https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/143975#M22385 <P>Hi.&nbsp; Ive got the opportunity to replace an old existing appliance cluster with another new appliance cluster (way faster hardware).&nbsp; The old cluster has a configuration that looks like this:</P><P>&nbsp;</P><P>fw1</P><P>bond1 on switch 1 -&gt; internal vlans, cluster sync vlans</P><P>bond2 on switch 1 -&gt; external vlans/interfaces</P><P>&nbsp;</P><P>fw2</P><P>bond1 on switch 2 -&gt; internal vlans, cluster sync vlans</P><P>bond2 on switch 2 -&gt; external vlans/interfaces</P><P>&nbsp;</P><P>Performance has been fine and we dont come close to saturating a gig.&nbsp; The load on this cluster is low and the projected growth of the traffic in the next few years is low as well.&nbsp; Anyone have suggestions on a different design or am I good?</P> Wed, 16 Mar 2022 19:40:56 GMT PIAndre 2022-03-16T19:40:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/143975#M22385 <P>Hi.&nbsp; Ive got the opportunity to replace an old existing appliance cluster with another new appliance cluster (way faster hardware).&nbsp; The old cluster has a configuration that looks like this:</P><P>&nbsp;</P><P>fw1</P><P>bond1 on switch 1 -&gt; internal vlans, cluster sync vlans</P><P>bond2 on switch 1 -&gt; external vlans/interfaces</P><P>&nbsp;</P><P>fw2</P><P>bond1 on switch 2 -&gt; internal vlans, cluster sync vlans</P><P>bond2 on switch 2 -&gt; external vlans/interfaces</P><P>&nbsp;</P><P>Performance has been fine and we dont come close to saturating a gig.&nbsp; The load on this cluster is low and the projected growth of the traffic in the next few years is low as well.&nbsp; Anyone have suggestions on a different design or am I good?</P> Wed, 16 Mar 2022 19:40:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/143975#M22385 PIAndre 2022-03-16T19:40:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144029#M22391 <P>Different design would depend partly on the switch capabilities, are they fully independent or clustered / stacked in some way?</P> <P>Most importantly it comes down to requirements... maybe Sync / DMZ on separate ports etc but would depend on hardware constraints.</P> Fri, 18 Mar 2022 14:08:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144029#M22391 Chris_Atkinson 2022-03-18T14:08:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144084#M22403 <P>Its a modern switch stack.&nbsp; If there arent any issues with how the old cluster is configured I guess Ill continue to do the same thing.</P> Thu, 17 Mar 2022 16:26:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144084#M22403 PIAndre 2022-03-17T16:26:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144090#M22404 <P>So long as you are using multiple bonds in a cluster, I'd recommend keeping Sync on a separate one, if there are ports available on a switch stack to accommodate it. That said, I am prone to over-engineering for redundancy to cover even for low-probability events.</P> Thu, 17 Mar 2022 17:39:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144090#M22404 Vladimir 2022-03-17T17:39:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144123#M22410 <P>Do you want things deterministic i.e. switch 1 fails then firewall 1 fails ?&nbsp;</P> <P>Otherwise some might mesh the bond slaves to try and protect against switch failure.</P> Thu, 17 Mar 2022 23:19:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144123#M22410 Chris_Atkinson 2022-03-17T23:19:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144138#M22414 <P>fully agree, also our preferred setup:</P> <P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/Working-with-VLANs-in-Cluster.htm" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/Working-with-VLANs-in-Cluster.htm</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="2">fw1</FONT></P> <P><FONT size="2">bond1 on switch 1 -&gt; internal vlans</FONT></P> <P><FONT size="2">bond2 on switch 1 -&gt; external vlans/interfaces</FONT></P> <P><FONT size="2">bond3 -&gt;&nbsp;cluster sync vlan</FONT></P> <P>&nbsp;</P> <P><FONT size="2">fw2</FONT></P> <P><FONT size="2">bond1 on switch 2 -&gt; internal vlans</FONT></P> <P><FONT size="2">bond2 on switch 2 -&gt; external vlans/interfaces</FONT></P> <P><FONT size="2">bond3 -&gt;&nbsp;cluster sync vlan</FONT></P> <P>&nbsp;</P> <P>Best regards</P> Fri, 18 Mar 2022 09:01:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Firewall-cluster-interface-design-question/m-p/144138#M22414 S_E_ 2022-03-18T09:01:51Z