CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Active-Active Failover

  1. #1
    Join Date
    2010-02-23
    Posts
    47
    Rep Power
    0

    Default Active-Active Failover

    Hi Guys,

    I have two Power-1 5075 appliances with UTM software blades. I need to configure them in active-active, i.e. I need to configure them for load sharing.

    Can you please provide me the configuration / how to configure them in active-active mode, or provide me a link for the same.

    Looking for your quick response.

    Thanks

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: Active-Active Failover

    You may want to rethink why you need Active-Active on your environment. Active-Passive will do the job very well 95% of the time, and is much easier to set up and troubleshoot. If the cluster is primarily routing traffic to and from the Internet, chances are you will run out of Internet bandwidth well before the CPU utilization on a single firewall is even dented (unless of course you have a multi-gigabit connection to the Internet). If you have numerous Gigabit or 10 Gigabit connections that will be passing a huge amount of traffic through the firewall at full LAN speeds Active-Active might be justified.

    If you want to use Active-Active because you think it will provide faster failovers, it just "sounds cool", or it will provide some huge performance boost at sub Gigabit speeds, you will be introducing a huge amount of complexity for little or no gain. Troubleshooting a lack of stickiness and intermittent asymmetric routing in an Active-Active scenario is not fun.

  3. #3
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: Active-Active Failover

    I agree. There are few reasonable justifications, if any, to do Active/Active with only two nodes. I'd certainly like to hear some.

    My points of reason and opinion:

    1. Regardless of the Active/Active method, you can never get more bandwidth through the cluster as a whole than you could through a single node. In my testing Active/Active added up to 15% to the CPU, and lowered overall cluster throughput by 5% to 15%.

    2. If you have a requirement for full throughput during a failure, then you can never allow a given node to exceed 50% of its capabilities. If both nodes are doing 70% and one fails, then the remaining node is suddenly having to do 140% of its capabilities.

    3. Troubleshooting is far more complicated for an Active/Active cluster than an Active/Standby cluster.

    4. Configuration is exponentially more complicated. If you're going to do true Active/Active, then you need to prepare/configure the switches around the cluster. The switches will need to be mid to high end switches that allow static CAM entries, static ARP, IGMP disabling, etc. If the firewalls and network gear are managed by two different teams, then you're looking at a political nightmare.

    5. Causes interoperability issues between the Active/Active cluster and Layer 2 sticky devices (Cisco ASA, Cisco WLC, Cisco CSM, most Load Balancers) within directly connected VLANs.

    At the end of the day, Active/Active without hardware load balancers is a complete waste of time/effort, and adds time and effort for care and feeding, adds/moves/changes, troubleshooting, etc.
    Last edited by alienbaby; 2012-03-14 at 15:40.

  4. #4
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: Active-Active Failover

    Well to answer the question, all of the information is in the ClusterXL Admin guide. The short form (this is NOT the full instructions, read the guide):

    Have 3 sets of IPs for each clustered interface ready and one otherwise unused network for sync.
    Configure the members (IPs, routes, etc.)
    Create a Cluster Object and use the wizard
    Add in the two gateways
    Follow the bouncing ball.

    As for Clustering vs. HA: the main two reasons to use active/active clusters are if you are heavily using security servers, then A/A will buy you something, and because the boss doesn't want the HA box just sitting there doing nothing.

    There are a few outliers where A/A is needed for performance, but then you really need to go to a three node cluster to avoid overloading one node in a failover condition.

    I'm not sure I agree that configuration is that much more complicated, but then again I've done a lot of them over the years so that could just be experience; but troubleshooting is a royal pain if you have to track down a given connection that's not working.

  5. #5
    Join Date
    2010-02-23
    Posts
    47
    Rep Power
    0

    Default Re: Active-Active Failover

    Thanks a ton for all your valuable comments and for sharing your experience.


    I will reconsider it before configuring it. But my security gateways are going to be placed at my internet access point, i.e. almost 2k-4k concurrent connections at a time, as more than 2k branch offices will access the internet through this. So in this scenario is active-standby also recommended, or can I go with active-active?

    @chillyjim: The cluster admin guide available at Check Point, would that work? And please guide me on what other methods are recommended for active-active config.
    Note: I have a Power-1 5075 appliance (UTM blades) which comes with SecurePlatform (R70) pre-installed, i.e. we just need to plug in the power and run the first time installation wizard, so in this scenario which configuration is recommended for active-active? Also I have a Smart-1 appliance as Security Management server for policy management; that too comes with SPLAT R70. I have configured a standalone box; this is my first time configuring two units in active-active, so I just need to make sure that I don't make any mistakes.

    Please share your valuable comments and your experience when configuring these appliances. As you guys have a lot of experience and have configured it many times, if you have any plan of action or any document that you follow while configuring new setups, then please share it with me if possible.

    Thanks in advance for your support. You can mail me the doc at fauzzi10@gmail.com

  6. #6
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Default Re: Active-Active Failover

    Quote Originally Posted by fauzzi View Post
    I will reconsider it before configuring it. But my security gateways are going to be placed at my internet access point, i.e. almost 2k-4k concurrent connections at a time, as more than 2k branch offices will access the internet through this. So in this scenario is active-standby also recommended, or can I go with active-active?
    2k-4k concurrent connections is not many. Many of us here have worked with systems with over 50k concurrent connections.

    Presumably those 2,000 branch offices will be accessing the internet through proxies, not direct?

  7. #7
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: Active-Active Failover

    Quote Originally Posted by fauzzi View Post
    @chillyjim: The cluster admin guide available at Check Point, would that work?
    Yes that's the one.

    As for connections, active/active does not add to the total number of connections you can have. Also with a 507X, you don't need to even think about below 500,000 concurrent.

  8. #8
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    16

    Default Re: Active-Active Failover

    I concur fully with my peers, active/passive is king for <500k connections. Do yourself and your support team a favor and stick to active/passive, there is no need for active/active based on the information you've provided.
    There's no place like 127.0.0.1

  9. #9
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    15

    Default Re: Active-Active Failover

    Quote Originally Posted by alienbaby View Post
    My points of reason and opinion:

    1. Regardless of the Active/Active method, you can never get more bandwidth through the cluster as a whole than you could through a single node. In my testing Active/Active added up to 15% to the CPU, and lowered overall cluster throughput by 5% to 15%.

    2. If you have a requirement for full throughput during a failure, then you can never allow a given node to exceed 50% of its capabilities. If both nodes are doing 70% and one fails, then the remaining node is suddenly having to do 140% of its capabilities.

    3. Troubleshooting is far more complicated for an Active/Active cluster than an Active/Standby cluster.

    4. Configuration is exponentially more complicated. If you're going to do true Active/Active, then you need to prepare/configure the switches around the cluster. The switches will need to be mid to high end switches that allow static CAM entries, static ARP, IGMP disabling, etc. If the firewalls and network gear are managed by two different teams, then you're looking at a political nightmare.

    At the end of the day, Active/Active without hardware load balancers is a complete waste of time/effort, and adds time and effort for care and feeding, adds/moves/changes, troubleshooting, etc.
    We also do not use Active/Active Cluster XL due to the same 4 reasons...

    PS: Thanks for confirmation that Active/Active has less throughput than Active/Standby, we also have the same numbers in our Lab, it is a pity that we could not replicate CP labs in real world..

  10. #10
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: Active-Active Failover

    Quote Originally Posted by serlud View Post
    PS: Thanks for confirmation that Active/Active has less throughput than Active/Standby
    This is one of those "it depends" things. If you are in a spot where you really need Active/Active then it can really improve performance. If you are in a condition where you are just hammering the gateways with packets then it will hurt (though it can be improved greatly with adjustments to sync settings).

    Load sharing clusters in general just are not worth it, until they are needed, then they can really be a great thing.

    note -- none of this applies to VSX. That is a very different conversation.

  11. #11
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    15

    Default Re: Active-Active Failover

    Quote Originally Posted by chillyjim View Post
    This is one of those "it depends" things.
    Yes, we know "it depends on...", that is why we do not use it; we just have no right dependence in our current production environment..
    Last edited by serlud; 2010-12-06 at 12:55.

  12. #12
    Join Date
    2010-02-23
    Posts
    47
    Rep Power
    0

    Default Re: Active-Active Failover

    Thanks again for all your support. It is very encouraging that you guys reply so instantly. My last query is that I am just getting confused with the configuration part. As I mentioned I have 2 units of Power-1 appliances, so while running the first time configuration wizard and putting in all the basic configuration, it asks for cluster config, i.e. primary cluster member or secondary. So if I configure it through Dashboard as suggested in the cluster admin guide, will it work, or do I need to do some configuration for it in the appliance also? Can you please guide me on the right steps while configuring the Power-1 appliances in a cluster. Thanks

  13. #13
    Join Date
    2006-02-09
    Location
    Charleston, SC
    Posts
    1,172
    Rep Power
    16

    Default Re: Active-Active Failover

    On clustered gateways you configure the local interfaces and enable the gateway for HA (ClusterXL).

    In dashboard, you configure IPs for the cluster in the topology section.
    There's no place like 127.0.0.1

  14. #14
    Join Date
    2010-02-23
    Posts
    47
    Rep Power
    0

    Default Re: Active-Active Failover

    Hi Guys, thanks for all your support. I just need your expertise one last time to assure a successful implementation of the appliances. I have made a plan of action which I am going to use in the implementation of two Power-1 appliances in ClusterXL (Active-Active mode). I request you to please go through it and let me know if there is any mistake and whether this will take me to a successful implementation or not. Note: please check the Cluster Configuration.

    POA for Power-1 Appliance in Active-Active Mode:

    Configuring Power-1. The workflow for configuring Power-1 is:

    1. Mount the Power-1 in the rack.

    2. Connect the cables and power on.

    3. Perform the initial configuration.

    4. Add the Power-1 object in Smart Dashboard and install a policy.
    • Mounting Power-1 in a Rack: Mount the system in the rack with the network ports facing the front of the rack.
    • Connecting the Power Cables and Power On:

    1. Connect the power cables.

    2. On the back panel, turn on the Power button to start the appliance.
    Note - When a power supply fails or is not connected to the outlet, an alarm sounds continuously. If you hear the alarm, replace the faulty power supply immediately, and connect the new unit to an A/C outlet.

    3. Wait for the appliance to initialize and boot. The appliance is ready for use when the model number is displayed.

    • Using the First Time Configuration Wizard:

    1. Connect a standard network cable to the appliance's management interface and to your management network. The management interface is marked Internal. This interface is preconfigured with the IP address 192.168.1.1.

    2. Connect to the management interface by connecting from a computer on the same network subnet as the management interface (for example, with IP address 192.168.1.x and netmask 255.255.255.0). This can be changed later through the management interface.

    3. To access the administration interface, initiate a connection from a browser to the default administration IP address: https://192.168.1.1:4434. Note - Pop-ups must always be allowed on https://<appliance_ip_address>. The login page appears.

    4. Log in with the default system administrator login name/password: admin/admin, and click Login.

    5. Change the administrator password, as prompted. The default password gives you initial access to Power-1. Change it to a more secure password. In the Password recovery login token section, you can download a Login Token that can be used in the event a password is forgotten. It is highly recommended to save and store the password recovery login token file in a safe place.

    6. The First Time Configuration Wizard runs. The Wizard presents a number of windows, in which you configure the Date and Time, Network Connections, Routing, DNS Servers, Host and Domain Name, and Deployment Type of Power-1. Note - The features configured in the wizard are accessible after completing the wizard via the WebUI menu. The WebUI menu can be accessed by navigating to https://<appliance_ip_address>:4434. Click Next.

    7. Configure date and time in the Appliance Date and Time Setup window. Click Apply. Click Next.

    8. Configure Network Connections in the Network Connections page. If you modify the Mgmt address, a secondary interface is automatically created to preserve connectivity. This secondary interface can be removed on the Network > Network Connections page after the wizard is completed. Click Next.

    9. Configure Routing on the Routing Table page. Click Next.

    10. Set the Host and Domain on the Host and Domain Name page. The host name must start with a letter and cannot be named Com1, Com2....Com9. Set the DNS servers on the DNS Servers page. Click Next.

    11. Click Next. The Management Type page opens. Select Centrally Managed from the options. Note: before selecting this option make sure that your SmartCenter Server is up, running and connected. Click Next.

    12. Configure the gateway type as a member of a cluster. Click Next.

    13. Establish Secure Internal Communication (SIC) with the Smart Center server that will manage the Power-1 appliance. SIC must be initialized or re-initialized on the Smart Center server as well as on the gateway. In Smart Dashboard, on the General Properties window of the gateway object, enter the activation key that you specified here. Click Next.

    14. Configure client access in the Web/SSH window. Define which IP addresses are allowed to connect using Web or SSH clients. These clients will be able to manage the appliance using a web or SSH connection. Enter a comma-separated list of IP addresses from which you will manage Power-1. Type Any to manage Power-1 from any computer. These and other advanced configuration options are available via the WebUI menu.

    15. The Summary page appears.

    16. Click Finish to complete the First Time Configuration Wizard. The machine will automatically restart (this may take several minutes) and the configuration process runs. Note - It is recommended to back up the system configuration. The backup menu can be accessed via the WebUI under the Appliance menu.

    17. Wait until the completed message appears, and click OK.

    18. Reboot the gateway.

    19. Repeat the same steps on secondary appliance and enter an activation key when prompted. Note - Remember the activation key. You will need it later when configuring the Cluster in SmartDashboard. Remember to configure the cluster SYNC interface on the same subnet as the SYNC interface on the First Appliance.
    You now have two Power-1 appliances.

    Cluster Configuration (Active-Active) in Dashboard:

    1. Log in to the Security Management Server, which is already up and running.

    2. Open SmartDashboard, which you downloaded while configuring the Smart-1 appliance, on your Windows machine. When configuring a ClusterXL cluster in SmartDashboard, you use the Cluster object Topology page to configure the topology for both the cluster and the cluster members. The cluster IP addresses are virtual, in other words, they do not belong to any physical interface. One (or more) interfaces of each cluster member will be in the synchronization network.

    3. Define a new Gateway Cluster object: right click the Network Objects tree, and choose New Check Point > Gateway Cluster.
    • Select Classic Mode Configuration.
    1. In the General tab of the Gateway Cluster object, check ClusterXL as a product installed on the cluster.

    2. Define the general IP address of the cluster. Define it to be the same as the IP address of one of the virtual cluster interfaces.

    3. In the Cluster Members page, click Add > New Cluster Member to add cluster Members to the cluster. Cluster members exist solely inside the Gateway Cluster object. For each cluster member:
    • In the Cluster Members Properties window General tab, define a Name and IP Address. Choose an IP address that is routable from the Security Management server so that the Security Policy installation will be successful. This can be an internal or an external address, or a dedicated management interface.
    • Click Communication, and Initialize Secure Internal Communication (SIC).
    • Define the NAT and VPN tabs, as required.

    4. In the ClusterXL page, select Load Sharing Unicast Mode.
    Note: Load Sharing configurations require synchronization between cluster members, so this option is checked and grayed out.

    6. In the Topology page, define the virtual cluster IP addresses and at least one synchronization network.
    In the Edit Topology window:
    • Define the topology for each cluster member interface. To automatically read all the predefined settings on the member interfaces, click Get all members’ topology.
    • In the Network Objective column, define the purpose of the network by choosing one of the options from the drop-down list (Cluster, 1st Sync., etc.).

    7. Still in the Topology page, define the topology for each virtual cluster interface. In a virtual cluster interface cell, right click and select Edit Interface. The Interface Properties window opens.
    • In the General tab, Name the virtual interface, and define an IP Address
    • In the Topology tab, define whether the interface is internal or external, and set up anti-spoofing.
    • In the Member Networks tab, define the member network and its netmask if necessary.

    8. Define the other pages in the cluster object as required (NAT, VPN, Remote Access, and so on).

    9. Install the Security Policy on the cluster.

    Please provide your feedback and recommendations.

    Thanks
    Last edited by fauzzi; 2010-12-10 at 03:53.
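The plan above depends on an addressing scheme that is easy to get wrong before a single appliance is touched: three addresses per clustered interface on one subnet (member A, member B, virtual cluster IP), and a sync network that both members share and nothing else uses. The checker below is an added example, not code from the thread or from Check Point; the plan dictionary format and the sample addresses are constructed for illustration.

```python
import ipaddress

# Each clustered interface needs three addresses on one subnet: one per
# member plus the virtual cluster IP (the "3 sets of IPs" from the thread).
REQUIRED = ("member_a", "member_b", "cluster")


def check_cluster_plan(plan):
    """Return the problems found in a planned ClusterXL topology ([] = passed).

    plan = {"interfaces": {name: {"member_a": "ip/len", "member_b": ..., "cluster": ...}},
            "sync": {"member_a": "ip/len", "member_b": "ip/len"}}   (format is an assumption)
    """
    problems = []
    nets_in_use = {}  # subnet -> interface name, to spot reuse
    for name, cfg in plan.get("interfaces", {}).items():
        missing = [k for k in REQUIRED if k not in cfg]
        if missing:
            problems.append(f"{name}: missing {', '.join(missing)}")
            continue
        ifaces = [ipaddress.ip_interface(cfg[k]) for k in REQUIRED]
        net = ifaces[0].network
        if any(i.network != net for i in ifaces):
            problems.append(f"{name}: member and cluster addresses are not on one subnet")
        if len({i.ip for i in ifaces}) != len(REQUIRED):
            problems.append(f"{name}: member_a, member_b and cluster IP must be distinct")
        if net in nets_in_use:
            problems.append(f"{name}: subnet {net} already used by {nets_in_use[net]}")
        nets_in_use.setdefault(net, name)
    # The sync network carries member addresses only and must not be shared
    # with any clustered interface ("one otherwise unused network for sync").
    sync = plan.get("sync") or {}
    missing = [k for k in ("member_a", "member_b") if k not in sync]
    if missing:
        problems.append(f"sync: missing {', '.join(missing)}")
        return problems
    a = ipaddress.ip_interface(sync["member_a"])
    b = ipaddress.ip_interface(sync["member_b"])
    if a.network != b.network:
        problems.append("sync: member_a and member_b must be on the same subnet")
    elif a.ip == b.ip:
        problems.append("sync: member_a and member_b must have distinct addresses")
    for net, owner in nets_in_use.items():
        if net.overlaps(a.network) or net.overlaps(b.network):
            problems.append(f"sync: {a.network} overlaps {owner}; use an otherwise unused network")
    return problems


# Constructed sample plans (documentation ranges), not addresses from the thread.
GOOD_PLAN = {
    "interfaces": {
        "External": {"member_a": "203.0.113.2/24", "member_b": "203.0.113.3/24", "cluster": "203.0.113.1/24"},
        "Internal": {"member_a": "10.10.0.2/24", "member_b": "10.10.0.3/24", "cluster": "10.10.0.1/24"},
    },
    "sync": {"member_a": "10.255.255.1/30", "member_b": "10.255.255.2/30"},
}
# Same plan with two planning mistakes: the External cluster IP collides with
# member A, and the sync interfaces were put on the Internal subnet.
BAD_PLAN = {
    "interfaces": {
        "External": {"member_a": "203.0.113.2/24", "member_b": "203.0.113.3/24", "cluster": "203.0.113.2/24"},
        "Internal": GOOD_PLAN["interfaces"]["Internal"],
    },
    "sync": {"member_a": "10.10.0.4/24", "member_b": "10.10.0.5/24"},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_cluster_plan(plan) or "OK")
```

A plan with no sync section at all is reported as a problem too, which is exactly the gap the later reply in this thread points out.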

  15. #15
    Join Date
    2010-02-23
    Posts
    47
    Rep Power
    0

    Default Re: Active-Active Failover

    Guys,

    Can you please help me out here.

  16. #16
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    15

    Default Re: Active-Active Failover

    Quote Originally Posted by fauzzi View Post
    Guys, Can you please help me out here.
    Sorry, we could not help; we are not using such expensive hardware as the Power-1 appliance.

    In our env. we are using only open server platforms like HP DL380 (exception - several UTM-1 132--1073 with terribly low FW throughput due to Celeron M CPU performance),
    and our installation is quite different - we are using only an ssh connection and do not need ANY additional https connections for first config ...
    Last edited by serlud; 2010-12-11 at 15:08.

  17. #17
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    11

    Default Re: Active-Active Failover

    If it were me, I'd set everything up in a lab/test environment and make sure it works there first before putting it in the datacenter. I didn't see any steps about configuring the Sync interface along with the other interfaces you'll be using. Otherwise, the steps look like they should work.

    Also, as mentioned by others, I agree that active/active is a bad idea. alienbaby made some very good points.

  18. #18
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    15

    Default Re: Active-Active Failover

    Add point 5 to my arguments above.

    5. Causes interoperability issues between the Active/Active cluster and Layer 2 sticky devices (Cisco ASA, Cisco WLC, Cisco CSM, most Load Balancers) within directly connected VLANs.
