topic Re: Setting up ClusterXL in different DCs in Firewall and Security Management

Setting up ClusterXL in different DCs

Matlu — Fri, 05 Dec 2025 02:34:58 GMT

Hey everyone,

Is it possible to set up a ClusterXL when both members are going to be located in different geographically separated data centers?

My question is how this works in terms of IP addressing, knowing that both sites will have different ISPs and therefore different public IP address blocks.

In such an environment, is it possible to set up ClusterXL?

Because I assume that a VIP is needed for the external part, but in this scenario I have doubts about how the deployment would be done and whether it would actually be possible.

Thank you for your comments

Re: Setting up ClusterXL in different DCs

emmap — Fri, 05 Dec 2025 02:44:41 GMT

For best results, a ClusterXL cluster must share layer 2 spaces on every interface. So for situations like yours it's better to have a separate internet routing layer handle your two ISPs that can then integrate with the gateway cluster via a shared switching layer. This way internet failover is handled separately to firewall failover.

An alternative is the Active-Active option outlined in the ClusterXL admin guide, where all interfaces are independent layer 3 scenarios and traffic path selection is handled at a routing layer, which functionally means you need dynamic routing happening at every interface. There are limitations here outlined in the admin guide to take careful note of.

Re: Setting up ClusterXL in different DCs

the_rock — Fri, 05 Dec 2025 02:51:21 GMT

Sounds like this would apply?

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ClusterXL_AdminGuide/Content/Topics-CXLG/Example-of-cluster-IP-addresses-on-different-subnets.htm

Re: Setting up ClusterXL in different DCs

Matlu — Fri, 05 Dec 2025 03:04:59 GMT

So far, I only have the comment that both sites will use "dark fiber" for communication.
My question is about the public (external) interface.
I understand from your comment that for scenarios like this, it is better to have the deployment mode set to ACTIVE-ACTIVE and use a separate ROUTING layer?

Is there a practical example that could help me better understand this point?

Re: Setting up ClusterXL in different DCs

emmap — Fri, 05 Dec 2025 03:46:25 GMT

Active/Active isn't necessarily the better idea here, as it affects how every interface works. If you want it to be a more familiar layer 2 next hop redundancy situation then you're better off with the separated routing layer for the ISPs.

The way to think of the Active/Active situation is as if it is two entirely separate gateways that you want to manage with dynamic routing.

Re: Setting up ClusterXL in different DCs

Vincent_Bacher — Fri, 05 Dec 2025 11:02:43 GMT

As mentioned earlier, this is generally not a problem at all.
For example, in my hometown we operate a cluster across two data centers that are about 20 km apart.

The important requirement is (as already stated as well) to use stretched Layer-2 networks (stretched VLANs) so that the same VLAN IDs are available in both data centers.

In the sync VLAN, latency between both cluster nodes must remain below 100 ms to ensure reliable state/session synchronization.

Because a stretched VLAN is used, the internet routers also have an internal interface in the same VLAN.

We additionally run VSX with VSLS to distribute the virtual systems efficiently across both sites.

Everything else comes down to proper routing, both inside the LAN and towards the internet.

Re: Setting up ClusterXL in different DCs

Matlu — Fri, 05 Dec 2025 12:38:02 GMT

Hello,
So, does this involve VXLAN?
I understand that it does, at least to achieve L2 connectivity.

I understand that having two different ISPs at each site is not a problem?

We are not going to use VSX; we simply want to use the traditional ClusterXL modes but in geographically distant areas.

Re: Setting up ClusterXL in different DCs

Vincent_Bacher — Fri, 05 Dec 2025 13:39:26 GMT

tbh i dunno. As both DC are at same provider, this is a service provided by them and we don't have to care, which technology they use. For us, it's just "stretched VLAN" 🙂

Re: Setting up ClusterXL in different DCs

the_rock — Fri, 05 Dec 2025 14:08:59 GMT

I LOVE that term...stretched VLAN lol

Re: Setting up ClusterXL in different DCs

Vincent_Bacher — Fri, 05 Dec 2025 14:20:59 GMT

I don't even know if there's an “official” term for it, and frankly, I don't care. The provider has a name for it. And I didn't remember that either. 🤔

I could also call it a chewing gum VLAN or a rubber band VLAN. Whatever. 🤣

Re: Setting up ClusterXL in different DCs

the_rock — Fri, 05 Dec 2025 14:24:11 GMT

Copilot agrees 🙂

Re: Setting up ClusterXL in different DCs

the_rock — Sun, 07 Dec 2025 19:10:47 GMT

Hey brother,

Just for a context, though we provided best options, happen to have basic network diagram?