CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E


Results 1 to 2 of 2

Thread: Checkpoint VSX cluster in HA

  1. #1
    Join Date
    Rep Power

    Default Checkpoint VSX cluster in HA

    Hey Guys,

    This is a general question in regards to VSX deployment with VSLS versus VSX deployment with HA.

    If I have VSX deployed in a cluster of 4 gateways running in HA mode,would there be 1 member holding all the active VSI's, and the other three members in the Standby state? Will the other three members be in an actual standby state actively receiving Sync traffic?

    This is noted in the admin guide for R80.10:

    When the convert_cluster command finishes, there should be only one active member on which all Virtual Systems are in the active state, and one standby member on which all Virtual Devices are in the standby state. Any additional members should be in standby mode and their Virtual Devices in the down state.

    This makes me think that there is only really one standby gateway in a cluster that consists of more than 2 gateways.

  2. #2
    Join Date
    DFW, TX
    Rep Power

    Default Re: Checkpoint VSX cluster in HA

    Typically, you will get one active, one standby, and any other members become "backup". To the best of my knowledge, backup members don't sync. When the active member fails, the standby replaces it immediately. When there is an active member and no standby (including if the active member failed and the standby replaced it), a backup member is selected to become standby, and a full sync is performed with that member.

    The only difference between HA and VSLS is the distribution of active contexts. In HA, all active contexts are on one physical member. With VSLS, they (and the standby and any backup contexts) are distributed between the members, vaguely round-robin:

    Virtual Devices Status on each Cluster Member
     ID    | Weight| Chicago-Co| Chicago-Co| Chicago-Co
           |       | rp-VSX-1  | rp-VSX-2  | rp-VSX-3  
           |       | [local]   |           |           
     2     | 10    | Active    | Standby   | Backup
     3     | 10    | Backup    | Active    | Standby
     4     | 10    | Standby   | Backup    | Active
     5     | 10    | Active    | Standby   | Backup
     6     | 10    | Backup    | Active    | Standby
     7     | 10    | Standby   | Backup    | Active
     8     | 10    | Active    | Standby   | Backup
     9     | 10    | Backup    | Active    | Standby
     10    | 10    | Standby   | Backup    | Active

Similar Threads

  1. VPN From Checkpoint R75.40 Cluster
    By Gingerwerewolf in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 5
    Last Post: 2014-07-01, 03:32
  2. On What Conditions the Checkpoint Cluster will go down
    By Kevin_27 in forum Management High Availability
    Replies: 1
    Last Post: 2012-05-30, 12:25
  3. cluster checkpoint ip 397
    By duyen in forum Check Point IP Appliances and IPSO (Formerly Sold By Nokia)
    Replies: 0
    Last Post: 2011-12-05, 09:15
  4. Problem with CheckPoint cluster
    By pawel73 in forum Clustering (Security Gateway HA and ClusterXL)
    Replies: 3
    Last Post: 2011-05-12, 12:22
  5. Secure OWA with Checkpoint FW1 Cluster
    By ppayne in forum Clustering (Security Gateway HA and ClusterXL)
    Replies: 4
    Last Post: 2008-08-12, 13:35


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts