CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Checkpoint VRRP - new install

Post #1 (oharek)

    Hello,

    I have 2 x Checkpoints running Gaia R77.20 and both sit on different sites. I have a smart appliance on one of the sites to push the rulebase to both of them. Everything is working ok. I have got a stretched dmz connection installed between the two sites so I can do High Availability between the checkpoints. The reason for this is that if one checkpoint is down the users can still access their dmz servers via the other site (I will have the servers replicated on both sites).

    So - what is the best way to Cluster these Checkpoints?

    I want to use VRRP?
    Is this a good idea, and does anyone know of any issues, good/bad, to be aware of?


    thanks
    Kevin

Post #2 (ShadowPeak.com)

    Quote Originally Posted by oharek (post #1 above)
    The main use case for VRRP over ClusterXL is the ability for VRRP to present more than one cluster IP address (also sometimes called a VIP) on the same physical or logical (tagged) interface. This can be needed when the firewall must present a secondary cluster IP address or there is more than one IP subnet in use on the same segment/VLAN (this is not common). VRRP also sends far fewer cluster control/advertisements and as such tends not to infuriate switches that don't work well with high-rate multicast traffic. ClusterXL has far more internal "moving parts" and can exhibit strange behavior on some customer networks, while VRRP tends to be less sensitive to the setup of attached networks.

    Other than those three things though, VRRP is considerably more difficult to set up properly than ClusterXL, since VRRP must be initially set up in the Gaia web interface, and then even more setup must be performed in the SmartDashboard. If the two setups don't match exactly, cluster split-brains can easily occur. In ClusterXL all the setup is done in the SmartDashboard, which makes split-brains far less likely. VRRP definitely has its adherents though, and I'm sure they will be chiming in on this thread shortly. In general though I almost always recommend ClusterXL.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

Post #3 (cciesec2006)

    Quote Originally Posted by ShadowPeak.com
    In general though I almost always recommend ClusterXL.
    Here are my thoughts on VRRP and ClusterXL: ClusterXL is generally for dummies who don't understand the network well; it is easy to set up. VRRP has more features than ClusterXL, especially with VRRP running on IPSO. There are many things that you can do with VRRP that you cannot do with ClusterXL.

    The way I see it, ClusterXL is like driving a Toyota Camry. It will run well but you will not get much performance from the Camry. VRRP is like driving a Porsche. A Porsche runs much faster and has many more features than the Camry. At the same time, a Porsche also requires much more maintenance than a Camry.

    Like the old saying "you get what you pay for". It is very true in the case of ClusterXL vs. VRRP.

Post #4 (EricAnderson)

    Quote Originally Posted by ShadowPeak.com
    The main use case for VRRP over ClusterXL is the ability for VRRP to present more than one cluster IP address (also sometimes called a VIP) on the same physical or logical (tagged) interface.
    I would add that the ability to control interface deltas can be a major benefit. Overall, VRRP offers more granularity and control.


    Quote Originally Posted by cciesec2006
    The way I see it, clusterXL is like driving a Toyota Camry. It will run well but you will not much performance from the Camry. VRRP is like driving a Porsche. Porsche runs much faster and have much more features than the Camry. At the same time, porsche also requires much more maintenance than Camry.
    I like this comparison, but I'd add that the Camry we're talking about has an automatic transmission, and the Porsche is manual. That clutch gives you much more potential, but it's not for everyone (and it's hard to eat fast food while shifting).


    Quote Originally Posted by cciesec2006
    like the old saying "you get what you pay for". It is very true in the case of clusterXL vs. VRRP.
    Used to be literally true, as VRRP was only available (easily) in IPSO. With Gaia, the hard cost has been eliminated, and now it's just the cost of educating yourself and doing a bit extra config.

    -E

Post #5 (EricAnderson)

    While the above replies are helpful in comparing VRRP and ClusterXL, my impression of the original question was that the OP is asking if either is viable in his scenario.

    In short, oharek, it sounds like you are talking about a disaster recovery setup with two separate physical/geographical locations. Generally, Check Point's firewall clustering (whether VRRP or ClusterXL) is intended for same-site high availability or [cringe] load sharing. This would mean that all clustered/monitored interfaces are connected to the same networks.

    If indeed you are talking about different locations (interfaces aren't on the same switches), then clustering isn't going to do it for you (at least not in the standard sense).

    Do I understand you correctly?

    -E

Post #6

    Quote Originally Posted by cciesec2006 (post #3 above)
    thumbs up for the analogy

Post #7 (alienbaby)

    Quote Originally Posted by cciesec2006 (post #3 above)

    These analogies are not even remotely accurate.

    VRRP is a dumb protocol. VRRP was created for routers that have no need for statefulness and in fact do not do access control whatsoever. RFC-based VRRP is a per-segment failover. Simple and stupid.
    IPSO adds some insect intelligence. If interface 1 loses link state, then make a calculation as to whether interfaces 2 and 3 should lower themselves. Simple and stupid. Many failure conditions are not taken into consideration in its design or operation.


    ClusterXL, however, accounts for many additional failure conditions. With ClusterXL, if one interface determines a failover is required, then all interfaces fail over, as is appropriate for a stateful access control device.

    Network Visibility - ARP sweeps of directly connected subnets are compared among cluster members.
    Transmit Failure - ClusterXL reports to the other cluster member whether it can see its peers on all interfaces. tcpdump on any cluster interface and you'll see UDP port 8116: ClusterXL health checking.
    Receive Failure - (If the higher-priority VRRP router can transmit but not receive, the lower-priority units will remain in Backup state; ClusterXL detects and reports this failure.)
    Lack of firewall policy checking - Hacked into IPSO's VRRP.
    Failure of fwd process - Not detected by IPSO's VRRP; witnessed this recently.

    VRRP uses a master-only hello. The standby unit transmits nothing. The hello packet is transmitted once a second, and requires 3 lost packets to disappear before a failover takes place. By contrast, ClusterXL transmits 16-32 queries/responses a second.

    ClusterXL: sub-second failover with multiple failure conditions accounted for and reported (action taken and logged to Tracker).
    VRRP: multi-second failover and only one failure condition accounted for, by design, and not reported.

    The only advantage that VRRP has, with default configuration, is that the cluster MAC moves when failover takes place; this helps primitive TCP/IP stacks that don't accept GARPs. This advantage was undone when ClusterXL VMAC was introduced.

    For pure routers, VRRP is fine; for firewalls, VRRP and all its derivatives (NSRP etc.) are shit.
    And VRRP 'simplified' is even worse; good luck predicting which box will be master with that horribly designed monstrosity.

    Better analogy.. VRRP is Hodor while ClusterXL is the three-eyed raven.
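The timing points made in the post above (master-only hello once a second, three lost hellos before a failover) and the split-brain risk ShadowPeak.com raises in post #2, as an added example that is not code from this thread, from Check Point or from any product: a small VRRPv2 advertisement builder and parser following the RFC 3768 layout (version/type, VRID, priority, address count, auth type, advertisement interval, one's complement checksum, addresses, 8 bytes of auth data), the master-down interval a backup waits before claiming the VIP (three missed advertisements plus a priority-dependent skew), and a detector that flags two sources advertising the same VRID inside that interval. Only the master transmits, so one overlapping advertisement is what a normal preemption looks like; a run of them is two boxes both holding the VIP. The capture, addresses, VRID and priorities are constructed, and `build_advert`, `parse_advert`, `master_down_interval`, `find_dual_masters` and `sample_capture` are names chosen here.

```python
import struct
from ipaddress import IPv4Address

# RFC 3768 constants. 224.0.0.18 is link-local multicast, flooded on the segment
# without IGMP or snooping, which is why VRRP is easy on switches.
VRRP_MCAST = "224.0.0.18"
VRRP_IP_PROTO = 112
VRRP_VERSION, VRRP_ADVERTISEMENT = 2, 1


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (same as the IP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_advert(vrid: int, priority: int, vips: list, adver_int: int = 1) -> bytes:
    """Encode a VRRPv2 ADVERTISEMENT with no authentication and a valid checksum."""
    if not (1 <= vrid <= 255 and 1 <= priority <= 255 and 1 <= adver_int <= 255):
        raise ValueError("VRID, priority and advertisement interval are 1..255")
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(vips), 0, adver_int, 0)
    body = b"".join(IPv4Address(v).packed for v in vips) + bytes(8)  # 8 bytes auth data
    pkt = header + body
    checksum = (~_ones_complement_sum(pkt)) & 0xFFFF
    return pkt[:6] + struct.pack("!H", checksum) + pkt[8:]


def parse_advert(pkt: bytes) -> dict:
    """Decode one advertisement, rejecting wrong version/type, bad length or bad checksum."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP message")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    if _ones_complement_sum(pkt) != 0xFFFF:  # a correct checksum makes the whole sum all-ones
        raise ValueError("bad checksum")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "vips": vips}


def master_down_interval(backup_priority: int, adver_int: int) -> float:
    """Seconds a backup waits after the last advertisement before becoming master
    (RFC 3768 section 6.1): three missed hellos plus a skew so higher priorities win."""
    return 3 * adver_int + (256 - backup_priority) / 256


def find_dual_masters(capture):
    """capture: iterable of (timestamp, source_ip, vrrp_payload) seen on one segment.
    Only the master transmits, so a second source advertising the same VRID before
    its own master-down interval could have expired means two boxes both believe
    they own the VIP. Returns (timestamp, vrid, earlier_source, later_source)."""
    last_seen = {}  # vrid -> (timestamp, source, adver_int)
    conflicts = []
    for ts, src, payload in sorted(capture, key=lambda e: e[0]):
        adv = parse_advert(payload)
        vrid = adv["vrid"]
        if vrid in last_seen:
            prev_ts, prev_src, prev_int = last_seen[vrid]
            if prev_src != src and ts - prev_ts < master_down_interval(adv["priority"], prev_int):
                conflicts.append((ts, vrid, prev_src, src))
        last_seen[vrid] = (ts, src, adv["adver_int"])
    return conflicts


def sample_capture():
    """Constructed trace, not a real capture: 10.1.1.2 (priority 100) goes quiet after
    t=2, 10.1.1.3 (priority 90) takes over after its master-down interval, and from
    t=20 both send at once, which is what a split brain looks like on the wire."""
    a = build_advert(vrid=10, priority=100, vips=["10.1.1.1"])
    b = build_advert(vrid=10, priority=90, vips=["10.1.1.1"])
    trace = [(t, "10.1.1.2", a) for t in (0.0, 1.0, 2.0)]
    takeover = 2.0 + master_down_interval(90, 1)  # 5.6484375 s: a clean takeover
    trace += [(takeover + k, "10.1.1.3", b) for k in range(3)]
    trace += [(20.0 + k, "10.1.1.2", a) for k in range(3)]
    trace += [(20.5 + k, "10.1.1.3", b) for k in range(3)]
    return trace


if __name__ == "__main__":
    for ts, vrid, first, second in find_dual_masters(sample_capture()):
        print(f"t={ts:5.1f}s VRID {vrid}: {first} and {second} both advertising as master")
```

The clean takeover at t=5.65 s is not flagged because it lands exactly one master-down interval after the last hello; the five overlaps from t=20.5 s onward are. Feeding real traffic in means capturing IP protocol 112 to 224.0.0.18 on the segment and handing each payload to `find_dual_masters` with its timestamp and source address.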

Post #8 (EricAnderson)

    Quote Originally Posted by alienbaby
    VRRP is a dumb protocol.
    I don't want to start (or fan the flames of) a debate here (especially when I still think the OP was asking if clustering was a viable solution, not VRRP vs. ClusterXL), but while I think you have some good points, I think you're off-base in a couple ways. Let me also state right up front, however, that I far more often will use/recommend ClusterXL. I'll also add, for perspective, that my appreciation for VRRP dates back to pre-ClusterXL days, when the offering of Nokia/IPSO/VRRP was a godsend, and meant we could ditch StoneBeat.

    Remember, we're not talking about generic, standard VRRP on routers. We are, indeed, referring to VRRP as used by Check Point (and Nokia) on IPSO and Gaia. In this case, VRRP actually works in conjunction with ClusterXL to provide the clustering solution. When properly configured, there are very few functional differences, and most users would never notice a difference in behavior. Timings and communication methods/requirements are probably the most significant.

    Specifically in regards to your comments:
    - Even when employing VRRP, ClusterXL is responsible for sync (and other Check Point specific functions), including failover due to non-VRRP issues/problems. VRRP can't/won't "do it all", and therefore some of its limitations are non-issues
    - VRRP will fail over the entire device (not just individual interfaces). As you conceded, in the Check Point scenario (RFC be damned), it is not "per segment".

    I find it a bit humorous that people can be so strongly against one or the other. Comments like "ClusterXL is generally for dummies" or "VRRP and all it's derivatives (NSRP etc.) are shit" make me think that someone is either looking for a fight, or needs to fix some of their own misconceptions.

    Quote Originally Posted by alienbaby
    These analogies are not even remotely accurate.
    ClusterXL fans shouldn't be offended by the initial analogy: I'd bet there are far more Camrys on the road than every model that Porsche makes combined. I would add (to alienbaby's point) that VRRP "Simplified" would be like a Porsche with an automatic running in "eco" mode. I also prefer my analogies to be non-fiction (but that's just me). Makes it a bit easier for people who don't read/watch Game of Thrones.

    On an off-point note:

    I will go out on a limb here and state that I'd guess VRRP's days are numbered. Just as we've seen with most of the features/options/capabilities of both SPLAT and IPSO, Gaia will eventually/soon be the way to go. In order to unify and simplify platform support, "features" from each (like VRRP) have continued to be incorporated into Gaia, with the eventual goal of eliminating the elder two. For now, that eases migrations and keeps from forcing conversion from VRRP to ClusterXL (and loss of any benefits, perceived or real). Eventually, I would speculate that CP will expand ClusterXL to incorporate these features/benefits (like granular interface-specific failure deltas), and reduce or eliminate the need for VRRP. We're already seeing this with VMAC support. Anyone agree?

    -E

Post #9

    Quote Originally Posted by EricAnderson
    Anyone agree?
    Yes - the future direction is clear to me. There's a lot of large customers running VRRP, so they won't get rid of it in a hurry, but you'll see a continued shift of resources towards Gaia + SecureXL. After a while, running any other combination starts getting painful. Eventually it becomes impossible.

Post #10 (alienbaby)

    Quote Originally Posted by EricAnderson
    when the offering of Nokia/IPSO/VRRP was a godsend, and meant we could ditch StoneBeat.
    Granted.. Solaris and/or Stonebeat were operational nightmares.


    Quote Originally Posted by EricAnderson
    In this case, VRRP actually works in conjunction with ClusterXL to provide the clustering solution. When properly configured, there are very few functional differences, and most users would never notice a difference in behavior. Timings and communication methods/requirements are probably the most significant.
    VRRP, even in GAIA, is separate from ClusterXL.
    ClusterXL is not aware of VRRP.
    VRRP on GAIA operates separate from ClusterXL. VRRP has a process that checks whether a policy is installed and maybe a few other checks.


    Quote Originally Posted by EricAnderson
    Specifically in regards to your comments:
    - Even when employing VRRP, ClusterXL is responsible for sync (and other Check Point specific functions), including failover due to non-VRRP issues/problems. VRRP can't/won't "do it all", and therefore some of it's limitations are non-issues
    - VRRP will fail over the entire device (not just individual interfaces). As you conceded, in the Check Point scenario (RFC be damned), it is not "per segment".
    It is per-segment. Just to check whether CheckPoint had added some new intelligence, I setup an R77.20 cluster using GAIA VRRP. The decision to become master is still made per-segment/per-interface, just as IPSO VRRP is/was.

    Scenario:

    A cluster with 3+ interfaces.
    Loss of link on one interface on cluster member 1; let's say eth2.
    Loss of link on one interface on cluster member 2; a different interface, say eth3.

    Cluster member 2 will remain Backup on all interfaces except the interface that cluster member 1 lost link, eth2, where cluster member 2 will become Master... Hence, the decision to become Master is made on an interface by interface basis. Network problems do not result in a whole box decision.

    This scenario is an odd one, sure.. but it does demonstrate the decision process in VRRP.

    A better one, and more likely real world is a switch stack, or switch infrastructure becoming split, with no loss of link state to the firewalls.

    In this scenario, which could be caused by a switch stack module going bad or a bad inter-switch trunk cable or many others, VRRP would go split brain.
    ClusterXL would recognize that the other cluster member was not visible on the affected interface and begin ARP sweeping to determine the level of connectivity in the directly connected subnets.
    ClusterXL would determine which cluster member has the better network connectivity, and make a fail-over decision accordingly.


    Quote Originally Posted by EricAnderson
    ClusterXL fans shouldn't be offended by the initial analogy: I'd bet there are far more Camry's on the road than every model that Porsche makes combined. I would add (to alienbaby's point) that VRRP "Simplified" would be like a Porsche with an automatic running in "eco" mode. I also prefer my analogies to be non-fiction (but that's just me). Makes it a bit easier for people who don't read/watch Game of Thrones .
    VRRP is a simple protocol. Akin to a 1960's VW bug.
    ClusterXL is much more robust. More like a modern car with anti-lock brakes etc.
    But it's not overly complicated. If you ever tried to make NSRP robust, you know complicated.

    But in the end, as a good security professional should.. We list the potential failures, and work to mitigate each of them.
    In my experience, which is not small, ClusterXL mitigates the most real world failure conditions, with the least amount of hassle or manual configuration.

    And Seriously.. Game of Thrones is the most Pirated TV show in the world. Everybody watches Game of Thrones.
    Last edited by alienbaby; 2015-09-01 at 01:33.
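The per-interface decision alienbaby describes in the post above, and the "interface delta" EricAnderson mentions in post #4, modelled as an added example that is not Check Point code and does not reproduce how ClusterXL actually ranks members: two members with three interfaces each, an RFC 3768 style election run independently on every segment (higher priority wins, higher address breaks ties, and a member with no link on a segment cannot send advertisements there, so it is simply absent from that election), an assumed priority delta subtracted for each failed monitored interface, and next to it a deliberately simple whole-box rule that hands every VIP to one member (fewest failed interfaces, then base priority). Member names, addresses, priorities and the delta are constructed; `scenario` reproduces the one-interface-each failure from the post, plus two single-failure cases that show what the delta does.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    base_priority: int
    addrs: dict                                  # interface -> this member's own IP there
    delta: int = 20                              # assumed knob: priority lost per failed interface
    link_up: dict = field(default_factory=dict)  # interface -> link state (missing = up)

    def failed(self):
        return [i for i in self.addrs if not self.link_up.get(i, True)]

    def effective_priority(self):
        # Monitored-circuit style: every failed interface lowers priority on all segments.
        return max(1, self.base_priority - self.delta * len(self.failed()))


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def per_interface_masters(members):
    """VRRP style: each segment elects on its own. Higher effective priority wins,
    higher address breaks ties, and a member without link on a segment is not a
    candidate there at all (it cannot hear or send advertisements on that wire)."""
    owners = {}
    for iface in sorted({i for m in members for i in m.addrs}):
        live = [m for m in members if iface in m.addrs and m.link_up.get(iface, True)]
        if not live:
            owners[iface] = None  # nobody can serve this segment
            continue
        best = max(live, key=lambda m: (m.effective_priority(), _ip_key(m.addrs[iface])))
        owners[iface] = best.name
    return owners


def whole_box_masters(members):
    """Deliberately simple whole-box rule (not ClusterXL's real algorithm): the member
    with the fewest failed interfaces, then the higher base priority, takes every VIP,
    so all flows through the stateful firewall land on one box."""
    best = max(members, key=lambda m: (-len(m.failed()), m.base_priority))
    return {i: best.name for i in sorted({i for m in members for i in m.addrs})}


def is_split(owners):
    """True when VIPs are held by more than one member at the same time."""
    return len({o for o in owners.values() if o is not None}) > 1


def scenario(a_down=(), b_down=(), delta=20):
    """Constructed pair: fw-a (priority 110) and fw-b (priority 100) on eth1..eth3."""
    ifaces = ("eth1", "eth2", "eth3")
    fw_a = Member("fw-a", 110, {i: f"10.{n}.0.2" for n, i in enumerate(ifaces, 1)}, delta)
    fw_b = Member("fw-b", 100, {i: f"10.{n}.0.3" for n, i in enumerate(ifaces, 1)}, delta)
    for i in a_down:
        fw_a.link_up[i] = False
    for i in b_down:
        fw_b.link_up[i] = False
    return per_interface_masters([fw_a, fw_b]), whole_box_masters([fw_a, fw_b])


if __name__ == "__main__":
    cases = {
        "fw-a loses eth2, delta 20": dict(a_down=("eth2",)),
        "fw-a loses eth2, delta 5 (smaller than the priority gap)": dict(a_down=("eth2",), delta=5),
        "fw-a loses eth2 and fw-b loses eth3": dict(a_down=("eth2",), b_down=("eth3",)),
    }
    for title, kw in cases.items():
        vrrp, box = scenario(**kw)
        print(f"{title}\n  per-interface: {vrrp}  split={is_split(vrrp)}"
              f"\n  whole-box:     {box}  split={is_split(box)}")
```

Two things fall out of running it. With a single failure, the delta only pulls the whole box over if it is larger than the priority gap between the members (delta 20 against a gap of 10 moves all three VIPs to fw-b; delta 5 leaves fw-a master on eth1 and eth3 while fw-b takes eth2). With one failure on each member, the per-segment election splits the VIPs whatever the delta, because on eth2 and eth3 only one member is a candidate, while the whole-box rule keeps them together.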

Post #11 (jflemingeds)

    OK, I can't stand it any longer. As someone who watched the series, read all the books, got no-more-books depression, then watched all the series again and then got no-more-series depression, I feel I have to correct something here.

    VRRP is CLEARLY Ned Stark. It's a simple protocol, it does its job well and doesn't require knowing a damn thing about multicast/IGMP/IGMP snooping to make work, thanks to its use of the local subnetwork range (224.0.0.0/24). And yeah, if you tell it to ignore the firewall state it won't care what the state of the packet filter is or critical processes. Just like Ned Stark would! It's also clearly going to die, and there will be bloodshed when it does, as there are large groups of people that like Ned Stark for clustering.

    Winter clustering is coming!

    Now...

    ClusterXL is without a doubt a Lannister. ClusterXLannister. It's just meant to be. Sure, it does some really... ehem... unethical things, but it's also the ruler of the Checkpointeros, like it or not.

Post #12 (ShadowPeak.com)

    Quote Originally Posted by jflemingeds (post #11 above)
    And it goes without saying that Check Point's biggest competitor is the White Walkers (or "Others" for the book purists). Animating wight armies of customers beyond the (fire)Wall with their chilly blue boxes... Winter is coming indeed...

    StoneBeat is Stannis Baratheon. Nokia was Robb Stark, betrayed by the Lannisters with their ClusterXL...

    Come on now, we can keep this going! I smell an opportunity for a new book...
    Last edited by ShadowPeak.com; 2015-09-01 at 12:38.
