CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I need a lot of advice about clustering. I will have 2 sites in the next six months, with a 1 gigabit link and 2 ISPs. I already have an IP380 with Check Point R60. The purpose is to use redundancy between sites with clustering of firewalls, but which redundancy: VRRP, Nokia clustering or ClusterXL? Nokia or SecurePlatform? And if it is possible, I want site 1 and LAN 1 to prefer to use FW1, and LAN 2 / site 2 to prefer to use FW2, and in case of use of the local firewall, can I use policy-based routing for both ISPs (Nokia) and for XL (load balancer)? Regards
Well, if you're looking for high performance, go with active/active clustering (aka load balancing); if high performance is not a huge issue, then VRRP is great for redundancy. And since you have a Nokia IP380 already, use the IPSO clustering or VRRP. If I had the choice of what platform to use, I would be using SPLAT on the M-series boxes from Check Point (aka Firefly). The performance/cost is hard to ignore.
Don't waste time with IPSO clustering. It is a PITA and can make troubleshooting difficult. VRRP is the way to go IMO.
I would have to say, in my limited experience, I have had the opposite results. I think IPSO clustering is the way to go; I had nothing but problems with VRRP and Check Point ClusterXL. Maybe our environment played a role in this? But I have been running IPSO clustering without a problem for a few months now, and it was very simple to implement and worked the first time. -pat13b
One problem with clustering, though, is troubleshooting. You have no way to know which box is going to pass what traffic. So you have to run captures on both...
I've extensive experience with Nokia VRRP and Check Point ClusterXL Active/Active on SPLAT, and limited experience with IPSO Clustering. Here are my thoughts: VRRP is very easy to configure and troubleshoot, even though simplified VRRP is full of bugs. With VRRP, traffic will go through one firewall, thus making troubleshooting much easier. ClusterXL Active/Active unicast mode is good when everything is going well. However, traffic will pass through both firewalls, and if you need to troubleshoot, you have to run tcpdump on both firewalls and then merge the tcpdump files. It is a pain in the ass to troubleshoot and manage. If I had to do it over again, I would NOT use ClusterXL Active/Active, only Active/Standby. IPSO Clustering presented the same problem as ClusterXL Active/Active; however, the problem is much worse here because the load-sharing is Nokia and the inspection is Check Point. There is potential for "finger-pointing" between Nokia and Check Point when things go wrong. For ease of troubleshooting and management, Active/Standby is the way to go. Do not let anyone tell you otherwise. Put them in an environment where they have to constantly troubleshoot issues in Active/Active mode. I can assure you that after that, no one will want to use Active/Active anywhere.
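The troubleshooting problem raised in the two posts above (in a load-sharing cluster you cannot tell which member handled a given packet, so you capture on both and merge the files) is shown here as an added example; it is not code from this thread, from Check Point or from Nokia. The script reads a classic pcap file from each cluster member, tags every frame with the member it was seen on, and interleaves the frames into one timeline by timestamp, so the analyst can see which box passed which packet. The member names fw1/fw2 and the frame contents are constructed sample data, and the `build_pcap` helper exists only to fabricate those inputs offline; on a real system you would pass the bytes of each member's tcpdump output file instead.

```python
import struct
from typing import Dict, Iterator, List, Tuple

# Classic pcap constants: microsecond-resolution magic number and the Ethernet link type.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes]        # (ts_sec, ts_usec, frame bytes)
Tagged = Tuple[int, int, str, bytes]   # same, plus the cluster member that captured it


def build_pcap(records: List[Record], snaplen: int = 65535) -> bytes:
    """Serialise records into a little-endian classic pcap blob (used here only to construct sample captures)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(blob: bytes) -> Iterator[Record]:
    """Walk a classic pcap file, honouring the byte order its magic number declares, yielding one record per frame."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # the same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    pos = 24
    while pos + 16 <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        frame = blob[pos + 16:pos + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % pos)
        pos += 16 + incl_len
        yield sec, usec, frame


def merge_member_captures(captures: Dict[str, bytes]) -> List[Tagged]:
    """Tag each member's frames with the member name and interleave all of them into one timeline by timestamp."""
    timeline: List[Tagged] = []
    for member, blob in captures.items():
        timeline.extend((sec, usec, member, frame) for sec, usec, frame in parse_pcap(blob))
    # list.sort is stable, so frames with identical timestamps keep the order the captures were given in
    timeline.sort(key=lambda r: (r[0], r[1]))
    return timeline


def packets_per_member(timeline: List[Tagged]) -> Dict[str, int]:
    """Count how many frames each member actually handled, which is exactly what a load-sharing cluster hides."""
    counts: Dict[str, int] = {}
    for _sec, _usec, member, _frame in timeline:
        counts[member] = counts.get(member, 0) + 1
    return counts


def merged_pcap(timeline: List[Tagged]) -> bytes:
    """Write the merged timeline back out as a single classic pcap for an ordinary packet analyser."""
    return build_pcap([(sec, usec, frame) for sec, usec, _member, frame in timeline])


if __name__ == "__main__":
    # Constructed sample captures: two cluster members that each saw part of one conversation.
    sample = {
        "fw1": build_pcap([(100, 500, b"SYN from client"), (100, 900, b"ACK from client")]),
        "fw2": build_pcap([(100, 700, b"SYN/ACK from server"), (101, 0, b"data from server")]),
    }
    merged = merge_member_captures(sample)
    for sec, usec, member, frame in merged:
        print("%d.%06d  %s  %r" % (sec, usec, member, frame))
    print(packets_per_member(merged))
```

The merge is only meaningful if both members' clocks agree, so confirm NTP is in sync on each member before trusting the interleaved order; a skew of even a few milliseconds will reorder the two halves of a handshake. The script also refuses pcapng input on purpose rather than guessing at its block format.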
cciesec2006, can you share some more info on what is buggy about the new Simplified VRRP? I am still using Legacy VRRP on my 530s, and have really had no intention of switching to Simplified, but I would be very interested in knowing what some of its issues are regardless.
Hi rokudan, at my previous job working for a Managed Security Service Provider (MSSP), an engineer working in product engineering spent eight months testing IPSO 4.1 build 16 and Check Point NGX R61 with HFA_01 prior to deploying for a lot of new and existing customers. I work in Network/Firewall Engineering, so I was responsible for supporting this beast. We rolled out NGX R61 w/ HFA-01 and IPSO 4.1 build 19 around March 2007. We decided to use simplified VRRP because it is much easier to configure than legacy VRRP.

I've run into numerous issues with simplified VRRP. The biggest issue with simplified is when you have to add a new VRRP and delete an existing VRRP: the firewalls just stop passing traffic for no reason at all. This has happened to at least 10+ customers that I know of. I was able to re-create this issue in my lab environment. It seemed like the only solution for this is to reboot the firewall, and even after that, sometimes it still does not work. You basically had to remove ALL simplified VRRP and reboot the firewall. When it comes back, recreate simplified VRRP, reboot the box one more time, then it works.

I escalated this case to Nokia Product Line Support (PLS). They WebEx'ed into my lab environment, saw the issue and confirmed that it is indeed an issue. I was told by them that the fix would be included in IPSO 4.1 build 22 and higher. When build 22 came out, I tried it. Not only did it not work, it introduced other problems that I cannot recall. When I left my job in June, it was still an issue and I know that nobody from my previous job followed up with it. I think the case was closed shortly after because no one followed up on it.

What I am saying is that, yes, simplified VRRP will make configuring VRRP much easier than legacy, but it comes with a cost: UNSTABLE SYSTEMS. Just be very careful when you use simplified VRRP. It is "simplified" for a reason. My 2c.
Thanks cciesec2006, that's definitely good info to have... I will be sticking with my nicely working Legacy VRRP... :)
Just my 2 cents... If you are not really familiar with VRRP, you can use Check Point ClusterXL (Active/Standby). This way, all troubleshooting is done on the Check Point; the hardware (Nokia) will only do what it's supposed to do, provide L3 support. This, IMHO, is an easier approach.
I have found that if you try and run ClusterXL with the Nokia rather than using Nokia VRRP or Nokia Clustering, the box just doesn't work properly and traffic fails to pass through the box.
Oh, wow, that's something new I have heard... I'm not doing Nokia so to speak... but what I said was as a rule of thumb.
"If you are not really familiar with VRRP, you can use Check Point ClusterXL (Active/Standby). This way, all troubleshooting is done on the Check Point; the hardware (Nokia) will only do what it's supposed to do, provide L3 support." This is the first time I've heard of it. Just about every place I work that uses Nokia uses VRRP or IPSO Clustering but NOT ClusterXL. I have heard stories similar to Mcnallym's.
Advantage of using Nokia VRRP:
- When you do "fw unloadlocal", at least your VRRP IP address does not go away. If you have to enable routing, you just need to do "ipsofwd admin on".
Disadvantage of using Nokia VRRP:
- When things are not working right, you could see the potential for "finger pointing" between Nokia and Check Point.
Advantage of using ClusterXL:
- If there are issues, Check Point is responsible for the whole thing. There is no finger-pointing. OK, maybe at the hardware.
Disadvantage of using ClusterXL:
- When you do "fw unloadlocal", the ClusterXL VIP disappears as well. The hosts behind the firewall can't go anywhere because there is NO default gateway. This is a problem if you have VPN devices sitting behind the firewall, not for NAT but for routing.