CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: disaster recovery site

  1. #1
    Join Date
    2008-08-13
    Posts
    87
    Rep Power
    12

    Default disaster recovery site

    Hi,

    Maybe someone can point me in the right direction. Our customer has an NGX R65 UTM cluster in load sharing mode. Now they plan to build a disaster recovery site. Are there any documents or guidelines about designing Check Point for such an environment? A distributed cluster came to my mind first, but how can I have two modules in load sharing acting as one part of an HA cluster? Is this possible? What are the alternatives?

  2. #2
    Join Date
    2009-06-10
    Location
    NE Ohio
    Posts
    1,202
    Rep Power
    12

    Default Re: disaster recovery site

    Quote Originally Posted by *tomo* View Post
    Hi,

    Maybe someone can point me in the right direction. Our customer has an NGX R65 UTM cluster in load sharing mode. Now they plan to build a disaster recovery site. Are there any documents or guidelines about designing Check Point for such an environment? A distributed cluster came to my mind first, but how can I have two modules in load sharing acting as one part of an HA cluster? Is this possible? What are the alternatives?
    If it's a hot site, then build a separate cluster with a separate connection. Then use dynamic routing on the inside to fail it over to the new cluster.

  3. #3
    Join Date
    2008-08-13
    Posts
    87
    Rep Power
    12

    Default Re: disaster recovery site

    Quote Originally Posted by belvdr View Post
    If it's a hot site, then build a separate cluster with a separate connection. Then use dynamic routing on the inside to fail it over to the new cluster.
    Hmm, I can't say I understood you, do you maybe have some links, case studies, something?

  4. #4
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: disaster recovery site

    Quote Originally Posted by *tomo* View Post
    Hmm, I can't say I understood you, do you maybe have some links, case studies, something?
    What's been suggested is a reasonably standard sort of setup. Have a look at some standard networking books, or perhaps dig around on cisco.com. It's probably more of a generic network design question, rather than a Check Point-specific one.

    You need to think carefully about exactly what you're trying to do. If you want disaster recovery, then it's easy enough to have a cluster at the secondary site, and use dynamic routing to failover. Connections will have to be re-established.

    Of course, it's a far bigger topic than just Check Point failover. What services do you have? How are they going to failover? How are you going to synchronise data between sites (do you even need to?).

    Or do you want to split your cluster between sites? Can be done, if the latency is low enough between sites, with high enough bandwidth. Again, depends on how the services are handled. No point having a load sharing cluster split across sites if all the services are at one site.

    Stuff to think about anyway.

  5. #5
    Join Date
    2008-08-13
    Posts
    87
    Rep Power
    12

    Default Re: disaster recovery site

    Quote Originally Posted by northlandboy View Post
    What's been suggested is a reasonably standard sort of setup. Have a look at some standard networking books, or perhaps dig around on cisco.com. It's probably more of a generic network design question, rather than a Check Point-specific one.

    You need to think carefully about exactly what you're trying to do. If you want disaster recovery, then it's easy enough to have a cluster at the secondary site, and use dynamic routing to failover. Connections will have to be re-established.

    Of course, it's a far bigger topic than just Check Point failover. What services do you have? How are they going to failover? How are you going to synchronise data between sites (do you even need to?).

    Or do you want to split your cluster between sites? Can be done, if the latency is low enough between sites, with high enough bandwidth. Again, depends on how the services are handled. No point having a load sharing cluster split across sites if all the services are at one site.

    Stuff to think about anyway.
    Today I found out some more details. Previously I heard that they plan to build a DR site, and I was looking for some guidelines on what the possible scenarios are. They will have storage-based replication (via dark fiber), and all services/servers (except Check Point) are SAN booted. CP is configured with plenty of VLANs and it is used as the default gateway for those VLANs (I know this is not the best design, but they insist on it; I guess they like CP management more than Cisco ACLs). There is no routing protocol on the inside into which I can inject a default route, only VLANs and CP as the default gateway for them. So maybe a distributed cluster is the best option, but then in HA mode, not load sharing.
    Or I'm wrong again?

  6. #6
    Join Date
    2009-06-10
    Location
    NE Ohio
    Posts
    1,202
    Rep Power
    12

    Default Re: disaster recovery site

    If you're wanting a hot site, then you're going to want dynamic routing. Otherwise, you'll have to place a router before the firewalls with the old default gateway IP and then configure routing on it to the firewalls.

    If they're getting serious about a DR hot site, then you'll seriously consider using something like iBGP to do the routing for you.
