https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31794#M6662 <HTML><HEAD></HEAD><BODY><P>SecureXL does not impact the performance for OSPF in any way. OSPF is part of the OS and is not part of the traffic passing through the gateway. Impact of OSPF on the box depends on the number of path choices and the number of routes there are. I do not think you will notice more than a 1% increase of CPU usage in a very busy network with hundreds of routes and at least 4 different possible paths to a destination. The latter is something you will rarely see on a perimeter FW, so most likely there will only be updates from the network about networks being added or dropped to/from the routing table.</P></BODY></HTML> Sun, 30 Sep 2018 21:44:02 GMT Maarten_Sjouw 2018-09-30T21:44:02Z https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31793#M6661 <HTML><HEAD></HEAD><BODY><P>Dear Mates,</P><P></P><P>I hope you are doing just fine.</P><P></P><P>I have taken over as the check point admin of a large telcom company. The company infrastructure is comprised of Internal and External Check Point Clusters running in <STRONG>Load-sharing unicast mode</STRONG>. Recently it was also enabled the <STRONG>Mobile Access Blade</STRONG> on the external clusters.&nbsp;</P><P>Now there is a new process of segmenting our network, and as part of the segmentation, the IP team wishes to have the Check Gateways running OSPF.</P><P>I am personally concerned about the performance of the gateways because one of the main feature that improves performance (SecureXL) is already disabled due to the ClusterXL mode, and other enabled software blades such as Mobile Access. We are using a 21800 appliance.</P><P></P><P>I would like to know the performance implications that I can encounter if OSPF is enabled taking into account that secureXL is already not working.</P><P></P><P>Any relevant contribution is welcome.</P><P></P><P>Thanks in advance</P></BODY></HTML> Sun, 30 Sep 2018 18:51:55 GMT https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31793#M6661 Di_Junior 2018-09-30T18:51:55Z https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31794#M6662 <HTML><HEAD></HEAD><BODY><P>SecureXL does not impact the performance for OSPF in any way. OSPF is part of the OS and is not part of the traffic passing through the gateway. Impact of OSPF on the box depends on the number of path choices and the number of routes there are. I do not think you will notice more than a 1% increase of CPU usage in a very busy network with hundreds of routes and at least 4 different possible paths to a destination. The latter is something you will rarely see on a perimeter FW, so most likely there will only be updates from the network about networks being added or dropped to/from the routing table.</P></BODY></HTML> Sun, 30 Sep 2018 21:44:02 GMT https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31794#M6662 Maarten_Sjouw 2018-09-30T21:44:02Z https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31795#M6663 <HTML><HEAD></HEAD><BODY><P>I agree with <A href="https://community.checkpoint.com/migrated-users/50921">Maarten Sjouw</A>‌, there should not be a major impact on the cluster due to OSPF.</P><P>Actually, since R80.20 introducing dynamic routing anti-spoofing, it should be simpler to implement and, hopefully, we'll see the routing changes in the logs now.</P></BODY></HTML> Mon, 01 Oct 2018 00:24:15 GMT https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31795#M6663 Vladimir 2018-10-01T00:24:15Z https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31796#M6664 <HTML><HEAD></HEAD><BODY><P>Thanks @<A _jive_internal="true" data-avatarid="1946" data-externalid="" data-online="false" data-presence="null" data-userid="50921" data-username="maart190aef73-58b6-43b8-aee6-8bbb11391e10" href="https://community.checkpoint.com/people/maart190aef73-58b6-43b8-aee6-8bbb11391e10" style="color: inherit; background-color: #ffffff; border: 0px; font-weight: bold; text-decoration: underline; font-size: 14px;">Maarten Sjouw</A>&nbsp;and <A href="https://community.checkpoint.com/migrated-users/48025">Vladimir Yakovlev</A>‌.</P><P></P><P>Since the performance impact is not a major problem, I have one additional question.&nbsp;</P><P>Does Check Point Gateways support <STRONG>Mutual Redistribution? How?&nbsp;</STRONG>I am asking this question because according to the new network design, ouur&nbsp;external Gateways will have to do mutual redistribution between <STRONG>OSPF</STRONG> and <STRONG>eBGP</STRONG>.</P><P></P><P>Thanks in advance</P></BODY></HTML> Mon, 01 Oct 2018 08:24:52 GMT https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31796#M6664 Di_Junior 2018-10-01T08:24:52Z https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31797#M6665 <HTML><HEAD></HEAD><BODY><P>An additional question is to know whether is it possible to create different OSPF processes on the Firewall. In such a way that networks in a specific OSPF process (for example process 1), are not advertised in another OSPF process (for example OSPF process 2)</P><P>&nbsp;Thanks in advance</P></BODY></HTML> Mon, 01 Oct 2018 11:21:06 GMT https://community.checkpoint.com/t5/General-Topics/Running-OSPF-on-the-Security-Gateways-with-SecureXL-disabled/m-p/31797#M6665 Di_Junior 2018-10-01T11:21:06Z