Wednesday, September 10, 2014

IMPLEMENTATION OF CLONING GROUP on Gaia R77

Cloning Groups
Supported OS and Versions: Gaia R77
Note: Gaia "Cloning Groups" are not supported on Security Gateways running in VSX mode.
A Cloning Group is a collection of Gaia gateways that synchronize their OS configuration and settings for a set of shared features, for example DNS or ARP. A configuration change on one member is automatically propagated to the other members. This is particularly useful with ClusterXL: if the ClusterXL members are also members of a Cloning Group, their static routes can be kept synchronized.
You can:
-->  Manually define an independent Cloning Group through the Gaia WebUI. To do this, use Manual mode. In manual mode, the administrator creates the Cloning Group and separately adds each member.
-->  Configure a ClusterXL cluster as a Gaia Cloning Group. To do this, use ClusterXL mode. All the ClusterXL members become members of the same Cloning Group. 
Note: A VRRP cluster has to be defined manually (Manual mode).
Important: Synchronization between members of a Cloning Group uses TCP port 1129, and the firewall must allow that traffic between the members. When the gateways belong to the same cluster object in SmartDashboard, an implied rule in the Rule Base allows this connection. When they do not belong to the same cluster object, the implied rule does not apply, so make sure there is an explicit rule that allows connections on TCP port 1129 between the members' synchronization addresses.


Configuring Cloning Groups – WebUI 
Cloning Groups are configured from the gateway WebUI.
1. Open the Gaia gateway WebUI.

2. In System Management > Cloning Group, click Start Cloning Group Creation Wizard.
   The Cloning Group Creation Wizard opens.

3. Select Create a new Cloning Group.
   The New Gaia Cloning Group window opens.
   > Enter a name for the Cloning Group.
   > Select an IP address for synchronizing settings between member gateways. Select an address on a secure internal network; the synchronization traffic on TCP 1129 should never cross an untrusted network.
   > Enter a password for the Cloning Group administration account (cadmin). This password is a secret shared by every member, so choose a strong one. It is necessary to:
     > manage the Cloning Group
     > add other gateways to the Cloning Group
     > encrypt traffic between members of the Cloning Group
    

4. In the Shared Features screen, select the features to clone to the other members of the group.
   Pay attention to which features you select: anything selected here is kept identical on every member, so a setting that must differ per member does not belong in the list.

5. Click Next to see the Wizard Summary, then click Finish.

6. Verify that the Cloning Group was created.

Join a Cloning Group

1. Open the Gaia WebUI of another gateway.
2. In System Management > Cloning Group, click Start Cloning Group Creation Wizard.
   The Cloning Group Wizard opens.
3. Select Join an existing Cloning Group.
4. The Join Existing Cloning Group window opens.
 >  Enter the IP address of a gateway that is already a member of the Cloning Group.
 >  Select an IP address for synchronizing the settings between gateways. Select an address on a secure internal network.
 >  Enter the password of the Cloning Group administration account (cadmin), the same password entered when the group was created.
5. Click Next to see the Wizard Summary, then click Finish.
6. Verify that the gateway has joined the Cloning Group.

Manage the Cloning Group
1. Sign in to the WebUI of any Cloning Group member (or the cluster VIP) using the cadmin account and password.

Important: There is no separate URL or IP address for the Cloning Group WebUI. Use the URL or IP address of a member gateway (or the VIP) and sign in as cadmin.

2. In System Management > Cloning Group, selecting features from the Shared Features list propagates their settings to all members of the group.

3. Shared features can then be edited and set for the whole group from the same cadmin session:

Editing and setting a shared feature
As an example, static routes are shared across all Cloning Group members:
1. Sign in to the WebUI of any Cloning Group member (or the VIP) using the cadmin account and password.
2. Configure the default gateway and any additional static routes:

3. Verify that both group members have the same entries. Sign in to each member's WebUI with the regular admin account and check the static route entries; all entries are present:
 a. On the first member:

 b. On the second member:


Note: All shared features are configured on the group members in the same way.
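The two things worth checking after the steps above are that the synchronization port is actually in use between the members and that a shared feature really did land on every member. The script below is an added example (not part of the original post and not Check Point code) that does both offline, from text captured on the members: `netstat -an` for the port state, and `clish -c "show configuration"` for the configuration, of which only the `set static-route ...` lines are compared. The member addresses 192.168.10.1/.2 and the sample dumps are constructed; the port number 1129 is the one the post names.

```shell
#!/bin/sh
# Added example (not from the original post, not Check Point code): offline sanity checks
# for a Gaia Cloning Group, run over text captured on the members with
#   netstat -an                      (sync port state)
#   clish -c "show configuration"    (we compare the "set static-route" lines, a shared feature)
# The sample dumps and the member addresses 192.168.10.1/.2 below are constructed.

SYNC_PORT=1129   # Cloning Group synchronization port from the post

# Return 0 if a netstat -an dump on stdin shows a LISTEN socket on the sync port.
sync_port_listening() {
    awk -v p="$SYNC_PORT" '
        $1 ~ /^tcp/ && $4 ~ (":" p "$") && $6 == "LISTEN" { found = 1 }
        END { exit !found }'
}

# Return 0 if the dump on stdin shows an ESTABLISHED sync session with the given peer,
# in either direction (we accepted its connection on 1129, or we connected to its 1129).
sync_session_established() {
    awk -v p="$SYNC_PORT" -v peer="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" &&
        (($4 ~ (":" p "$") && index($5, peer ":") == 1) || $5 == (peer ":" p)) { found = 1 }
        END { exit !found }'
}

# Print the "set static-route" lines present in file A but missing from file B.
# Return 1 if anything is missing (cloning did not propagate), 0 if B has all of A's routes.
routes_missing_on() {
    a="$1"; b="$2"
    tmp=$(mktemp)
    grep '^set static-route' "$b" > "$tmp" || true
    missing=$(grep '^set static-route' "$a" | grep -vxF -f "$tmp" || true)
    rm -f "$tmp"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed netstat -an excerpt from member A (192.168.10.1) after member B (192.168.10.2) joined.
NETSTAT_A='tcp        0      0 0.0.0.0:1129            0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.1:1129       192.168.10.2:43122      ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed static-route lines: B lacks one route that A has, i.e. cloning did not propagate it.
ROUTES_A='set static-route default nexthop gateway address 192.168.10.254 on
set static-route 10.20.0.0/16 nexthop gateway address 192.168.10.253 on
set static-route 172.16.5.0/24 nexthop gateway address 192.168.10.253 on'
ROUTES_B='set static-route default nexthop gateway address 192.168.10.254 on
set static-route 10.20.0.0/16 nexthop gateway address 192.168.10.253 on'

# Demo on the constructed data; on real members feed it the captured files instead.
printf '%s\n' "$NETSTAT_A" | sync_port_listening && echo "member A: sync port $SYNC_PORT listening"
printf '%s\n' "$NETSTAT_A" | sync_session_established 192.168.10.2 && echo "member A: sync session with 192.168.10.2 established"
ra=$(mktemp); rb=$(mktemp)
printf '%s\n' "$ROUTES_A" > "$ra"
printf '%s\n' "$ROUTES_B" > "$rb"
routes_missing_on "$ra" "$rb" || echo "WARNING: the routes above exist on A but not on B; check TCP $SYNC_PORT between the sync addresses and the cadmin session"
rm -f "$ra" "$rb"
```

On the constructed data the port checks pass and the route comparison reports the `172.16.5.0/24` route as missing on B, which is exactly the situation the "Important" note above produces when TCP 1129 is blocked between members that are not in the same cluster object.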

IPv6 Configuration on Splat Gateway and Windows Machine

  IPv6:

The Check Point architecture gives administrators a smooth and secure migration path to IPv6.
Many networks still use IPv4, and some applications cannot be upgraded to support IPv6.
For this reason, the Check Point IPv6 solution includes full support for legacy IPv4. In fact,
while IPv6 support is optional, you cannot disable IPv4 support.

The Check Point IPv6 solution uses a dual stack, supporting both IP versions by running
separate IPv4 and IPv6 stacks simultaneously. The dual-stack solution also uses two different
kernel drivers: one for IPv4 traffic and one for IPv6 traffic.


 Supported Check Point Features:

 Supported Platforms: Gaia, SecurePlatform and IPSO.

 Access Control Rules - IPv6 Hosts and IPv6 networks can be configured in Firewall Rule base.

 User defined ICMPv6 services.

 Anti-Spoofing.

  IPS protections:Port Scan,Aggressive Aging,Max Ping Size Limit,Small PMTU.

  Acceleration by SecureXL (SecurePlatform and Gaia only).

  ClusterXL High Availability (SecurePlatform and Gaia only).

  CoreXL (SecurePlatform and Gaia only).

  SmartView Tracker support with IPv6 filtering.



 IPv6 Specific Functionality:


  IPv6 extension headers can be allowed or blocked.

  IPv6 Fragmentation headers are fully inspected.

  6in4 tunnel traffic can be allowed or blocked.

  IPv6 traffic in 6in4 tunnels can be inspected (SecurePlatform and Gaia only).




 Non-Supported Features:


  IPS (except for protections shown above).

  **NAT.

  Application & URL Filtering.

  IPSec VPN (This feature was previously supported R70 IPv6Pack).

  Anti-Spam & Mail.

  Anti-Virus.

  DLP.

  QoS.



** NAT is not applicable here: the IPv6 design relies on end-to-end addressing without address translation, so the gateway performs no NAT for IPv6 traffic.



  IPv6 address configuration on the Gateway:


*******************************************************************************

1. Log in to SecurePlatform and enter expert mode.

2. Go to the /etc/rc.d/rc3.d directory and create a new start script named S11ipv6 (scripts in this directory whose names start with S are run at boot in runlevel 3):
# vi S11ipv6



3. Add the following lines to the S11ipv6 script, one "ip -6 addr add" line per interface that gets an IPv6 address (the value after the slash is the prefix length, e.g. 64, not a dotted subnet mask):
#!/bin/sh
# load the IPv6 kernel module, then assign one global address per interface
modprobe ipv6
/sbin/ip -6 addr add ipv6-address/prefix-length dev interface-name
/sbin/ip -6 addr add ipv6-address/prefix-length dev interface-name

Example:
#!/bin/sh
# load the IPv6 kernel module, then assign one global address per interface
modprobe ipv6
/sbin/ip -6 addr add 2001:1:1::1/64 dev eth0
/sbin/ip -6 addr add 2001:1:1:1::1/64 dev eth1

Note: One "ip -6 addr add" line is required for each interface that is configured with an IPv6 address. Running the script a second time prints "RTNETLINK answers: File exists" for addresses that are already present; that message is harmless.
-- Save the script.



4. Make the S11ipv6 script executable. Do not use chmod 777: a world-writable script under rc3.d runs as root at every boot, so any local user could replace its contents. Owner-only write with execute for all is enough:
# chmod 755 S11ipv6



5. Run the script once now so the addresses are applied without a reboot (rc3.d runs it automatically at the next boot):
# sh S11ipv6



6. Enable IPv6 support in the firewall by running:
# $FWDIR/scripts/fwipv6_enable on



7. Turn on IPv6 forwarding by running:
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Note: values written to /proc do not survive a reboot. To keep forwarding enabled after a restart, add this same line to the end of the S11ipv6 script.



8. Verify the IPv6 addresses using the command:
# ifconfig
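Eyeballing ifconfig output is fine for two interfaces, but it is easy to miss an address that failed to apply (a typo in one S11ipv6 line does not stop the others) or a forwarding flag that was lost at reboot. The script below is an added example (not part of the original post and not Check Point code) that checks steps 3 to 7 mechanically: it parses `ip -6 addr show` output against the interface/address pairs from the example script above and reads the forwarding sysctl. The interface names and addresses are the ones from the post's example; the sample dump is constructed and deliberately has eth1 without its global address.

```shell
#!/bin/sh
# Added example (not from the original post, not Check Point code): verify that the S11ipv6
# script and the forwarding step actually took effect. Parses "ip -6 addr show" output and
# reads the forwarding sysctl, so it runs on the gateway or offline on a saved dump.
# EXPECTED mirrors the post's example script; IP6_DUMP below is constructed.

EXPECTED='eth0 2001:1:1::1/64
eth1 2001:1:1:1::1/64'

# Return 0 if "ip -6 addr show" output on stdin carries the given address on the given interface.
# Header lines look like "2: eth0: <...>"; the interface name is remembered until the next header.
ipv6_addr_on_iface() {
    awk -v want_if="$1" -v want_addr="$2" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); sub(/@.*/, "", cur) }
        $1 == "inet6" && $2 == want_addr && cur == want_if { found = 1 }
        END { exit !found }'
}

# Check every EXPECTED pair against one saved dump file; print the missing ones, return 1 if any.
check_expected_addrs() {
    d="$1"
    missing=$(printf '%s\n' "$EXPECTED" | while read -r iface addr; do
        [ -n "$iface" ] || continue
        ipv6_addr_on_iface "$iface" "$addr" < "$d" || echo "MISSING $iface $addr"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Return 0 if the IPv6 forwarding sysctl (default: the file written in step 7) reads 1.
ipv6_forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv6/conf/all/forwarding}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return 0 if the kernel has an IPv6 stack at all (modprobe ipv6 succeeded or IPv6 is built in).
ipv6_stack_present() {
    [ -d "${1:-/proc/sys/net/ipv6}" ]
}

# Constructed dump: eth0 got its address, eth1 did not (for example a typo in its S11ipv6 line).
IP6_DUMP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:1:1::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::20c:29ff:fe12:3460/64 scope link
       valid_lft forever preferred_lft forever'

# Demo on the constructed dump. On the gateway, replace it with:  ip -6 addr show > /tmp/ip6.txt
dump=$(mktemp)
printf '%s\n' "$IP6_DUMP" > "$dump"
check_expected_addrs "$dump" || echo "some S11ipv6 addresses did not apply; re-run the script and read its errors"
rm -f "$dump"
ipv6_stack_present || echo "no IPv6 stack: modprobe ipv6 failed or the module is missing"
ipv6_forwarding_enabled && echo "forwarding: on" || echo "forwarding: off (step 7 not applied, or lost at reboot)"
```

Run it once right after step 7 and again after the next reboot: the second run is what catches a forwarding flag that was only set in /proc and never written into the start script.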





  IPv6 address configuration on a Windows Machine:


******************************************************************

  On Windows 7:

1. Go to Control Panel.
2. Open "Network and Sharing Center".
3. Click "Change adapter settings".
4. Double-click the adapter, open its Properties, select "Internet Protocol Version 6 (TCP/IPv6)" and click Properties.
5. Enter the IPv6 address, the prefix length and the IPv6 default gateway in the properties window, then click OK to save.



  On Windows XP:

1. Open a Command Prompt.
2. Install the IPv6 stack (Windows XP does not enable it by default) by running:
> ipv6 install



3. Assign the IPv6 address using:
> netsh interface ipv6 add address "Local Area Connection" <ipv6 address>



4. Add the default gateway (the gateway's IPv6 address is the next hop for ::/0):
> netsh interface ipv6 add route ::/0 "Local Area Connection" <gateway ipv6 address>



5. Verify the IPv6 address with:
> ipconfig




 Ping IPv6 Address:

  Ping test on the Windows machine, from a Command Prompt:

> ping <ipv6 address of another device>


  Ping test on SecurePlatform:

# ping6 <ipv6 address of another device>

Note: the command is ping6 (lower case). For a link-local target (fe80::/10) the outgoing interface must be given as well, for example with -I eth0, because link-local addresses are only unique per link.


