Thursday, December 9, 2010

Multicast Firewall Load Sharing on Checkpoint ClusterXL Firewalls with Cisco Devices

Configuring multicast load sharing on Checkpoint firewalls running ClusterXL, when the routers and switches on either side of the firewalls are Cisco devices, has always been something of a mystery. Checkpoint has support articles on how to configure it, but there is no straightforward guidance on their website or in their documentation, and what documentation there is points to older Cisco models. This techtorial gives a brief overview of the commands and procedure involved in getting multicast load sharing working.

Consider the simple network shown below:


You have three firewall enforcement points in a cluster whose internal and external VIPs (Virtual IP addresses) are as given. Traffic flows from the internal network via the internal router and switch to the firewall cluster and on to the external network. All three firewalls are supposed to receive the traffic, and any one of them will process it depending on the ClusterXL load sharing algorithm; the same happens for traffic in the opposite direction. At least in theory that is what is supposed to happen. But when Cisco devices are involved in the traffic path, Cisco routers will not forward a frame to a multicast MAC address if that is the MAC address they get back when sending an ARP request for the next hop. In the diagram shown above, the next hop for the Cisco router (going out to the internet) is the internal VIP of the firewall cluster. If the MAC address returned to the router in its ARP query is a multicast address, the router will not accept it, will not put it in the ARP table, and will not forward the frame. The same is true on the external side of the firewall, where the external VIP of the firewall cluster is the next hop for the Cisco router when traffic is coming back into the network.

The only way to resolve this issue is to configure static MAC address entries on the Cisco routers and switches and also to disable IGMP snooping on the VLANs to which the firewall cluster interfaces and the router interfaces are connected. So for the diagram shown above you would have to do the following:

  1. Configure the following command on the internal router:
    •  arp 192.168.20.2 0100.5e16.0de2 arpa
  2. Configure the following commands on the internal switch where the port numbers shown below are the port numbers to which your firewall interfaces are connected:
    • mac address-table static 0100.5e16.0de2 vlan 10 interface gi1/0/2 gi1/0/3 gi1/0/4
    • no ip igmp snooping vlan 10
  3. The multicast MAC address of the firewall cluster's internal VIP (shown above in the commands) is obtained by looking at the topology information of the cluster in the SmartDashboard, clicking on the edit option for the cluster IP and then clicking on the advanced button. That should show you the multicast MAC address. Checkpoint has an sk technote which shows a different way of getting the MAC address, using the cphaconf debug_data command on the command line. This DOES NOT work, as it gives you the wrong MAC address.
  4. The same configuration commands (with the correct IP and MAC for the external cluster) are performed on the external router pointing to the external VIP:
    •  arp 192.168.15.2 0100.5e16.0de3 arpa
  5. And the same configuration command on the external switch:
    • mac address-table static 0100.5e16.0de3 vlan 20 interface gi1/0/5 gi1/0/6 gi1/0/7
    • no ip igmp snooping vlan 20
The configurations above should get traffic flowing from the internal router to the external router via the firewall cluster, which is now doing multicast load sharing. The devices used in the above configurations are Cisco 3750 series switches, Cisco 7200 series routers and Dell servers running SecurePlatform and Checkpoint R71.
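Once the static entries are in place, the quickest way to confirm the work is to compare the router's ARP table and the switch's static MAC table against what was configured. The script below is an added example, not part of the original post or of any Checkpoint or Cisco tool: it parses constructed sample output modelled on the IOS commands "show ip arp", "show mac address-table static" and "show ip igmp snooping vlan 10" (the values mirror the commands in step 1 and step 2, but the output was not captured from the devices in the post), checks that the VIP resolves to the expected multicast MAC via a static ARP entry, that the switch pins that MAC to exactly the firewall ports, and that IGMP snooping is off on the VLAN. The column layout the regular expressions expect is an assumption about the show-command format.

```python
import re

# Constructed sample output, modelled on the IOS commands "show ip arp" (router),
# "show mac address-table static" and "show ip igmp snooping vlan 10" (switch).
# Not captured from the devices in the post; the VIP, MAC, VLAN and port values
# simply mirror the configuration commands given there.
ROUTER_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.20.1            -   0019.5611.aa01  ARPA   GigabitEthernet0/0
Internet  192.168.20.2            -   0100.5e16.0de2  ARPA   GigabitEthernet0/0
Internet  192.168.20.11           3   001c.7f11.2201  ARPA   GigabitEthernet0/0
"""

SWITCH_SHOW_MAC_STATIC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0100.5e16.0de2    STATIC      Gi1/0/2 Gi1/0/3 Gi1/0/4
"""

SWITCH_SHOW_IGMP_SNOOPING = """\
Vlan 10:
--------
IGMP snooping                       : Disabled
IGMPv2 immediate leave              : Disabled
"""


def is_multicast_mac(mac: str) -> bool:
    """A MAC is multicast when the I/G bit (least significant bit of the first
    octet) is set. Accepts Cisco dotted (0100.5e16.0de2) or colon notation."""
    first_octet = int(re.sub(r"[.:-]", "", mac)[:2], 16)
    return bool(first_octet & 0x01)


def parse_show_ip_arp(text: str) -> dict:
    """Map IP -> (mac, age) from 'show ip arp'; an age of '-' is a static entry."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+(\S+)\s+([0-9a-f.]{14})\s+ARPA", line)
        if m:
            entries[m.group(1)] = (m.group(3).lower(), m.group(2))
    return entries


def parse_show_mac_static(text: str) -> dict:
    """Map (vlan, mac) -> set of ports from 'show mac address-table static'."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-f.]{14})\s+STATIC\s+(.*)$", line)
        if m:
            table[(int(m.group(1)), m.group(2).lower())] = set(m.group(3).split())
    return table


def igmp_snooping_enabled(text: str) -> bool:
    """True when the 'IGMP snooping : ...' line of 'show ip igmp snooping vlan N'
    reports Enabled; missing line or Disabled both return False."""
    m = re.search(r"^IGMP snooping\s*:\s*(\w+)", text, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "enabled"


def check_vip_path(vip, expected_mac, vlan, fw_ports, arp_text, mac_text, igmp_text):
    """Return a list of findings; an empty list means the static entries match."""
    findings = []
    expected_mac = expected_mac.lower()
    if not is_multicast_mac(expected_mac):
        findings.append(f"{expected_mac} is a unicast MAC, not a ClusterXL multicast MAC")
    arp = parse_show_ip_arp(arp_text)
    if vip not in arp:
        findings.append(f"no ARP entry for {vip}: add 'arp {vip} {expected_mac} arpa'")
    else:
        mac, age = arp[vip]
        if mac != expected_mac:
            findings.append(f"ARP for {vip} is {mac}, expected {expected_mac}")
        if age != "-":
            findings.append(f"ARP entry for {vip} is dynamic, not the static entry")
    ports = parse_show_mac_static(mac_text).get((vlan, expected_mac))
    if ports is None:
        findings.append(f"no static MAC entry for {expected_mac} in vlan {vlan}")
    elif ports != set(fw_ports):
        findings.append(f"static entry covers {sorted(ports)}, expected {sorted(fw_ports)}")
    if igmp_snooping_enabled(igmp_text):
        findings.append(f"IGMP snooping still enabled on vlan {vlan}")
    return findings


if __name__ == "__main__":
    result = check_vip_path("192.168.20.2", "0100.5e16.0de2", 10,
                            ["Gi1/0/2", "Gi1/0/3", "Gi1/0/4"],
                            ROUTER_SHOW_IP_ARP, SWITCH_SHOW_MAC_STATIC,
                            SWITCH_SHOW_IGMP_SNOOPING)
    print("\n".join(result) if result else "internal VIP path looks correct")
```

The same function can be run a second time against the external router and switch output with the external VIP, MAC, VLAN 20 and ports from steps 4 and 5. Note that disabling IGMP snooping means every other multicast group on that VLAN is flooded to all ports in it, so keep the firewall-facing VLANs small.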

3 comments:

  1. Thanks for these scripts on multicast firewall settings. I can say that this hierarchy model suits the firewall structure.

  2. Really clean documentation, which I have not seen anywhere as clear as this.

  3. You can also obtain the multicast MAC address of each interface with "cphaprob igmp"
