topic HA Failover Issues in Cloud Firewall

HA Failover Issues

Kevin_Werner — Thu, 24 May 2018 15:35:45 GMT

I just deployed a new Check Point Azure HA instance following sk110194 and deploying the HA template referenced therein. I'm having several issues with failover (namely, route tables do not update), but believe I am missing something in the documentation. Some of the confusion I'm having with the sk:

1.) It only mentions creating a cluster VIP for the eth0 (external) interface, but the sk makes several allusions to having a clustered internal interface. I'm wondering if I need to change the eth1 (internal) interface from sync to a "Cluster + Sync" interface like it has me do for the external interface. If i do need to implement a cluster vip for the internal interface, in the routing tables, should I then manually just point all traffic that is current set to go to firewall 1's eth1 to now go to the cluster VIP IP? I've been operating off of the assuming that the failover script would manually point the traffic from firewall 1's eth1 to firewall 2's eth1 upon failover, but can see a scenario where this could be handled by a VIP.

2.) Load balancers were removed from the most recent version of the CloudGuard deployment template, but will I need one in order to get failover to function correctly? The sk makes reference to setting up a load balancer, but doesn't provide any details that I can find.

Thanks for any help you can give,

Kevin

Re: HA Failover Issues

Nikhil_Deshmukh — Thu, 24 May 2018 16:41:07 GMT

Hi Kevin Werner,

Have recently deployed Check Point CloudGuard solution on Azure in April 2018. At that time there was no Internal VIP provide.

But i can see the sk was recently updated with new features provided on CloudGuard Cluster and mentions about the VIP on the Internal side.

(Assuming) I would say you to do the same config in Cluster object that is there for eth0 "Cluster + Sync" for eth1 also.

And point the route from Backend / Server subnets to this Internal VIP. On fail-over, API calling will move Internal VIP from eth1 of GW1 to eth1 of GW2. Then there would not be any requirement to update the Route Tables.

Also about Load Balancers:- They are needed when you want to Publish Web Services (Web page / Application running on any Server) over the Internet. Detach Static Public IP from Servers(Web Server / Application) if any and move them to Load Balancer then create Inbound NAT Rules on Load Balancer and do related configuration on Check Point (refer sk).

Hope this information was helpful.

Re: HA Failover Issues

Kevin_Werner — Thu, 24 May 2018 16:44:10 GMT

Perfect, thanks Nikhil, I'll give it a whirl