed pointed me to somthing I didn't see before and maybe the clue is indeed in the OS: when CXL tickbox is DISABLED, it specifically says Check Point IPSO VRRP. This clouds everything for me even more...

• Not sure if you agree but shouldn't this trigger a verification warning when your (as per the "IPSO" label) OS-specific clustering mechanism doesn't match the selected OS (which is Gaia)?
• The policy installation worked and VRRP seemed to work fine - what's the IPSO-specific part of it at all?

These questions are not meant to criticise your post, quite the opposite. They are meant as a challenge for the community as I really can't get my head around whether this is just highly unintuitve and results in identical behaviour, or whether one is a "bad" or at least "functionally different" configuration that CP just doesn't alert you to, even if incompatible to your device.

Uh, finally got the source of confusion.

That is the step you are asking about, right?

So, for sync to work, you need to enable ClusterXL kernel module of your FW. It is being done for a cluster object at the General Properties tab.

As I have mentioned before ClusterXL is still required for FW, but not for OS to form a cluster with VRRP.

Personally, I do not see any reason other than habit, to use VRRP and not full ClusterXL solution. But the final decision is up to you.

Yep, that ClusterXL exactly the tickbox that changes the menu and both with and without having it ticked your failover mechanism can be VRRP. Now the question for me is whether the CXL tickbox choice will make any functional difference at all.

As stated in my initial post:

Initially I was suspicious whether VRRP without CXL would potentially not do session sync but testing this revealed that CCP packets are going across the sync link which seem to transfer the traffic tables between cluster members.

To explain the background of this whole post better, it's based on my customer's (I work at a reseller) question who used to have his old VRRP cluster with CXL ticked and now found that the cluster was migrated to a different CP object that had CXL unticked, so he asked me about which one is correct and whether there is any difference in functionality. There is no current issue, just headscratching on all sides.

So I did the following:

1. created my R80.40 lab cluster as VRRP, played around somewhat
2. then ticked CXL (but left the clustering mechanism as VRRP in the pane labled "ClusterXL and VRRP")
3. disabled the CXL tickbox again,
4. pushed policy

...only to find out that session sync STILL worked to my surprise (as verified with fw tab -t connections -u -f). I rebooted but it didn't change, session sync and the typical 8116/udp CCP packets were still happening on the sync link. Maybe I tainted my cluster by enabling CXL and disabling doesn't really work? If you agree that this is the only explanation why CCP packets are on the sync link even after disabling CXL, I'll be testing this again in 10days after some days off again with a fresh cluster that NEVER had CXL enabled (i.e. "3rd party configuration") to see whether it will already sync sessions, contrary to what I think is everybody's expectations unless there is any other suggestions.

I admire your curiosity. 

I suspect the checkbox in question is related to some legacy settings. Once upon a time, we have supported many different platforms and OSs, and things on Gaia might be more fool-proof than on third party. Anyhow, please stick to the book to be on the safe side. 

You say stick to the book... That's exactly the problem: The VRRP On Gaia sk92061 and the admin guide provide opposite configuration instructions as per my initial post. I have commented to the documentation team using the SK comment field as follows:

This SK states "If 'ClusterXL' checkbox is cleared, then select it."
In contrast,
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ClusterXL_AdminGuide/html_fr... states that you should clear the tickbox.
"To work with VRRP on Gaia cluster, clear ClusterXL.
Go to VRRP pane and configure the applicable settings."

I have tried the community forum to find out what this tickbox does (is it only opening/changing the SmartConsole menu or actually changing the behaviour of the firewall?) and why the configuration instructions contradict each other. Could you provide guidance on these two questions?

https://community.checkpoint.com/t5/General-Topics/interaction-between-VRRP-and-CXL-why-is-there-a-t...

I have to say, I respect your attention to the details, @Albert_Wilkes

You are right, there is a contradiction. The admin manual is incorrect, the SK is correct. When removing ClusterXL, you end up with IPSO VRRP. That is legacy and no longer support config.

I will take it with the relevant team to fix

Yes, a passage that explains the difference:

Hi Uri,

many thanks for clarifying this, it's good to get confirmation.

Given that from a functionality POV, my cluster seemed to have worked identically in terms of backup IPs and session sync whether the tickbox was enabled or not at least as far as my quick test went, therefore my questions remain:

Session sync already works, failover IPs are provided by VRRP, so what "other" functionality is put into action by just ticking the box and pushing policy?

To put it differently, does anything functionally change on the firewall by JUST ticking the box or does it initially only unlock other menus in SmartConsole - which then in turn allow you to configure things differently, e.g. disable session sync if you wanted to do so?

I hope I am not overcomplicating things, it's just that the behaviour didn't change in a way that I could recognize between pushing policies with and without the CXL tickbox.

Cheers

Albert

Hi Albert

This is a good question, I don't know what the implication are but I don't think there are any. When testing this on an already configured ClusterXL running on Gaia (the ClusterXL checkbox was cleared and IPSO VRRP selected) I was not able to push the policy.

When this checkbox is clear - this means the underlying high availability protocol is either IPSO VRRP or an OPSEC high availability solution (e.g. F5) but like mentioned above policy installation failed so there are no implications.

When working with ClusterXL there shouldn't be any implications other than the way the HA protocol is implemented if using ClusterXL or VRRP

HTH,

Uri

In the R80.30 Dashboard, checking/unchecking the tickbox for ClusterXL changes the title of the configuration page from ClusterXL and VRRP to 3rd Party Configuration 8)...

One point out of my experience with VRRP in combination with the central deployment tool and this setting.

If you don't tick ClusterXL in the general Properties and then select VRRP under "ClusterXL and VRRP", CDT won't detect the cluster correctly as VRRP cluster and you can't update/upgrade the cluster automatically.

If everything is set as above, CDT will perform the upgrade on the backup member, fail-over and the upgrade the former active member.

Cheers

Markus

Hi Sergei,

thanks for the update,  but I find the section is still unchanged - or at least not changed to resolve the discrepancy with the SK. It reads...

To work with VRRP on Gaia cluster, clear ClusterXL.
Go to VRRP pane and configure the applicable settings.

Shouldn't it read:

• To work with ClusterXL or VRRP on Gaia, select ClusterXL.
  Go to ClusterXL or ClusterXL and VRRP pane and configure the applicable settings.
• To work with VRRP on IPSO or other 3rd party OPSEC cluster, clear ClusterXL.
  Go to VRRP pane and configure the applicable settings.

Cheers

Albert

The admin guide has now changed indeed and all looks good and consistent now:

Configure the desired cluster type:

• To work with ClusterXL or with VRRP on Gaia, select ClusterXL.

  Go to the ClusterXL and VRRP pane and configure the applicable settings.

• To work with any other cluster mode, clear ClusterXL.

  Go to the 3rd Party Configuration pane and configure the applicable settings.