https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207764#M39338 <P>This seems like a lot of effort for a topology which is unlikely to ever work very well.</P> <P>You can use a ClusterXL cluster object for a cluster without state sync. Under the ClusterXL and VRRP section, uncheck Use State Synchronization. I <EM>think</EM> High Availability &gt; VRRP should make all cluster members effectively active, so they'll process whatever traffic is sent to them. You could use Active-Active clustering, but it has some topology concerns.</P> <P>You might need to tweak the cluster monitoring config to get it to stop the members from trying to talk to each other on their clustered interfaces.</P> <P>&nbsp;</P> <P>A multicast load sharing cluster is likely to work much better, and would actually be supported.</P> Mon, 04 Mar 2024 17:23:28 GMT Bob_Zimmerman 2024-03-04T17:23:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207203#M39154 <P>Hello All -</P> <P>I'm collecting data on various gateway architectures for customer for unique use case. </P> <P>General Requirements:</P> <OL> <LI>Large outbound traffic.</LI> <LI>No need for state and session failover (ie. clusterXL)</LI> <LI>Prefer full use of throughput for each gateway comprising "cluster".&nbsp;</LI> <LI>Potentially use more than 2x gateway devices for "cluster".&nbsp;&nbsp;</LI> <LI>Easy add/remove of devices (assume same make/model).</LI> </OL> <P>&nbsp;</P> <P>It's unclear if customer needs cost and associated technical training for Maestro.</P> <P>Customer does have existing relationship with Packet Broker vendor (example: &nbsp;&nbsp; Garland Technologies or Niagra Networks).</P> <P>The packet broker device would operate like a much-simplified Maestro controller.</P> <P>Questions:</P> <OL> <LI>Is there a way to treat N-number of CP gateway objects as ONE device for mgmt simplicity? &nbsp;&nbsp;&nbsp;&nbsp; Example: if we leverage ClusterXL and somehow turn OFF state and session sync, there is typically ONE layer2 MAC address owned by clusterXL service.&nbsp;&nbsp;</LI> <LI>I perceive we simply need to have N-number of separate CP gateway objects created -- all receiving same security policy.&nbsp;&nbsp; The "upstream" packet broker will be handling the inbound client connection, distribution to CP gateway, and persistence of connection based on various session properties.</LI> </OL> <P>&nbsp;</P> <P>Any obvious problems with this approach?&nbsp;&nbsp; Thanks -GA</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 26 Feb 2024 17:43:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207203#M39154 Garrett_DirSec 2024-02-26T17:43:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207607#M39308 <P>You may want to consider ElasticXL in R82, which gives you the single management object for up to 3 members.<BR />Scalability numbers haven't been published yet.</P> <P>Otherwise, you'll have to create N number of gateways and use a packet broker, as you've suggested.</P> Fri, 01 Mar 2024 21:41:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207607#M39308 PhoneBoy 2024-03-01T21:41:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207610#M39309 <P>Hello&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;-- thanks for your insight.&nbsp; &nbsp;very much appreciated!!&nbsp; &nbsp;&nbsp;</P> <P>Yes -- Elastic XL looks super interesting.&nbsp; &nbsp;Heiko has posted some very helpful information threads.&nbsp;</P> <P>posted here simply to benefit others ...&nbsp;</P> <P><A href="https://community.checkpoint.com/t5/General-Topics/R82-Install-ElasticXL-Cluster/m-p/206235#M34208" target="_blank" rel="noopener">ElasticXL - Installation&nbsp;</A></P> <P><A href="https://community.checkpoint.com/t5/General-Topics/R82-ElasticXL/m-p/192459#M32247" target="_blank" rel="noopener">ElasticXL - Overview</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 01 Mar 2024 21:56:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207610#M39309 Garrett_DirSec 2024-03-01T21:56:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207764#M39338 <P>This seems like a lot of effort for a topology which is unlikely to ever work very well.</P> <P>You can use a ClusterXL cluster object for a cluster without state sync. Under the ClusterXL and VRRP section, uncheck Use State Synchronization. I <EM>think</EM> High Availability &gt; VRRP should make all cluster members effectively active, so they'll process whatever traffic is sent to them. You could use Active-Active clustering, but it has some topology concerns.</P> <P>You might need to tweak the cluster monitoring config to get it to stop the members from trying to talk to each other on their clustered interfaces.</P> <P>&nbsp;</P> <P>A multicast load sharing cluster is likely to work much better, and would actually be supported.</P> Mon, 04 Mar 2024 17:23:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Configuration-Sync-Across-Gateways-Maestro-Light-using-3rd-party/m-p/207764#M39338 Bob_Zimmerman 2024-03-04T17:23:28Z