Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion
Jump to solution

R82 – Install ElasticXL Cluster

Overview


ElasticXL is a new cluster technology that enables simplified operation with a single management object with automatic configuration and software synchronisation between all cluster members.

ElasticXL is expected to be delivered with R82 or later versions. ElasticXL is based on similar technology to Maestro, but without MHOs. It is based on Check Point's SP versions for a scalable platform that allows you to increase the performance of the security gateways almost linearly.

I have tested it with the R82 EA version.

You can find more information about ElasticXL in this article:  R82 ElasticXL 

Install first ElasticXL gateway


1) Run the GAIA installation wizard on the appliance and select "ElasticXL" for clustering.
     If you want to use VSNext (replacement for the classic VSX), click the checkbox "Install as VSNext".

 Elastic1_frferg.png

 

 

 

 

 

 






2) Assign a SIC one-time password.

Elastic2_frferg.png

 

 

 

 

 

 

 

 

3) After installation, you will find the ElasticXL Gateway under the "Cluster Management" menu item.

Elastic3_frferg.png

 

 

 

 

 

 

 

 

4) Create a new gateway object (not CLusterXL object) in the SmartConsole.
5) Now establish a SIC connection to the ElasticXL gateway IP from the SmartDashboard.
6) Afterwards, install a policy on the gateway.

Add more ElasticXL gateways to the cluster.


1) Wire the next appliances via the switch infrastructure so that all sync interfaces are connected to same network.
     Normally the ElasticXl sync interface is the eth1 interface.

2) Start the appliance and do not run the installation wizard.

3) Log in to the appliance via console cable or via LOM interface.  
    You are now in the gclish (global clish). Execute the following command:
    g> show cluster member info

Elastic4c_frferg.png

 

 

 

 

  

    Copy the "Request ID" to the clipboard or to a text file.

4) Open a SSH session to the previously installed appliance and add the appliance with the following command in the gclish:
     g> add cluster member method request-id identifier 5aac9e10de7cd0e34cdf7fa368076b37 site-id 1 format json

5) The appliance should be installed automatically after approx. 5 minutes.
     The access policy is automatically synchronised by the first ElasticXL gateway (SMO).

6)  Both gateways should now be shown in the GAIA portal under the side 1.

Elastic5_frferg.png    

7) Open an SSH session on the first gateway and check if the ElasticXL cluster is working.
    You can check this with the following command in the expert mode:
# asg monitor

Elastic6_frferg.png

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(2)
47 Replies
PhoneBoy
Admin
Admin

Getting it to work in the lab and supported in production are two different things 🙂

R82 is still EA code and, from other information I've heard since posting, the ultimate "supported" status for this feature on VM is still under discussion.

0 Kudos
RamGuy239
Advisor
Advisor

@PhoneBoy Seems like this has changed with the latest R82 EA build. When applying it to my production environment, I used a previous one after the EA team ran into an issue with the newest build. So, I decided to use the same for my home/LAB. I just tested with the latest build, and with this build, I didn't have to do anything regarding interface mapping on VMware ESXi. Network Adapter 1 becomes Mgmt and a part of the MAGG bonding group, and Network Adapter 2 becomes eth1-Sync and SYNC bonding group. All that needs to be done is to ensure these two network adapters are placed in the correct VLAN.

Everything is working great, and I'm enjoying the new ElasticXL experience!

We might be tempted to re-install our appliances in production to have them run ElasticXL instead of ClusterXL. I suppose this will be more valuable to the R82 EA experience. VSnext used a lot of RAM when I was testing on VMware, so I won't opt for that on our appliances as they only feature 8GB RAM.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

@RamGuy239  There is a hack with which you can currently use ElasticXL under VMWare.

ElasticXL_5_645645645.png

But I don't want to write this in the public forum unless @_Val_ or @PhoneBoy  would agree that I can make this public.

Ask your local Check Point SE. He can certainly give you a tip.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
RamGuy239
Advisor
Advisor

@HeikoAnkenbrand, You could always toss me some tips on PM. 🙂

I've asked my EA contact for details but haven't received any.

I'm not entirely sure what hacks/tips this might involve. Using the latest build, I don't seem to have any issues with simply using the ISO to install and activate ElasticXL and/or VSnext during the first-time wizard to get it all working.

The only issue I'm currently facing is having multiple gateways active in an ElasticXL group, which is causing traffic issues. But I don't think this is Check Point, ElasticXL, or R82 causing issues, and it seems like my Ubiquiti UniFi switches are having problems with VSLS. I had the same problem when running R81.20. I had to force it back to ClusterXL HA mode, running VSLS, and my networking would go all over the place when rebooting a member. Regular HA mode works just fine.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
Jeff
Contributor

Will it be possible to add gateways via the GUI?

0 Kudos
Peter_Elmer
Employee
Employee

Hello @Jeff ,

in the current software - even before public EA - all ElasticXL functions are managed by Gaia WebUI, Gaia CLI or Gaia API. Adding a new node to an existing ElasticXL cluster is done by a single command or Gaia WebUI action: you cable the new appliance to the mgnt and sync network and power it on. Once R82 has started, the machine will use LLDP to advertise itself to existing ElasticXL nodes 'hey, I am new, you can join me to the cluster'

On the existing ElasticXL you then just run the 'add node' command. Then the new node is getting software JHFs, configuration and security policy.

On the SmartConsole you only need one regular gateway object. Using this object, all physical nodes forming the ElasticXL cluster are managed. It's the Single-Management-Object principle that applies here and make things so easy.

greetings

peter

 

0 Kudos
Jeff
Contributor

Thank you for detailed comment. I'd like to clarify, for adding a new node to ElasticXL cluster via GUI I should use "Action" button? I don't see any buttons to add nodes in GUI in the screenshot. The fact is that the solution taken from Maestro is a brilliant. But we often receive negative feedback from customers that the syntax of commands in CLI is not clear, and it is not convenient to use part of the functionality in the GUI and another part in the CLI. Recently, the customers prefer products with more clear and friendly interface without using the CLI. 

0 Kudos
Peter_Elmer
Employee
Employee

Hello @Jeff,

for CPX we ran a video and I share a screenshot here. You see a new member is pending and when you click on it, you can join the pending member to the existing or a new site.

ElasticXL_EA_Add_Member.GIF

Please stay tuned for more details as the development of R82 proceeds. 

best regards

peter 

Robert_Gilbert
Participant
Participant

Hi there,

Many thanks for this. Will mix-and-match of appliance models in a Security Group be supported in any capacity under ElasticXL, as it is for Maestro deployments to an extent (sk162373)?

0 Kudos
Peter_Elmer
Employee
Employee

Hello @Robert_Gilbert ,

by the time of CPX Vienna mix-and-match was not planned being supported on ElasticXL. By that time, it was seen as a Maestro specific capability. To my observation this is the case even now - the time of this writing 27-June-2024. 

Certainly you can contact your local Sales representative and raise a request for enhancement on the topic. RFE's are driving R&D plans and that's why all my comments here need to be seen in the context of the time they are made.

best regards

peter

 

0 Kudos
GigaYang
Contributor

Has anyone successfully set up ElasticXL in an ESXi environment? In my Lab, two Cluster members will take turns competing for  Active member.

 

0 Kudos
_Val_
Admin
Admin

As stated above, not supported

0 Kudos
(1)
GigaYang
Contributor

Hi Val,

Thanks for your kindly help.

0 Kudos
ShaiF
Employee
Employee

You can simplify adding the member by using hostname/serial-number method. This way you will not need any console access to the other member in order to get the request-id.

0 Kudos
the_rock
Legend
Legend

Will send what it gives me as soon as I reinstall, should be fast.

0 Kudos
Jeff
Contributor

Hello everyone. Where should we connect our networks? WAN, DMZ, LAN? I mean, without orchestrator. Another question, all gateways connect each other via switch (need some requirements, vlans) ?

0 Kudos
ShaiF
Employee
Employee

Hi Jeff,
Lab cabling is exactly the same as you connect regular ClusterXL.

you should connect all gateways with all cabling to external switches (aka , Mgmt, Sync, and data interfaces).
Regards,

Shai.

0 Kudos
Niels_van_Sluis
Contributor

Hi @HeikoAnkenbrand,

Thanks for sharing. Great stuff!

Step 3 and 4 don't seem to be necessary anymore. If you wire the appliance you want to add correctly, it will automatically  will appear in the GAiA portal as a pending gateway.

r82-pending-gateway.png

r82-pending-gateway2.png

This makes it a lot easier.

Have fun,

     --Niels

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events