https://community.checkpoint.com/t5/General-Topics/Cluster-over-differnt-geo-location-with-different-ISPs/m-p/138550#M24676 <P>Hello everyone.</P><P>i want to know what is the best practice of the following</P><P>we implementing "Live DR", so we connecting Main site with DR Site by Layer2 in all internal vlans. and also the cluster FW will be 3rd and maybe also 4th members at the DR Site. so Internet/Dmz Cluster will be ni Main and in DR Site.</P><P>my quesion is about the Isp's side/Default route site.&nbsp;</P><P>what is the best practice here?</P><P>do i have to do Layer 2 Line between Isps between sites (to my knowledge it's must for the cluster), or can i use different ISPs, or same ISPs but with different lines (and also different&nbsp; public IP subnets)</P><P>and let's assume i have L2 between ISPs between sites, what will happend if the Internal Sync /other vlans disconnected between sites, and GWs become active together in Main Site and DR Site, so the ISP will see the same VIP alive in both sites, and it won't work.&nbsp;</P><P>how it's usually implemented ?</P><P>i attached draw for general architecture.</P> Sun, 16 Jan 2022 14:57:19 GMT Amir_Arama 2022-01-16T14:57:19Z https://community.checkpoint.com/t5/General-Topics/Cluster-over-differnt-geo-location-with-different-ISPs/m-p/138550#M24676 <P>Hello everyone.</P><P>i want to know what is the best practice of the following</P><P>we implementing "Live DR", so we connecting Main site with DR Site by Layer2 in all internal vlans. and also the cluster FW will be 3rd and maybe also 4th members at the DR Site. so Internet/Dmz Cluster will be ni Main and in DR Site.</P><P>my quesion is about the Isp's side/Default route site.&nbsp;</P><P>what is the best practice here?</P><P>do i have to do Layer 2 Line between Isps between sites (to my knowledge it's must for the cluster), or can i use different ISPs, or same ISPs but with different lines (and also different&nbsp; public IP subnets)</P><P>and let's assume i have L2 between ISPs between sites, what will happend if the Internal Sync /other vlans disconnected between sites, and GWs become active together in Main Site and DR Site, so the ISP will see the same VIP alive in both sites, and it won't work.&nbsp;</P><P>how it's usually implemented ?</P><P>i attached draw for general architecture.</P> Sun, 16 Jan 2022 14:57:19 GMT https://community.checkpoint.com/t5/General-Topics/Cluster-over-differnt-geo-location-with-different-ISPs/m-p/138550#M24676 Amir_Arama 2022-01-16T14:57:19Z https://community.checkpoint.com/t5/General-Topics/Cluster-over-differnt-geo-location-with-different-ISPs/m-p/138568#M24677 <P>Do you have your own ISP independent public IP addressing?</P> <P>I would be using dynamic routing &amp; routers / perhaps layer-3 switches external to the Firewall.</P> <P>You are correct that regardless of the number of cluster members involved Layer-2 connectivity is required.</P> <P>Redundant &amp; diverse paths between sites are recommended in general for such a design.</P> Mon, 17 Jan 2022 03:42:05 GMT https://community.checkpoint.com/t5/General-Topics/Cluster-over-differnt-geo-location-with-different-ISPs/m-p/138568#M24677 Chris_Atkinson 2022-01-17T03:42:05Z https://community.checkpoint.com/t5/General-Topics/Cluster-over-differnt-geo-location-with-different-ISPs/m-p/138704#M24691 <P>HI</P><P>Yes i have independend ISP ip addresses.</P><P>So you are saying to strech layer 2 between sites of the network between external fw interface to a routers/link proof like.</P><P>And then use dynamic routes that will inject default route to the fws. And so each fw can also use other site isp's if it's own are down.</P><P>&nbsp;</P> Tue, 18 Jan 2022 08:20:49 GMT https://community.checkpoint.com/t5/General-Topics/Cluster-over-differnt-geo-location-with-different-ISPs/m-p/138704#M24691 Amir_Arama 2022-01-18T08:20:49Z