topic Re: Hardware Compatibility for Adding a gateway to Existing VSX Cluster. in Firewall and Security Management

Hardware Compatibility for Adding a gateway to Existing VSX Cluster.

rozkie20 — Mon, 23 Jun 2025 16:47:06 GMT

Hi Everyone,

My customer is currently running a Check Point 15400 cluster with VSX, and they are planning to add a new Check Point 9400 appliance to this cluster.

From my understanding, it is technically possible to add a different model to the cluster if we reduce the number of CPU cores on the 9400 to match the 15400, ensuring resource compatibility. However, I have some concerns regarding interface compatibility.

The existing 15400 appliances are using SFP+ port cards, while the new 9400 appliance only has the default 4 onboard ports (fiber). My question is:

If we want to integrate the 9400 into the current cluster, do we need to install a matching SFP+ port card on the 9400, so that VSX can properly recognize and sync the interfaces between members?

Any clarification or experience regarding this type of mixed-model VSX cluster deployment would be highly appreciated.

BR,

Re: Hardware Compatibility for Adding a gateway to Existing VSX Cluster.

G_W_Albrecht — Tue, 24 Jun 2025 11:21:54 GMT

I would suggest to contact CP TAC for this question - your customer relies on having a supported deployment, so this is necessary !

Re: Hardware Compatibility for Adding a gateway to Existing VSX Cluster.

Chris_Atkinson — Tue, 24 Jun 2025 12:06:00 GMT

This is not a "supported" configuration the ClusterXL admin guide documents that the hardware & software should be aligned between members. I would also advise against reducing core counts in a VSX environment.

Re: Hardware Compatibility for Adding a gateway to Existing VSX Cluster.

G_W_Albrecht — Tue, 24 Jun 2025 13:01:08 GMT

Also VSX Admin Guide tells us: A VSX Cluster has two or more identical, interconnected VSX Gateways for continuous data synchronization and transparent failover. (https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_VSX_AdminGuide/Content/Topics-VSXG/VSX-Clusters.htm?tocpath=VSX%20Architecture%20and%20Concepts%7C_____8)

Identical means that SW & HW is the same...

Re: Hardware Compatibility for Adding a gateway to Existing VSX Cluster.

PhoneBoy — Tue, 24 Jun 2025 15:24:50 GMT

Traditional clustering (either with ClusterXL or VSX) requires all cluster members to have identical hardware.
You might be able to make it work with unlike hardware, but it is not supported.

Note that we are planning to add support for cluster members of different hardware types in ElasticXL (requires R82).

Re: Hardware Compatibility for Adding a gateway to Existing VSX Cluster.

Bob_Zimmerman — Tue, 24 Jun 2025 17:10:58 GMT

Exactly this question was asked in another post at around the same time you posted. Are you both posting about the same environment?

It's possible to do this, but the 15400s and the 9400 won't be able to sync. There will be a hard outage when you move traffic from the 15400s to the 9400.

As I described in the other thread, I would recommend using vsx_util change_interfaces to replace all uses of eth[whatever] with bonds. Then in the future, swapping hardware becomes much easier, since the only prep work you need to do on a new member is building the bonds. You'll still have to take the outage when moving between non-identical boxes, but it should be relatively quick.