topic Re: prefer security /prefer connectivity in Firewall and Security Management

prefer security /prefer connectivity

umar7 — Tue, 13 Dec 2022 02:36:55 GMT

hello support,

may i know the scenario and what kind of scenario we can use prefer security ?

and what kind of scenario we can use prefer connectivity ? what are the benefits if we use both of the parameter?

Re: prefer security /prefer connectivity

the_rock — Tue, 13 Dec 2022 03:19:16 GMT

I assume you are referring to IPS blade setting on the gateway...there is an option there which is by default to prefer connectivity upon cluster failover even if IPS protections cant be guaranteed OR prefer security, which would close connections if IPS protections cant be guaranteed. Now, if you are speaking generally, it really depends who you ask. Of course, in todays world, more than ever before, security is way too important to overlook, but then if you think of connectivity, its literally something most companies require constantly. So, all in all, both are super important, but again, opinions might be split on this one.

Re: prefer security /prefer connectivity

umar7 — Tue, 13 Dec 2022 03:55:12 GMT

hello rock,

thanks for the update ,

correct me if i am wrong

if i select the prefer connectivity , during the failover it simply switch the connection to standby device it ensure there is no connectivity issue failover

if i select the prefer security , during the failover it simply drop the current connection it will not ensure the connectivity right

above i mentioned is correct rock ?

Re: prefer security /prefer connectivity

the_rock — Tue, 13 Dec 2022 04:03:12 GMT

I attached the screenshot for your reference, hope its helpful.

Andy

Re: prefer security /prefer connectivity

Chris_Atkinson — Tue, 13 Dec 2022 05:00:32 GMT

sk60160 provides some additional insight further to that provided by Andy.

Re: prefer security /prefer connectivity

the_rock — Tue, 13 Dec 2022 11:42:12 GMT

You sort of got it : - ). So for prefer connectivity, yes, thats correct, IF your cluster is fully functional, then when failover happens, it will work fine if that option is selected. Now, IF prefer security is selected, does not mean current connections will close, ONLY ones for which IPS signatures can not be applied to/guaranteed. Personally, I would leave it to "prefer connectivity", which is default, as lets be honest, you do NOT want people "screaming" at you because their connections are failing : - )

By the way, sk @Chris_Atkinson provided also explains that. I would listen to him, he is EXCELLENT, very smart guy!

Re: prefer security /prefer connectivity

Timothy_Hall — Tue, 13 Dec 2022 14:51:48 GMT

One interesting side effect of "prefer connectivity" is that while the connection will be continued upon ClusterXL failover, it cannot be inspected by streaming (either active or passive) anymore. As a result the connection will be offloaded into the SXL/Accelerated Path on the newly-active member.

This looks very strange when you are watching a high-speed transfer that is subject to streaming inspection and a failover occurs; the speed of the transfer doubles or triples! Interestingly if you fail back over to the original member streaming inspection resumes (assuming the member has not been rebooted or otherwise cleared its state table) and the transfer speed drops back to what it was before. Was definitely a WTF moment when I first saw this effect, as causing a failover would massively speed up big transfers!

Re: prefer security /prefer connectivity

the_rock — Tue, 13 Dec 2022 16:53:41 GMT

O wow, thanks for that Tim, thats super interesting 👍

Re: prefer security /prefer connectivity

Alexander_Wilke — Wed, 14 Dec 2022 12:14:26 GMT

What to use if you are running a 64k Scalable Plattform which is only a "Single" / "Standard" Gateway Object in SmartConsole and you can not select the options? Probably same for Maestro.

However 64k/Maestro may have failovers in the same "Chassis" or from one chassis to another. What will apply?
Prefer connectifity or prefer security?

Re: prefer security /prefer connectivity

Timothy_Hall — Wed, 14 Dec 2022 14:38:32 GMT

The default on SP/Maestro is prefer connectivity. At least in R80.30SP the command was asg_ips_failover_behavior {connectivity | security} and you could check the current state with command g_fw ctl get int fwha_ips_reject_on_failover, 0 is prefer connectivity, 1 is prefer security.

Re: prefer security /prefer connectivity

Alexander_Wilke — Wed, 14 Dec 2022 14:05:53 GMT

Thanks,

I can confirm "connectivity" at least for 64k and R80.20SP Jumbo HFA Take 331

g_fw ctl get int fwha_ips_reject_on_failover
-*- 10 blades: 1_01 1_02 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 -*-
fwha_ips_reject_on_failover = 0

Re: prefer security /prefer connectivity

umar7 — Wed, 05 Apr 2023 09:08:48 GMT

hello

Re: prefer security /prefer connectivity

umar7 — Wed, 05 Apr 2023 09:09:15 GMT

hello

Re: prefer security /prefer connectivity

umar7 — Tue, 20 Dec 2022 01:47:41 GMT

can i get an update from above questions?

Re: prefer security /prefer connectivity

the_rock — Tue, 20 Dec 2022 01:57:26 GMT

I cant give you answers to those, as I never tested option to prefer security, as default one is what everyone leaves it to. You would need to try it out and see the behavior.

Re: prefer security /prefer connectivity

umar7 — Tue, 20 Dec 2022 02:09:12 GMT

hello rock,

thanks for the update .

Re: prefer security /prefer connectivity

umar7 — Tue, 20 Dec 2022 02:25:15 GMT

hi all,

if any one know the behavior and above questions answer .kindly let me know .

Re: prefer security /prefer connectivity

PhoneBoy — Wed, 21 Dec 2022 01:45:31 GMT

The kinds of failures that are being discussed here are related to the clustering technology known as ClusterXL.
Many, many things outside of the control of the Check Point configuration can cause ClusterXL to “fail over” to another device.
It obviously has an impact on the IPS service, which requires the same gateway to process the connection (thus why the Prefer Connectivity/Security option exists).

3 minutes and 11 seconds doesn’t sound unreasonable if their test of “IPS service failure” was a reboot of the primary gateway.
There are other reasons a failover can occur that don’t involve a reboot (for example, disabling/unplugging a cable on a NIC, or something else that prevents the gateways from seeing each other).
I would want to know precisely how they are testing this.