CPUG: The Check Point User Group


Thread: High Availability OPTIONS

  1. #1: High Availability OPTIONS

    Hello,

    I have two sites 3 miles apart. Both have a 100MB internet pipe that terminates on my Checkpoint Firewall. I have DMZ services running at both sites, but my two firewalls are running as standalone devices. I am just looking for advice on what approach to take (if any) for a highly available solution so I can have the DMZ services load balanced across both sites.

    I have bought two load balancers but don't see how they can handle source-based NAT for incoming or outgoing traffic.

    I did think about VRRP on the Checkpoints but again I'm not sure if this is a good idea.

    Has anyone successfully implemented this project? I am just looking for a nudge in the right direction.

    My Checkpoints are R77.30 and 4400's with a 3050 Mgr.

    thanks
    Kevin

  2. #2: Re: High Availability OPTIONS

    >>> I did think about VRRP on the Checkpoints but again not sure if this is a good idea

    VRRP

    Pros:

    1. Single virtual MAC floats between cluster members, depending on which is Master; By Default.

    2. Doesn't care about CoreXL or other physical differences between cluster members.

    Cons:

    1. Decision is per interface. Am I master or backup, one interface at a time; potential for split brain.

    2. No Health checking of the cluster peer(s).

    3. If same VRRP ID is used on all interfaces, potential to confuse switch when multiple firewall interfaces connected to same switch; multiple VLANs using same VRRP MAC.

    4. Default VRRP MAC is still affected by IGMP, same as ClusterXL CCP multicast mode. VRRP hello packets are transmitted using the VRRP MAC as the destination.

    5. Only the Master node transmits Hello packets. No status of backup cluster member; VRRP interfaces must be monitored individually to discern if a layer 2 connectivity problem exists on one or more interfaces.

    Cluster XL

    Pros:

    1. Health checks peer on every physical interface

    2. Unified interface failover; no chance of split brain

    3. Monitors policy, daemons etc.

    Cons:

    1. Magic Numbers (ClusterXL CCP source MACs) have to be adjusted manually when multiple clusters share a VLAN/subnet, or risk instability.

    2. HA New mode uses physical MAC of Active member, by default (VMAC mode now enabled via R76 SmartDashboard [R76 GAIA only]).

    >>> looking for advice on what approach to take (if any) for a High Available solution so i can have the dmz services loadbalanced across both sites.

    GSLB

    https://www.eukhost.com/kb/global-se...oad-balancing/
    https://wiki.appnexus.com/display/do...Load+Balancing
    https://answers.uillinois.edu/illino...e.php?id=49950

    What load balancers do you have?
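A toy model of the split-brain point made above (VRRP electing a master one interface at a time, versus ClusterXL health-checking every interface and failing over the whole member), added here as an illustration and not code from the thread or from Check Point; the member names, priorities and the single-link failure scenario are constructed.

```python
# Added example, not from the thread: toy model contrasting VRRP's
# per-interface master election with ClusterXL's unified failover.
# Member names, priorities and the failure scenario are constructed.
from dataclasses import dataclass, field

@dataclass
class Member:
    name: str
    priority: int                      # higher wins, as in VRRP
    links: dict = field(default_factory=dict)  # interface -> link is up?

def vrrp_masters(members):
    """VRRP: every interface elects its own master among the members
    whose link on that interface is up (highest priority wins)."""
    result = {}
    for iface in members[0].links:
        alive = [m for m in members if m.links[iface]]
        result[iface] = max(alive, key=lambda m: m.priority).name if alive else None
    return result

def clusterxl_active(members):
    """ClusterXL (toy): a member is eligible only if every monitored
    interface is up; the best eligible member carries all interfaces,
    so failover is all-or-nothing and no interface is left behind."""
    healthy = [m for m in members if all(m.links.values())]
    if not healthy:
        return None
    return max(healthy, key=lambda m: m.priority).name

def is_split_brain(owners):
    """True when different interfaces are mastered by different members."""
    names = {o for o in owners.values() if o is not None}
    return len(names) > 1

def scenario():
    # Constructed scenario: fw-a is preferred, but its DMZ link goes down
    # while its external link stays up.
    a = Member("fw-a", 200, {"external": True, "dmz": False})
    b = Member("fw-b", 100, {"external": True, "dmz": True})
    members = [a, b]
    vrrp = vrrp_masters(members)
    return {
        "vrrp": vrrp,                                   # master per interface
        "vrrp_split_brain": is_split_brain(vrrp),       # True: traffic splits
        "clusterxl_active": clusterxl_active(members),  # whole member fails over
    }

if __name__ == "__main__":
    print(scenario())
```

In the constructed case VRRP leaves fw-a master on the external interface and fw-b master on the DMZ, which is exactly the per-interface split described in con 1; the ClusterXL model moves every interface to fw-b.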

  3. #3: Re: High Availability OPTIONS

    First thing we need to know is what connectivity (if any) there is between the two locations in terms of link and bandwidth.

    I see that there are 100Mb Internet feeds to each location, but what is there between the two locations? If doing HA on the firewalls then you would need some link so that the traffic can get between the two cluster members.

    Not only would you have the Synch Traffic and the VRRP/ClusterXL but also would need to span the networks across the two sites.
    Last edited by mcnallym; 2017-02-17 at 06:05.

  4. #4: Re: High Availability OPTIONS

    I have a 100MB dedicated fibre running between the two datacentres. I have Layer 2 connectivity between both firewalls.

  5. #5: Re: High Availability OPTIONS

    Quote Originally Posted by Tsubasa View Post
    [...]
    What load balancers do you have?
    KEMP 3400. I am starting to think they are very limited though. I am testing with them but don't trust them to go into production.
