PDA

View Full Version : disaster recovery site



*tomo*
2010-04-16, 08:43
Hi,

Maybe someone can point me in right direction. Our customer have NGX R65 UTM cluster in load sharing mode. Now, they plan to build disaster recovery site. Are there some documents, guidelines about designing checkpoint for such environment. Distributed cluster came to my mind first, but how can I have two modules in load sharing acting as one part of HA cluster. Is this possible? What are alternatives?

belvdr
2010-04-16, 10:09
Hi,

Maybe someone can point me in right direction. Our customer have NGX R65 UTM cluster in load sharing mode. Now, they plan to build disaster recovery site. Are there some documents, guidelines about designing checkpoint for such environment. Distributed cluster came to my mind first, but how can I have two modules in load sharing acting as one part of HA cluster. Is this possible? What are alternatives?

If it's a hot site, then build a separate cluster with a separate connection. Then use dynamic routing on the inside to fail it over to the new cluster.

*tomo*
2010-04-19, 02:39
If it's a hot site, then build a separate cluster with a separate connection. Then use dynamic routing on the inside to fail it over to the new cluster.

Hmm, I can't say I understood you, do you maybe have some links, case studies, something?

northlandboy
2010-04-19, 03:06
Hmm, I can't say I understood you, do you maybe have some links, case studies, something?

What's been suggested is a reasonably standard sort of setup. Have a look at some standard networking books, or perhaps dig around on cisco.com. It's probably more of a generic network design question, rather than a Check Point-specific one.

You need to think carefully about exactly what you're trying to do. If you want disaster recovery, then it's easy enough to have a cluster at the secondary site, and use dynamic routing to failover. Connections will have to be re-established.

Of course, it's a far bigger topic than just Check Point failover. What services do you have? How are they going to failover? How are you going to synchronise data between sites (do you even need to?).

Or do you want to split your cluster between sites? Can be done, if the latency is low enough between sites, with high enough bandwidth. Again, depends on how the services are handled. No point having a load sharing cluster split across sites if all the services are at one site.

Stuff to think about anyway.

*tomo*
2010-04-19, 14:33
What's been suggested is a reasonably standard sort of setup. Have a look at some standard networking books, or perhaps dig around on cisco.com. It's probably more of a generic network design question, rather than a Check Point-specific one.

You need to think carefully about exactly what you're trying to do. If you want disaster recovery, then it's easy enough to have a cluster at the secondary site, and use dynamic routing to failover. Connections will have to be re-established.

Of course, it's a far bigger topic than just Check Point failover. What services do you have? How are they going to failover? How are you going to synchronise data between sites (do you even need to?).

Or do you want to split your cluster between sites? Can be done, if the latency is low enough between sites, with high enough bandwidth. Again, depends on how the services are handled. No point having a load sharing cluster split across sites if all the services are at one site.

Stuff to think about anyway.

today I found out some more details, previously I heard that they plan to build DR site, and I was looking for some guidelines what are possible scenarios. They will have storage based replication (via dark fiber), and all services/servers (except checkpoint) are SAN booted, CP is configured with plenty of VLANs and it is used as default gateway for those VLANs (I know this is not best design, but they insist on it, I guess they like cp management more than cisco ACLs.) There is no routing protocol on the inside in which I can inject default route, only VLANs and cp as default gateway for them. So maybe distributed cluster is best option, but then in HA mode, not load shring.
Or I'm wrong again?

belvdr
2010-04-20, 09:04
If you're wanting a hot site, then you're going to want dynamic routing. Otherwise, you'll have to place a router before the firewalls with the old default gateway IP and then configure routing on it to the firewalls.

If they're getting serious about a DR hot site, then you'll seriously consider using something like iBGP to do the routing for you.