CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Mixing different hardware in a cluster

  1. #1
    Join Date
    2014-11-23
    Posts
    50
    Rep Power
    6

    Mixing different hardware in a cluster

    Hi. Does anyone know of any documentation which shows whether or not Check Point supports using different HARDWARE in the same firewall cluster (GAIA R80.20)?
    We have a cluster of 4 firewalls which are running on Dell 710 open servers. We want to replace them with Dell 740 open servers but we would rather not do it in a big bang approach but instead introduce the new Dell 740 servers one at a time into the cluster replacing the old Dell 710 servers.
    Many thanks

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    323
    Rep Power
    14

    Re: Mixing different hardware in a cluster

    I don't know about documentation, but I know it works. You need the same CoreXL and SecureXL config on all members.

    Same version down to the patch level is a good idea, but you can force cross-version sync if you're particularly unaverse to risk.
    Zimmie

  3. #3
    Join Date
    2014-11-23
    Posts
    50
    Rep Power
    6

    Re: Mixing different hardware in a cluster

    That's what I hoped, many thanks for your help :)

  4. #4
    Join Date
    2014-09-02
    Posts
    359
    Rep Power
    10

    Re: Mixing different hardware in a cluster

    Key word in your initial question is "supports". CP will tell you that ClusterXL requires identical appliances and could possibly deny support in your case (but likely would only do so if they truly thought it was causing the problem).

    In reality, the key issue is that all members need to have the same number of cores. If the active member has 16 cores, for example, it won't be able to sync its kernels to a box with only 4. If the new/standby box has more, it's possible that things would work out OK, but things can get unpredictable and therefore are not supported.

    Of course, you should also be careful with things like RAM, interface names, and more, but core count has long been the big sticking point.

    -E

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    323
    Rep Power
    14

    Re: Mixing different hardware in a cluster

    Originally posted by EricAnderson:
    > In reality, the key issue is that all members need to have the same number of cores. If the active member has 16 cores, for example, it won't be able to sync its kernels to a box with only 4. If the new/standby box has more, it's possible that things would work out OK, but things can get unpredictable and therefore are not supported.

    It's more the CoreXL config. Last I tested, you can use a 16-core box to replace a 4-core box in a cluster as long as you change the new one from the default CoreXL config to be the same as the previous one. Once you have the whole cluster replaced, you can update the CoreXL config on the standby member to better use all the available cores, and take your outage then.

    While you still have to take an outage to get full benefit of the new hardware, I find this method useful. It lets you make changes with more distinct steps (providing stopping points if needed) and easier rollback of any individual step.

    Originally posted by EricAnderson:
    > Key word in your initial question is "supports". CP will tell you that ClusterXL requires identical appliances and could possibly deny support in your case (but likely would only do so if they truly thought it was causing the problem).

    Yeah, "supports" is complicated. The product colloquially known as "Check Point" technologically supports it in that it will work. At a customer service level, Check Point the company may not provide support for it in that they may not help if it goes wrong.

    I know the TAC has helped with clusters like this in the past, but I also know somebody just tried to deny support on a ticket about IPS update problems because I had a Smart-1 5 in my environment some time in the past, and it was past its hardware end-of-life. Beyond the fact that IPS updates are clearly a software problem, the management giving me trouble was a CMA which isn't even running on Check Point-branded hardware. Their decisions on supportability are often arbitrary and mercurial.
    Zimmie
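
A pre-join check for the staged replacement described in this thread, as an added example that is not part of the original posts or of Check Point's own tooling: it compares CoreXL firewall instance counts between members from saved `fw ctl multik stat` output. The table layout it parses, the sample captures and the file names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Count CoreXL firewall instances in a saved `fw ctl multik stat` capture.
# Assumed layout: a header row, a dashed rule, then one row per instance,
# "ID | Active | CPU | Connections | Peak".
corexl_instances() {
    awk -F'|' '
        $1 ~ /^[ \t]*[0-9]+[ \t]*$/ { n++ }   # instance rows start with a numeric ID
        END { print n + 0 }
    ' "$1"
}

# Compare every capture against the first one (the reference member).
# Prints one line per member; returns 0 only if all instance counts match.
compare_members() {
    ref_file=$1
    ref=$(corexl_instances "$ref_file")
    rc=0
    for f in "$@"; do
        n=$(corexl_instances "$f")
        if [ "$n" -eq "$ref" ]; then
            echo "OK       $f: $n instances"
        else
            echo "MISMATCH $f: $n instances (reference $ref_file has $ref)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: emit a capture with $1 instances in the assumed layout.
sample_capture() {
    echo "ID | Active  | CPU    | Connections | Peak"
    echo "----------------------------------------------"
    i=0
    while [ "$i" -lt "$1" ]; do
        printf ' %d | Yes     | %d      |          10 |       18\n' "$i" "$(( $1 - i ))"
        i=$((i + 1))
    done
}

# Demo with constructed counts: existing member, new box as installed, new box after matching.
tmp=$(mktemp -d)
sample_capture 3  > "$tmp/old-member.txt"
sample_capture 14 > "$tmp/new-default.txt"
sample_capture 3  > "$tmp/new-matched.txt"
compare_members "$tmp/old-member.txt" "$tmp/new-default.txt" "$tmp/new-matched.txt" \
    || echo "CoreXL instance counts differ: align the new member before adding it to the cluster"
```

The check covers instance count only; SecureXL state and interface naming, which the posts also mention, still need to be compared separately.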
