Re: cluster -High availability- testsetup

Hi,

It seems you are new to this stuff. Anyway, allow me to explain to you in brief how to build a cluster environment for a firewall.

What is a cluster (or in this case, a firewall cluster)?

A firewall or gateway cluster is a group of individual enforcement servers which share the same setup and configuration with each other. All these enforcement servers are connected to each other through a link called the synchronization link or “heartbeat”. This link enables all enforcement servers in a cluster to be “aware” of each other for any changes that occur. If any change or problem occurs in any enforcement at any time, the other enforcements will “react” to it and adjust themselves accordingly. These clusters are managed by one (or more) management servers, which are responsible for managing all individual enforcements in a cluster. Every log generated by these individual enforcements is forwarded to the management server. You can cluster the management servers (normally two) if you want redundancy and high availability similar to the firewall cluster.

SIC in a cluster

When you build a firewall cluster, you are required to set SIC on every enforcement/machine in the cluster in order for it to be managed by the management servers. You may use a different SIC for each individual enforcement/machine, but IMHO it is better to use the same SIC on every enforcement/machine. This SIC must be 'registered' in the management server in order to manage the enforcements/machines. For more information on SIC, please refer to the Check Point user guide which comes with the software purchase. If you have access to the Check Point User Center website, you may find plenty of information about SIC and the rest.

How many machines are required?

A minimum of two machines, but there are companies that have three to four machines in a cluster. Normally, you might see this in financial institutions, health organizations and so on.

How many network interfaces (NICs) per machine?

A minimum of two. If you have a few private LANs you wish to protect directly behind your machine, you may add a few network interfaces as you wish.

How does each enforcement/machine in a cluster communicate with the others?

Well, as explained earlier, all enforcements are connected to a 'heartbeat' through which all information, such as the firewall's operational state and so on, is shared among these enforcements. For example, if one of the enforcements/machines is unable to process the traffic due to high load, the rest of the enforcements will automatically take over some of the load from that enforcement and distribute it evenly across the cluster. For more information about H.A/Load balancing on Check Point firewalls, please consult the ClusterXL guide. ClusterXL is Check Point's own H.A/Load-balancing module. You may integrate with other 3rd party H.A/Load-balancing software such as Rainfinity RainWall or the StoneBeat cluster product.

VPN on a firewall cluster

You need a license for each enforcement/machine if you need a VPN. You need to configure this at the management server. For more info, consult the user guide.