topic Re: Checkpoint Azure setup- Difference over VSRX in Cloud Firewall

Checkpoint Azure setup- Difference over VSRX

a_security — Mon, 23 Nov 2020 22:25:43 GMT

Hello Team,

We have a customer who is looking for a VPN Solution - both Site to Site IPSEC and for Remote Users( Client vpn)

They are evaluating Vsrx and cloudguard .

Does anyone provide the Differences . I know VSRX does not provide High Availability . But Checkpoint solution does.

But What is the real benefit of HA over Autoscaling ?

I know Juniper has no Remote VPN Solution which is a strong point for Checkpoint in this case .

If someone has Battlecard , please provide

Re: Checkpoint Azure setup- Difference over VSRX

PhoneBoy — Tue, 24 Nov 2020 00:38:20 GMT

Autoscaling is about creating more resources as needed to handle the demand/load.
High Availability has active/standby nodes and is meant for availability only (not necessarily to handle more load).
We do have an autoscaling Remote Access solution also (at least in Azure): https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=108408

Re: Checkpoint Azure setup- Difference over VSRX

a_security — Tue, 24 Nov 2020 08:10:32 GMT

Hi @PhoneBoy Thanks

What i am trying to say here is - how much time it takes to failover if we go for HA ? I have read in various forums that it takes 3-4 minutes . So this mean it is not a stateful failover ?

And Autoscaling also takes approx same time ; so is there a benefit of using HA ?

Also does the HA Solution support both Site to Site VPN and Client to Site VPN ?

or Autoscaling is the only option for Client to site ?

Re: Checkpoint Azure setup- Difference over VSRX

PhoneBoy — Tue, 24 Nov 2020 18:33:41 GMT

For HA, the issue isn't with the lack of state, it's an issue with the amount of time it takes for the various APIs to respond and affect traffic flow.
For Autoscaling, there is no synchronization taking place, but it might take that long to recognize a particular node in the VMSS "failed" and route around/restart it.

HA works with Client-to-Site VPN and Site-to-Site VPN.
Autoscaling doesn't support Site-to-Site VPN.

Re: Checkpoint Azure setup- Difference over VSRX

a_security — Tue, 24 Nov 2020 18:56:40 GMT

Thanks a lot @PhoneBoy : Glad to have you here to answer and clearing all the doubts . I have seen all other posts and you have been awsome .

Last thing , this means if API take time to respond , it will be an issue and we will never have stateful failover ?

and if it recognize quickly like 15-20 seconds , state synchronisation takes place ?

Kindly clarify these 2 points please

Re: Checkpoint Azure setup- Difference over VSRX

a_security — Tue, 24 Nov 2020 19:16:36 GMT

This means if API takes time - it will be a stateless failover or no failover at all ?

Re: Checkpoint Azure setup- Difference over VSRX

PhoneBoy — Tue, 24 Nov 2020 19:32:37 GMT

The cluster synchronization process happens between the two gateways continuously.
There are some limitations to what is synced, but nothing specific to operating in public cloud here.

In a regular, physical environment, gateways can affect failover themselves by changing who responds to a given MAC address.
Public Cloud does not operate on this premise and requires API calls to the relevant cloud provider to effectively move the traffic flow from one gateway to the other.
The timing of responding/reacting to these API calls can vary and is not in our control.
However, when the failover is affected, the gateways will be in sync.