CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Load balancing capabilities?

  1. #1
    Join Date
    2015-06-04
    Posts
    14
    Rep Power
    0

    Default Load balancing capabilities?

    Hi all,

    I'm running a 12600 with all the blades licensed, just wondering if there are any basic load balancing abilities? I just really want the ability to have a 1:2 NAT with 50/50 load sharing between the two internal IP addresses. Is there any way to do this on the CP without having to get another device in to do this?

    Regards

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    253
    Rep Power
    12

    Default Re: Load balancing capabilities?

    Check out the documentation on "Logical Server" objects. They have an IP address, a server group, a persistency mode, and a balancing method. They are still possible to create in R80.10, but I don't know how widely used they are. Less-widely-used features can break without anyone immediately noticing.
    Zimmie

  3. #3
    Join Date
    2015-06-04
    Posts
    14
    Rep Power
    0

    Default Re: Load balancing capabilities?

    Quote: Originally posted by Bob_Zimmerman
    Check out the documentation on "Logical Server" objects. They have an IP address, a server group, a persistency mode, and a balancing method. They are still possible to create in R80.10, but I don't know how widely used they are. Less-widely-used features can break without anyone immediately noticing.
    Thank you! Exactly what I was looking for.

  4. #4
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,492
    Rep Power
    15

    Default Re: Load balancing capabilities?

    Pay attention to those caveats though: you're using a feature that goes back a very long way, and is little-used.

    You're better off using a proper load-balancer (ADC). There are free options these days, you don't have to buy F5 if you have simple needs.
    Last edited by northlandboy; 2018-05-14 at 14:46. Reason: minor grammar fix

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    253
    Rep Power
    12

    Default Re: Load balancing capabilities?

    It might be little-used, or it could be that the users don't have problems with it, so we never hear about it. The biggest limitation is Logical Server objects don't do any sort of health checking. They also can't terminate TLS, but that is a slightly less common concern.

    Even for complex needs, I would recommend trying a pair of OpenBSD boxes in a CARP cluster running relayd. Use rsync to synchronize the config files for pf and relayd and any certificates, then pfsync to sync the internal state. It takes a bit of existing knowledge to set up quickly, but it's free, extremely secure (I mean, it's OpenBSD), and it performs decently.
    Zimmie
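
The relayd setup suggested in the post above, sketched as an added example (not the poster's own configuration): a layer-3 redirect that spreads connections evenly across two internal servers and, unlike a Logical Server object, removes a server from rotation when its health check fails. The addresses are constructed documentation addresses and the macro, table and redirect names are hypothetical.

```conf
# /etc/relayd.conf -- added example; all addresses are constructed
# (RFC 5737 documentation ranges) and all names are hypothetical.

# Address clients connect to. In a CARP pair this would be the shared
# virtual address, so whichever node is master answers for it.
ext_addr = "203.0.113.10"

# The two internal servers from the original question.
srv1 = "192.0.2.11"
srv2 = "192.0.2.12"

# Probe every 10 seconds; a probe fails after 500 ms without an answer.
interval 10
timeout 500

# Record up/down transitions in syslog so a failed backend is visible.
log state changes

table <backends> { $srv1 $srv2 }

# A redirect is implemented as pf rdr-to rules that relayd loads into
# the "relayd/*" anchor, so traffic is not proxied in userland.
redirect "www" {
        listen on $ext_addr port 80

        # roundrobin alternates new connections between the hosts that
        # are currently up (50/50 with two healthy servers).
        # "check tcp" marks a host down when a TCP connect to the
        # service port fails and stops sending traffic to it.
        forward to <backends> port 80 mode roundrobin check tcp
}

# /etc/pf.conf must contain the anchor relayd writes its rules into:
#   anchor "relayd/*"
```

`relayd -n` parses the file and reports syntax errors without starting the daemon, and `relayctl show summary` lists each backend with its current up/down state.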

  6. #6
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,492
    Rep Power
    15

    Default Re: Load balancing capabilities?

    Quote: Originally posted by Bob_Zimmerman
    It might be little-used, or it could be that the users don't have problems with it, so we never hear about it.
    I don't think I've ever seen it used outside the classroom in all the CP shops that I've worked in. Those have tended to be bigger places though, the sort that could invest in dedicated load balancers.

    Depending on the service, I would probably just use haproxy instead, but each to their own, according to internal preferences & capabilities.

  7. #7
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,480
    Rep Power
    16

    Default Re: Load balancing capabilities?

    Quote: Originally posted by Bob_Zimmerman
    Check out the documentation on "Logical Server" objects. They have an IP address, a server group, a persistency mode, and a balancing method. They are still possible to create in R80.10, but I don't know how widely used they are.
    vSEC/CloudGuard makes use of these objects, actually.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  8. #8
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    253
    Rep Power
    12

    Default Re: Load balancing capabilities?

    The biggest reason I like relayd is the OpenBSD team audits their code extensively. Their response to CVE-2014-0160 is an excellent example of this. Also, they're the same team which gave the world OpenSSH.

    HAProxy definitely isn't a bad option, I just don't think its developers are as thoroughly security-focused.
    Zimmie
