198 Nokia Network Voyager for IPSO 4.0 Reference Guide
When you use the Check Point cpconfig program (at the command line or using Network Voyager), follow these guidelines:
- Install Check Point NGX as an enforcement module only on each node. Do not install Check Point NGX as a management server and enforcement module.
- After you choose to install Check Point NGX as an enforcement module, you are asked if you want to install a Check Point clustering product. The screen displays the following question:
  "Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ?"
  The default is no; be sure to enter yes.
- If you plan to use SecureXL, enable it when you are prompted to do so.
You then create and configure a gateway cluster object with the external VRRP IP address.
- Use the Check Point SmartDashboard application to create a gateway cluster object.
- Set the gateway cluster object address to the external VRRP IP address, that is, the VRRP IP address of the interface that faces the external network.
- Add a gateway object for each Nokia appliance to the gateway cluster object.
- In the General Properties dialog box for the gateway cluster object, do not check ClusterXL.
- Configure interfaces for each member of the VRRP cluster. Click the Topology tab for each VRRP cluster member and click Get.
- Configure interfaces for the VRRP cluster. Click the Topology tab for the gateway cluster object, and click Get.
- Enable state synchronization and configure interfaces for it.
Note
The firewall synchronization network should have a bandwidth of 100 Mbps or greater.
The interfaces that you configure for state synchronization should not be part of a VLAN or
have more than one IP address assigned to them.
When you finish configuring the gateway cluster object, you must also specify settings under the
3rd party configuration tab as described in the following procedure.
Configure settings under the 3rd party configuration tab
1. In the Specify Clustering Mode field, check High Availability.
2. From the Third-Party Solution drop-down list, select Nokia VRRP.
3. Check all the available check boxes.
4. Click OK to save your configuration changes.
Note
If you use different encryption accelerator cards in two appliances that are part of a VRRP
group or an IP cluster (such as the Nokia Encrypt Card in one appliance and the older Nokia
Encryption Accelerator Card in another appliance), you should select encryption/
authentication algorithms that are supported on both cards. If the encryption/authentication
algorithm is supported in the master and not supported by the backup and you also use NAT,