Summary:

Step 1. Follow the normal ClusterXL Gaia R77.30 installation.

Step 2. Create a CMA in SmartDomain

Step 3. Create a regular cluster object in CMA

Step 4. Convert the gateway cluster to VSX cluster

Step 5. Create Virtual System (aka virtual firewall)

Knowledge:

A Virtual Router is needed when traffic must be routed among Virtual Systems.

A Virtual Switch is needed when two or more Virtual Systems share one physical interface.

Details:

 

Step 1. Follow the normal ClusterXL Gaia R77.30 installation.

  • Make sure your hardware is compatible with VSX

  • Make sure you have a valid VSX license  

  • In the First Time Configuration Wizard (Web UI), install only the Security Gateway package, not Security Management (distributed deployment)

  • Configure all interfaces, including bond(s), and the default route

    • I prefer to use the Web UI for this; once you convert the gateway to VSX, you will lose Web UI access

  • In clish, make sure "set management interface Mgmt" is in place.

    • Without this, "ifconfig Mgmt" may show eth1's IP even though you hard-coded the correct IP on Mgmt.

  • If you ever need to change this after VSX is already configured, run the following first:

        -clish

        -set virtual-system 0

        -set vsx off ## Be sure to run "set vsx on" when you are done, or you will see mismatched IPs

  • Install hotfixes

Step 2. Create a CMA in SmartDomain

  • Make sure the CMA's license supports enough managed gateways

  • Make sure these ports are open between the VSX gateways/Virtual Systems and the CMA: TCP 18181-18300, TCP/UDP 256-265, TCP 22

Step 3. Create a regular cluster object in CMA

 

  • Use ClusterXL

  • Push policy to the cluster members

  • Check the HA status (cphaprob state) before converting to a VSX cluster
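The HA check in the last bullet is easy to eyeball on two members but easy to skip in a script. The following is an added example (not part of the original notes) that parses the text of "cphaprob state" and only reports the pair as ready when exactly one member is Active and the rest are Standby. The two sample outputs are constructed in the R77 column layout; the exact wording on a real box may differ slightly, so adjust MEMBER_RE if it does.

```python
"""Parse 'cphaprob state' output and decide whether a ClusterXL HA pair
is healthy enough to convert to VSX.  Added example, not part of the
original notes; the sample outputs below are constructed."""
import re
from typing import Dict, Tuple

# One member line: "1 (local)  192.168.10.1    100%   Active"
MEMBER_RE = re.compile(
    r"^\s*(?P<num>\d+)(?P<local>\s*\(local\))?\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<load>\d+%)\s+(?P<state>\S.*?)\s*$"
)

# Constructed sample: the state you want to see before Step 4.
SAMPLE_HEALTHY = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  192.168.10.1    100%            Active
2          192.168.10.2    0%              Standby
"""

# Constructed sample: do not convert a cluster that looks like this.
SAMPLE_DEGRADED = """\
Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  192.168.10.1    100%            Active Attention
2          192.168.10.2    0%              Down
"""


def cluster_mode(text: str) -> str:
    """Return the text after 'Cluster Mode:' or '' if absent."""
    for line in text.splitlines():
        if line.startswith("Cluster Mode:"):
            return line.split(":", 1)[1].strip()
    return ""


def parse_cphaprob_state(text: str) -> Dict[int, dict]:
    """Map member number -> {local, address, load, state}."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members[int(m["num"])] = {
                "local": m["local"] is not None,
                "address": m["addr"],
                "load": m["load"],
                "state": m["state"],
            }
    return members


def ha_ready(text: str, expected_members: int = 2) -> Tuple[bool, str]:
    """True only for an HA cluster with one Active and all others Standby.
    'Active Attention', 'Down', 'Ready' or a missing member all fail."""
    members = parse_cphaprob_state(text)
    if len(members) != expected_members:
        return False, f"expected {expected_members} members, saw {len(members)}"
    mode = cluster_mode(text)
    if "High Availability" not in mode:
        return False, f"not an HA cluster: {mode!r}"
    states = [m["state"] for m in members.values()]
    if states.count("Active") != 1 or states.count("Standby") != expected_members - 1:
        detail = ", ".join(f"{n}={m['state']}" for n, m in sorted(members.items()))
        return False, "member states: " + detail
    return True, "one Active and all others Standby"


if __name__ == "__main__":
    # On a gateway: python3 this.py < <(cphaprob state)
    import sys
    ok, reason = ha_ready(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HEALTHY)
    print("READY" if ok else "NOT READY", "-", reason)
    sys.exit(0 if ok else 1)
```

The script exits non-zero when the pair is not clean, so it can gate the conversion step in a change script rather than relying on someone reading the output.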

Step 4. Convert the gateway cluster to VSX cluster 

Since I am not creating Virtual Switches this time, I am going to use the separate interfaces option.

  • Enable the trunk interface

Note:

Once you click OK, the VSX configuration is pushed to the VSX gateways automatically.

 

Possible Error:

===============================================================

Checking connection with VSX
Generating VSX Configuration for vxxx0000_VS on ABC002_Cluster.
Pushing VSX Configuration to ABC002_Cluster.
ABC002002: processed 33% of configuration...
ABC002001: processed 4% of configuration...
ABC002002: VSX configuration was applied successfully.
ABC002001 error :Route cannot be created  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Virtual System Processing Completed Successfully
Establishing Trust with - ABC002001_vxxx0000_VS ...
The certificate is not valid.
Failed to establish trust with ABC002001_vxxx0000_VS -

Initiating trust with Virtual System operation has finished with warnings.
         Make sure that all Virtual Systems/Routers are accessible from the management server,
         and that you have a valid license. Edit the failed object and click OK.
         If the problem persists contact Check Point Technical Support.

Operation has finished with warnings.

===============================================================

 

Solution:

=========================================

CP sk102274; mine was due to #2, Black Hole.

=========================================

Step 5. Create Virtual System (aka virtual firewall)

Possible Error:

===============================================================

Checking connection with VSX
Initializing SIC of - ABC002007_ABC002_VXXX0000 ...
SIC of ABC002007_ABC002_VXXX0000 has been initialized
Initializing SIC of - ABC002008_ABC002_VXXX0000 ...
SIC of ABC002008_ABC002_VXXX0000 has been initialized
Creating Virtual System...
Generating VSX Configuration for ABC002_VXXX0000 on ABC002_Cluster-SC.
Pushing VSX Configuration to ABC002_Cluster-SC.
ABC002007: processed 6% of configuration...
ABC002008: processed 6% of configuration...
ABC002008: VSX configuration was applied successfully.
ABC002007: VSX configuration was applied successfully.
Virtual System Processing Completed Successfully
Establishing Trust with - ABC002007_ABC002_VXXX0000 ...
The certificate is not valid.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Failed to establish trust with ABC002007_ABC002_VXXX0000 -
Establishing Trust with - ABC002008_ABC002_VXXX0000 ...
The certificate is not valid.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Failed to establish trust with ABC002008_ABC002_VXXX0000 -

Initiating trust with Virtual System operation has finished with warnings.
         Make sure that all Virtual Systems/Routers are accessible from the management server,
         and that you have a valid license. Edit the failed object and click OK.
         If the problem persists contact Check Point Technical Support.
Initiating trust with Virtual System operation has finished with warnings.
         Make sure that all Virtual Systems/Routers are accessible from the management server,
         and that you have a valid license. Edit the failed object and click OK.
         If the problem persists contact Check Point Technical Support.

Operation has finished with warnings.

===============================================================

 

Solution:

===========

CP sk97833; mine was due to port 18210 not being allowed between the VSX gateways and the CMA. I ran tcpdump on both the VSX gateways and the CMA; only the VSX gateways could see port 18210, not the CMA. I had to open the port for it.

===========

  • Add the interface (a VLAN off the bond), static routes, and the default gateway for your particular Virtual System

  • Push policy to the Virtual System
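Both trust failures above ended in port checks: the list in Step 2 (18181-18300, 256-265, 22) and the 18210 (FW1_ica_pull) case in the sk97833 note. The following is an added example, not part of the original notes, that probes those TCP ports from one side and separates "filtered" (nothing came back, which is what an intermediate firewall dropping the packet looks like) from "refused" (the host answered with a reset, so the path is fine and the service simply is not listening). The service names in KNOWN_SERVICES are the standard Check Point ones; the self-test in demo() uses a loopback listener that is constructed here so the script runs offline.

```python
"""Probe the TCP ports needed between a VSX gateway / Virtual System and
its CMA, and tell filtered from refused.  Added example, not part of the
original notes.  Run it from the gateway towards the CMA (and the other
way round) and compare with tcpdump on the far end."""
import errno
import socket
import sys
from typing import Dict, List

# Port list from Step 2 of the notes (TCP side only; 256-265 is also UDP).
CMA_PORT_SPEC = "256-265,18181-18300,22"

# Standard Check Point service names for the ports that matter most here.
KNOWN_SERVICES = {
    22: "ssh",
    256: "FW1 (policy install)",
    257: "FW1_log",
    18190: "CPMI",
    18191: "CPD (policy install, SIC)",
    18192: "CPD_amon",
    18210: "FW1_ica_pull (certificate pull)",
    18211: "FW1_ica_push (SIC initialization)",
    18264: "FW1_ica_services (CRL fetch)",
}

REFUSED_ERRNOS = {errno.ECONNREFUSED, 10061}  # Linux/BSD and Windows WSAECONNREFUSED


def parse_port_spec(spec: str) -> List[int]:
    """'256-265,22' -> [22, 256, ..., 265]; rejects nonsense ranges."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, hi = (int(x) for x in part.split("-", 1)) if "-" in part else (int(part),) * 2
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """'open' (SYN/ACK), 'refused' (RST: reachable, nothing listening) or
    'filtered' (timeout / unreachable: something in the path drops it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        err = s.connect_ex((host, port))
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()
    if err == 0:
        return "open"
    return "refused" if err in REFUSED_ERRNOS else "filtered"


def check_ports(host: str, spec: str = CMA_PORT_SPEC, timeout: float = 1.0) -> Dict[int, str]:
    return {p: probe_tcp(host, p, timeout) for p in parse_port_spec(spec)}


def blocked_ports(results: Dict[int, str]) -> List[int]:
    """Ports that never answered: look for these on the far side with
    tcpdump (e.g. 'tcpdump -ni any port 18210') to see where they die."""
    return sorted(p for p, state in results.items() if state == "filtered")


def describe(results: Dict[int, str]) -> str:
    return "\n".join(f"{p:>5}/tcp {state:<8} {KNOWN_SERVICES.get(p, '')}"
                     for p, state in sorted(results.items()))


def demo() -> Dict[str, str]:
    """Offline self-check against a constructed loopback listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        opened = probe_tcp("127.0.0.1", srv.getsockname()[1])
        tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tmp.bind(("127.0.0.1", 0))              # grab a free port, then
        closed_port = tmp.getsockname()[1]      # release it so nothing listens
        tmp.close()
        refused = probe_tcp("127.0.0.1", closed_port)
    finally:
        srv.close()
    return {"open": opened, "refused": refused}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: probe_cma.py <cma-ip> [port-spec]   (self-test:", demo(), ")")
        sys.exit(2)
    res = check_ports(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else CMA_PORT_SPEC)
    print(describe(res))
    print("filtered:", blocked_ports(res) or "none")
```

A "refused" result on 18210 from the CMA side is expected when the gateway is not in the middle of a certificate pull; a "filtered" result on the same port is the sk97833 situation and means the packet is being dropped before it reaches the listener, which is exactly what the tcpdump comparison above showed.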

 

External resource I found useful:

-Yu