Technical data

Managing VSX Clusters
Check Point VSX Administration Guide NGX R67 | 124
To enable monitoring of all VLANs, enable the fwha_monitor_all_vlans property in
$FWDIR/boot/modules/fwkern.conf.
Note - Monitoring all VLANs is enabled automatically when the Per VLAN state option is enabled.
Enabling Dynamic Routing Protocols
ClusterXL supports Dynamic Routing (Unicast and Multicast) protocols as an integral part of the
SecurePlatform VSX installation. As the network infrastructure views the clustered gateway as a single
logical entity, failure of a cluster member will be transparent to the network infrastructure and will not result
in a ripple effect.
Components of the System
Virtual IP Integration
All cluster members use the cluster IP address.
Routing Table Synchronization
Routing information is synchronized among the cluster members using the Forwarding Information Base
(FIB) Manager process. This is done to prevent traffic interruption in case of failover, and to support VSLS.
The FIB Manager is responsible for the routing information.
Failure Recovery
Dynamic Routing on ClusterXL avoids creating a ripple effect upon failover by informing the neighboring
routers that the router has exited a maintenance mode. The neighboring routers then reestablish their
relationships to the cluster, without informing the other routers in the network. These restart protocols are
widely adopted by all major networking vendors.
The following table lists the RFCs and drafts that Check Point Dynamic Routing complies with:
Protocol                 RFC or Draft
OSPF LLS                 draft-ietf-ospf-lls-00
OSPF Graceful restart    RFC 3623
BGP Graceful restart     draft-ietf-idr-restart-08
Dynamic Routing in ClusterXL
The components listed above function "behind-the-scenes." When configuring Dynamic Routing on
ClusterXL, the routing protocols automatically relate to the cluster as they would to a single device.
When configuring the routing protocols for each cluster member, define each member identically, and use
the cluster IP address (not the member's physical IP address). In the case of OSPF, the router ID must be
defined and identical on each cluster member. When configuring OSPF restart, you must define the restart
type as signaled or graceful. For Cisco devices, use type signaled.
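An added example, not from the Check Point guide: a Python audit that checks the rules above (identical definitions, cluster IP instead of physical IP, identical OSPF router ID, restart type signaled or graceful) against a per-member summary. The dictionary layout, member names and addresses are constructed for illustration, and reading "For Cisco devices" as "when the OSPF neighbors are Cisco" is an assumption.

```python
import ipaddress

ALLOWED_RESTART = {"signaled", "graceful"}

def audit_ospf_cluster(cluster_ips, members, cisco_neighbors=False):
    """Return sorted findings; an empty list means the members are consistent."""
    cluster = {ipaddress.ip_address(ip) for ip in cluster_ips}
    findings = []
    # Rule 1: the router ID must be defined and identical on every member.
    ids = {m.get("router_id") for m in members.values()}
    if None in ids or "" in ids:
        findings.append("router ID is not defined on every member")
    if len(ids) > 1:
        findings.append(f"router ID differs between members: {sorted(map(str, ids))}")
    for name, m in members.items():
        physical = {ipaddress.ip_address(ip) for ip in m["physical_ips"]}
        # Rule 2: protocol definitions use the cluster IP, not the member's own address.
        for ip in m["ospf_ips"]:
            addr = ipaddress.ip_address(ip)
            if addr in physical:
                findings.append(f"{name}: OSPF uses physical address {addr}")
            elif addr not in cluster:
                findings.append(f"{name}: OSPF address {addr} is not a cluster IP")
        # Rule 3: restart type is signaled or graceful; signaled when peers are Cisco.
        restart = m.get("restart_type")
        if restart not in ALLOWED_RESTART:
            findings.append(f"{name}: restart type {restart!r} is not signaled or graceful")
        elif cisco_neighbors and restart != "signaled":
            findings.append(f"{name}: Cisco neighbors need restart type signaled")
    # Rule 4: every member carries the same routing definition.
    shapes = {(tuple(sorted(m["ospf_ips"])), m.get("restart_type")) for m in members.values()}
    if len(shapes) > 1:
        findings.append("members are not defined identically")
    return sorted(findings)

# Constructed sample data (documentation address ranges), not taken from the guide.
CLUSTER_IPS = ["192.0.2.1", "198.51.100.1"]
MEMBER_A = {"physical_ips": ["192.0.2.11", "198.51.100.11"], "router_id": "192.0.2.1",
            "ospf_ips": ["192.0.2.1", "198.51.100.1"], "restart_type": "signaled"}
GOOD = {"member_A": MEMBER_A, "member_B": dict(MEMBER_A, physical_ips=["192.0.2.12", "198.51.100.12"])}
# member_B drifted: its own address and router ID, and no restart type.
BAD = {"member_A": MEMBER_A,
       "member_B": {"physical_ips": ["192.0.2.12", "198.51.100.12"], "router_id": "192.0.2.12",
                    "ospf_ips": ["192.0.2.12", "198.51.100.1"], "restart_type": None}}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_ospf_cluster(CLUSTER_IPS, cfg, cisco_neighbors=True))
```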
Use the command line interface in SecurePlatform to configure each cluster member. The table below is an
example of the proper syntax for cluster member A.
Enabling OSPF on cluster member A