HeikoAnkenbrand
Champion

R82 – Install ElasticXL Cluster

Overview


ElasticXL is a new cluster technology that enables simplified operation with a single management object with automatic configuration and software synchronisation between all cluster members.

ElasticXL is expected to be delivered with R82 or later versions. ElasticXL is based on similar technology to Maestro, but without MHOs. It is based on Check Point's SP versions for a scalable platform that allows you to increase the performance of the security gateways almost linearly.

I have tested it with the R82 EA version.

You can find more information about ElasticXL in this article:  R82 ElasticXL 

Install first ElasticXL gateway


1) Run the GAIA installation wizard on the appliance and select "ElasticXL" for clustering.
     If you want to use VSNext (replacement for the classic VSX), click the checkbox "Install as VSNext".

Elastic1_frferg.png

2) Assign a SIC one-time password.

Elastic2_frferg.png

3) After installation, you will find the ElasticXL Gateway under the "Cluster Management" menu item.

Elastic3_frferg.png

4) Create a new gateway object (not a ClusterXL object) in the SmartConsole.
5) Now establish a SIC connection to the ElasticXL gateway IP from the SmartDashboard.
6) Afterwards, install a policy on the gateway.

Add more ElasticXL gateways to the cluster.


1) Wire the next appliances via the switch infrastructure so that all sync interfaces are connected to the same network.
     Normally the ElasticXL sync interface is the eth1 interface.

2) Start the appliance and do not run the installation wizard.

3) Log in to the appliance via console cable or via LOM interface.  
    You are now in the gclish (global clish). Execute the following command:
    g> show cluster member info

Elastic4c_frferg.png

    Copy the "Request ID" to the clipboard or to a text file.

4) Open an SSH session to the previously installed appliance and add the appliance with the following command in the gclish:
     g> add cluster member method request-id identifier 5aac9e10de7cd0e34cdf7fa368076b37 site-id 1 format json

5) The appliance should be installed automatically after approx. 5 minutes.
     The access policy is automatically synchronised by the first ElasticXL gateway (SMO).

6) Both gateways should now be shown in the GAIA portal under site 1.

Elastic5_frferg.png    

7) Open an SSH session on the first gateway and check if the ElasticXL cluster is working.
    You can check this with the following command in the expert mode:
# asg monitor

Elastic6_frferg.png

➜ CCSM Elite, CCME, CCTE
(2)
33 Replies
PhoneBoy
Admin

Getting it to work in the lab and supported in production are two different things 🙂

R82 is still EA code and, from other information I've heard since posting, the ultimate "supported" status for this feature on VM is still under discussion.

0 Kudos
RamGuy239
Advisor

@PhoneBoy Seems like this has changed with the latest R82 EA build. When applying it to my production environment, I used a previous one after the EA team ran into an issue with the newest build. So, I decided to use the same for my home/LAB. I just tested with the latest build, and with this build, I didn't have to do anything regarding interface mapping on VMware ESXi. Network Adapter 1 becomes Mgmt and a part of the MAGG bonding group, and Network Adapter 2 becomes eth1-Sync and SYNC bonding group. All that needs to be done is to ensure these two network adapters are placed in the correct VLAN.

Everything is working great, and I'm enjoying the new ElasticXL experience!

We might be tempted to re-install our appliances in production to have them run ElasticXL instead of ClusterXL. I suppose this will be more valuable to the R82 EA experience. VSnext used a lot of RAM when I was testing on VMware, so I won't opt for that on our appliances as they only feature 8GB RAM.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
HeikoAnkenbrand
Champion

@RamGuy239 There is a hack with which you can currently use ElasticXL under VMware.

ElasticXL_5_645645645.png

But I don't want to write this in the public forum unless @_Val_ or @PhoneBoy  would agree that I can make this public.

Ask your local Check Point SE. He can certainly give you a tip.

➜ CCSM Elite, CCME, CCTE
0 Kudos
RamGuy239
Advisor

@HeikoAnkenbrand, You could always toss me some tips on PM. 🙂

I've asked my EA contact for details but haven't received any.

I'm not entirely sure what hacks/tips this might involve. Using the latest build, I don't seem to have any issues with simply using the ISO to install and activate ElasticXL and/or VSnext during the first-time wizard to get it all working.

The only issue I'm currently facing is having multiple gateways active in an ElasticXL group, which is causing traffic issues. But I don't think this is Check Point, ElasticXL, or R82 causing issues, and it seems like my Ubiquiti UniFi switches are having problems with VSLS. I had the same problem when running R81.20. I had to force it back to ClusterXL HA mode, running VSLS, and my networking would go all over the place when rebooting a member. Regular HA mode works just fine.

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos
