Creating a Cluster managed by Smart-1 Cloud

Abbas_Khumanpur · ‎2020-07-11

Hi All,

If you are using Smart-Cloud to manage your Security Gateways and are looking to deploy a Cluster - You will need to do this using the ADD EXISTING GATEWAY option.

When you provision/add a new gateway from Smart Cloud, this will create the Gateway Object within Smart Console. Now if these gateways need to be part of a cluster, then you will have to add them using the ADD EXISTING GATEWAY option.

Login into Smart Console (connecting to your management Instance in Smart Cloud).
Create a New Cluster
Give it a Name and IP Address
Then under Cluster members --> Add --> SELECT Add existing Gateway.

Additionally the topology will now have the maas_tunnel interface also detected as part of the GET INTERFACES with TOPOLOGY.

I had my interface topology configured as below to work successfully.

Hope this is helpful.

Tomer_Noy · ‎2020-07-11

Thank you for sharing this. This is indeed the way to do it today in Smart-1 Cloud.

Since Cluster is a very common deployment, I also wanted to share that we are working on a simpler way to do this, which will be similar to the way you connect a regular gateway.

This will be rolled out automatically for Smart-1 Cloud users.

BenMorris · ‎2021-01-13

When will this new deployment be ready?

KonstantinosT · ‎2020-12-10

Hello Abbas,

Thanks for sharing this, as I'm trying to setup my first cluster in Smart-1 Cloud.

I successfully connected the gateways and establish communication with Management Server with SIC Trust, and so far I have the maas_tunnel, inside, outside and sync interfaces for each GW. However when I try to setup a cluster following the wizard / or even classic mode as you suggest above, can you please advise what IP do we configure as a Cluster VIP IPv4 address ?

I also read the documentation, but all it says is not to use an IP from 100.64.x.x network. Still I don't figure out what IP I should use as a Cluster VIP.

Our deployment is in R80.40

Thanks for your help in advance,

Konstantinos

Anat_Eytan-Davi · ‎2020-12-12

Hello Konstantinos,

The gateways get the automatic IP when establishing the maas tunnel, for the Cluster itself, you should provide your own virtual IP. Similar when connecting a cluster to an on-prem management, nothing special here for Smart-1 Cloud.

If you still have some challenges, please let me (@Anat_Eytan-Davi) or @Amiad_Stern know and we will be happy to assist,

BR,

Anat.

KonstantinosT · ‎2020-12-16

Hello Anat,

Thanks for your explanation. I understood that once you connect the GWs to the smart-1 Cloud, those get their 100.64.x.x/32 IPs ( MaaS tunnel IP). For the cluster VIP, I figured I could use the VIP of the inside interface ( cluster ).

Once the cluster was setup, in the Network Topology, the Inside / Outside / Sync interfaces, would be appear as it should. Nevertheless, there would be 2 entries, each for a different GW, where there would be the maas tunnel /32 IP.

I’m not sure if this is the expected outcome, to have in the Cluster Network Topology, different maas interface / per GW

Unfortunately, I cannot provide you with any screenshots, as finally we deployed the Management Server on premise ( VM-Open Server).

However, if there will be a case where I’ll need to setup a cluster on Smart-1 Cloud, I’ll return back to the same post.

Anyhow, thanks for your contribution and support on this case.

Kind Regards,

Konstantinos

Infinigate_Sup · ‎2020-12-13

Nice info!

Akira_Yagi · ‎2021-02-26

Hello,

I need to move an on prem cluster to the cloud, I imported the management with success but now it's not clear what to do with the gateways: I added my two gateways and they created their new maas_tunnel interfaces 100.64.x.x/32, but how can I define the vip for them?

Or is it not necessary?

The whole process is not explained anywhere, do I have to add rules for the 100.64.x.x IPs?

Can you helping me in the steps to migrate my on premise cluster to be managed from the SMS Cloud?

Thanks

Anat_Eytan-Davi · ‎2021-02-27

Hi,

You can create a new Cluster object, or use an existing Cluster object.

The Cluster Virtual IP is not automatically given by the system, and you need to assign one.

Make sure not to give an IP address from this subnet: 100.64.x.x

Next phase is to navigate to Cluster Members > click Add > click Add Existing Gateway > select the Security Gateway object.

You need to allow the communication between the Security Gateway and the service:

HTTPS (TCP 443) to your domain at Smart-1 Cloud:

<Service-Identifier>.maas.checkpoint.com
For Smart-1 Cloud deployments in Europe:

cloudinfra-gw.portal.checkpoint.com
For Smart-1 Cloud deployments in the United States:

cloudinfra-gw-us.portal.checkpoint.com

I do recommend to check the admin guide, especially the section for advanced configuration: Smart-1 Cloud Advanced Configuration (checkpoint.com)

Please feel free to reach out if the process is still unclear or for any additional question to me (anate@checkpoint.com) or to maas@checkpoint.com

Anat.

Dan_Cannon · ‎2021-05-28

I'm seeing some differences in the information here when setting up a new Azure R81 IaaS cluster connected to MaaS.

The mass_tunnel interfaces are 100.100.0.*/32 while the management service is on 10.64.0.* This is causing traffic to head out the external interface. For the primary member this is not an issue, but the secondary keeps disconnecting when the policy is applied. Looking at the connection it is hiding behind the cluster VIP which we don't want it to do. I have tried sk34180 as a workaround/fix for this, but to no avail, as it keeps reverting to hiding the standby's traffic via the VIP.....

But should the traffic for the management service go via the MaaS tunnel?

Garbo

Hello,

What is the best practice to overcome the Standby cluster member can communicate via the MaaS Tunnel?

Thank you!

Are you a member of CheckMates?

Creating a Cluster managed by Smart-1 Cloud