High Availability

Learning outcome

  • Configure two Check Point firewalls for High Availability

Diagram of your network

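Table of IP addresses

| Device Name | Cluster IP  | Primary/Secondary IP Address | Sync Address    |
|-------------|-------------|------------------------------|-----------------|
| Checkpoint1 | 192.168.1.1 | 192.168.1.2/24               | 10.231.149.1/24 |
| Checkpoint2 | 192.168.1.1 | 192.168.1.3/24               | 10.231.149.2/24 |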

Introduction

This lab document details the steps needed to establish a highly available firewall service with two Check Point devices. Each device is configured as either the primary or the secondary member, and we then initiate trust between the devices with secure internal communication to form a cluster. This configuration adds redundancy to our system, ensuring that critical services remain available. We will demonstrate that even if the primary firewall fails, the secondary becomes operational.

Steps

  1. Begin by wiring a connection from the workstation to the firewall. Then navigate to https://192.168.1.1:4434 to reach Check Point’s web portal and start the first-time configuration wizard. Complete this wizard on both firewalls participating in HA.

  2. Set an admin password that is secure but memorable.

  3. Set time settings.

  4. Provide a name for the appliance and, optionally, a domain name.

  5. Choose local management.

  6. Choose to configure the internet connection later.

  7. It is important to note that a cluster cannot be created when a switch or bridge is included in the network settings. We must uncheck the box labelled “Enable switch on LAN ports”, located on page 6 of the set-up wizard.

  8. Provide admin access to LAN and VPN.

  9. Check Point will ask for license activation; we will skip this for now by pressing “OK”.

  10. The final step of this wizard activates the selected software blades; we will use the default.

  11. Log into Check Point with the previously configured admin password.

  12. Navigate to Device on the left-hand side of the GUI and then to High Availability in the Advanced section, and start the “NEW CLUSTER WIZARD”.

  13. Configure Checkpoint1 as the primary member and Checkpoint2 as the secondary member.

  14. Establish trust between members using a shared password.

  15. Check “Enable High Available on Interface”, then finish so that the configuration is applied and the HA cluster is activated.

  16. The HA cluster is now active. The following screenshots demonstrate a successful forced failover from the primary to the secondary Check Point.
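As an added example (not part of the original lab and not Check Point tooling), the forced failover in the last step can be measured from the workstation by probing the cluster IP while the primary is taken down. It assumes the web portal on TCP 4434 keeps answering on the cluster IP 192.168.1.1 from the table; the function names and the sample timeline are constructed for illustration.

```python
import socket
import time

CLUSTER_IP = "192.168.1.1"  # cluster IP from the table of IP addresses
PORT = 4434                 # web portal port used in step 1 (assumed reachable on the cluster IP)


def probe(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def outages(samples):
    """Reduce [(timestamp, reachable), ...] to a list of (start, end, seconds).

    start is the first failed probe and end the first successful probe after it.
    An outage that is still open when sampling stops is reported with end=None.
    """
    result, down_since = [], None
    for ts, up in samples:
        if not up and down_since is None:
            down_since = ts                      # service just went away
        elif up and down_since is not None:
            result.append((down_since, ts, ts - down_since))
            down_since = None                    # a member is answering again
    if down_since is not None:
        result.append((down_since, None, None))  # never recovered: failover failed
    return result


def monitor(host, port, duration, interval=0.5):
    """Probe host:port for `duration` seconds and return timestamped samples."""
    samples, start = [], time.monotonic()
    while time.monotonic() - start < duration:
        samples.append((round(time.monotonic() - start, 2), probe(host, port)))
        time.sleep(interval)
    return samples


# Constructed timeline: the cluster IP stops answering at t=3.0 and is back at t=5.5.
SAMPLE = [(0.0, True), (1.0, True), (2.0, True), (3.0, False),
          (4.0, False), (5.0, False), (5.5, True), (6.5, True)]

if __name__ == "__main__":
    # Start this, then force the failover; each line is one service interruption.
    for start, end, secs in outages(monitor(CLUSTER_IP, PORT, duration=120)):
        print(f"down at {start}s, back at {end}s, outage {secs}s")
```

A reachable cluster IP only shows that some member is answering; confirm on the High Availability page which member is active. An outage reported with no end time means the secondary never took over during the sampling window.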


TEAM A: Kieren MacKay, Russell Quirap, Adrian Morris, Winston Luey, Austin Mark

TEAM B: Paul, Austin, Wesley, DA, Kaiden
