redundancy Between clustered gateway

**araishee** · 2017-11-14

HI
i have 4 checkpoint firewall ( 5600 ) two will be deployed in the data center, and the other two will be deployed in disaster recovery site , we will be using clusterxl between each pair (DC-DR), both clusters will be having layer 2 line using OTV Cisco (overlay tunneling protocol) to serve our DMZ servers hosted on two ESXI server blade located on our data center and disaster recovery site , i was wondering are there any way to perform FHRP such as VRRP or HSRP between the two clusters (DC-DR) to add clusters redundancy .

**Bob_Zimmerman** · 2017-11-14

Originally Posted by araishee

HI
i have 4 checkpoint firewall ( 5600 ) two will be deployed in the data center, and the other two will be deployed in disaster recovery site , we will be using clusterxl between each pair (DC-DR), both clusters will be having layer 2 line using OTV Cisco (overlay tunneling protocol) to serve our DMZ servers hosted on two ESXI server blade located on our data center and disaster recovery site , i was wondering are there any way to perform FHRP such as VRRP or HSRP between the two clusters (DC-DR) to add clusters redundancy .

It is technically possible to sync geographically-distributed clusters. I cannot recommend doing this.

What classes of failure are you trying to guard against? There are probably better ways to solve those problems.

**araishee** · 2017-11-14

what actually i'm trying to do is making the process of shifting my DMZ servers to DR site much more seamless and automated , by simply bringing down the inside interface of the cluster gateway on data center so the cluster on DR site can take over.

**Bob_Zimmerman** · 2017-11-14

Originally Posted by araishee

what actually i'm trying to do is making the process of shifting my DMZ servers to DR site much more seamless and automated , by simply bringing down the inside interface of the cluster gateway on data center so the cluster on DR site can take over.

So you want to do whole-site failover?

I typically do that by advertising the same network block from both sites with BGP, then stopping advertisement from a site when I want to take it down. You don't get stateful failover, but with how long Internet reconvergence takes, you wouldn't be likely to get that anyway.