CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Full HA or distributed

  1. #1
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    54
    Rep Power
    4

    Full HA or distributed

    Hi Check Point experts

    Planning to do HA ClusterXL Active/Standby between two 5400s.


    I saw that there are two options:

    Full HA (between two standalone devices) and HA with the management server on a different machine.

    Which one do you recommend? How about the license for the management server for the full HA?

    My opinion is to go with the distributed one and put the management server on an ESXi machine on the Trust side.


    Topology

    Internet >> Check Point 5400 >> Trust
    |
    DMZ


    Thank you.

  2. #2
    Join Date
    2014-09-02
    Posts
    357
    Rep Power
    10

    Re: Full HA or distributed

    That's actually a pretty easy one - distribute management on a VM as you said. This is hands-down the recommended way to go. While "Full HA" is listed as being supported up through the previous generation (I don't see mention of it being supported on the latest, like your 5400s), it's never really been a great idea. Back in the day (yes, I just used that phrase) "Full HA" wasn't supported at all. As I always saw it, Full HA was introduced as a supported feature along with the first generation of Check Point appliances, primarily as a marketing/sales tactic to reduce the number of appliances that one had to purchase.

    Standalone gateways in general are only really recommended when absolutely necessary. Usually, distributing the deployment allows greater flexibility when maintaining/upgrading, and gives better performance. One very important factor that's often overlooked is that the performance/specs on your 5400s are based on gateway-only functionality. Dedicating resources to management functions will have a noticeable impact. I've seen more than a few cases where a client had a UTM-1 130 or 270, which was properly sized, but improperly tasked with management responsibilities (by someone else, of course). Separating management would breathe new life into them. Of course, the specs of the newer boxes give a bit more overhead, but R80 will also consume a bunch more of it, especially for management.

    Of course, you mentioned one important caveat: licensing. If all you've purchased is 5400 appliances, you don't have licensing for anything but standalone. Running distributed will require either an Open Server SMS license, or a Smart-1 appliance. Unless I'm missing some information, this is how your deployment/purchase should have been architected in the first place.

    Anyone agree or disagree?

    -E
    Last edited by EricAnderson; 2017-01-02 at 00:32.

  3. #3
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Re: Full HA or distributed

    Full HA should still be supported on all Check Point appliances that support local management *except* for the SMB appliances (600/700/1100/1200R/1400 series).
    That said, I always recommend running the management on a separate system from your firewall for the reasons EricAnderson said.
    The main reason people don't is cost, as it requires a separate management license.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  4. #4
    Join Date
    2016-09-13
    Location
    Japan
    Posts
    54
    Rep Power
    4

    Re: Full HA or distributed

    Thanks guys

    Simulated the following topology in VMware Workstation.
    SIC through Trust, it works.


    Topology

    Internet >> Check Point 5400 New HA Active/Standby >> Cisco L3 switch >> Trust (management server here)
    |
    DMZ

    BTW:
    Do you recommend Active/Active HA (multicast or unicast) instead of Active/Standby even if it is not an asymmetric routing environment?

    Thanks.

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Re: Full HA or distributed

    Active/Active is more trouble than it's worth most of the time. Just keep it on Active/Standby.

  6. #6
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Re: Full HA or distributed

    Full HA will bring you some issues when migrating to distributed later on. So distributed, keep FW cluster in HA.



    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
