| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Is there any limitation in the no. of firewalls in a cluster? I was told that the max. no. of firewalls in a cluster is 5 when running on Crossbeam X80. Is this a limitation on Checkpoint firewall? |
| |||
| After 5 members are in a cluster, the noise and effort of synchronisation traffic eliminates any performance benefits. I don't think it's a hard-coded limitation, but a pragmatic one based on performance. Why would you need a cluster of more than 5 members???? |
| |||
| I was told 8 months ago by a Checkpoint SE during a Checkpoint NGX R65 presentation that you can cluster up to either 16 nodes or 32 nodes with Checkpoint. Granted, most of the time, information provided by Checkpoint SEs is faulty. My 2c |
| |||
| I was told by another engineer that anything over 3 members in a cluster was not really worth it. I would think ClusterXL is going to take care of performance issues and all you will need a cluster for is redundancy. mike |
| |||
| I was one of those who really liked ClusterXL Active/Active and IPSO Clustering until I had to deploy it in a production environment. Let's say you cluster 5 firewalls together in Cluster Active/../../../Active mode. If there is a problem and you have to troubleshoot an issue, you have to run 5 tcpdumps. Ouch... Active/Active.../Active sounds good in theory, but in actual implementation, people need to understand the aspect of maintenance and support. |
| |||
| It really depends on your environment, but in general the practical limit is 4 nodes to a cluster before sync traffic starts to degrade performance. There is a lot that can be tuned to increase performance (like you really don't need to sync http in most cases), but a 4-node cluster still seems to be as far as you can go. Pre-R65 (I haven't checked R65 yet) the limit was 6 nodes. IIRC ClusterXL on VPN-1 (not VSX, which is very different) was QA'ed to 8 nodes. As cciesec2006 points out, think before you jump into the active/active... clustering vs just a simple HA design, as it is harder to debug. |