topic Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity in Spark Firewall (SMB)

Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

SallesThiago — Wed, 05 Feb 2025 14:04:52 GMT

Today, we have an internal cluster with two 9100 devices, and everything is working fine.

Now, we are planning to implement two new clusters:

Cluster Y

Two SMB 1575 devices
Only one fixed ISP IP

Cluster Z

Two 9100 devices
Only one fixed ISP IP

My question is: how can the clusters communicate using only one public IP?

Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

ereche — Wed, 05 Feb 2025 14:06:45 GMT

I have same issue to solve here.

Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

Chris_Atkinson — Wed, 05 Feb 2025 14:12:28 GMT

The traditional method:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-CXLG/Cluster-IP-addresses-on-different-subnets.htm

Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

Chris_Atkinson — Wed, 05 Feb 2025 15:19:57 GMT

You may also wish to consider ElasticXL with R82 as another option (for non Spark) as it doesn't have the same IP address requirements as traditional ClusterXL.

https://youtu.be/Ctx9Su0y-e0?feature=shared

Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

sigal — Wed, 05 Feb 2025 15:43:53 GMT

Hi,
Note that on locally managed Spark appliances running R81.10.15, you can just configure routable IP as VIP and physical (private) IPs from different subnet without the need to implement Cluster IP Addresses on Different Subnets.

Thanks.

Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

SallesThiago — Wed, 05 Feb 2025 17:16:20 GMT

Using the R82 for non-Spark scenarios seems like the best approach. In the case of Spark with 3 valid IPs, will it work? Is this the best practice in this situation? I’m considering requesting additional IPs from the ISP.

Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

SallesThiago — Wed, 05 Feb 2025 17:17:30 GMT

Yes, for other customers, we handle this through local management in Spark and work fine. However, in this case, the manager will operates centrally.

Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

ereche — Fri, 21 Feb 2025 11:40:16 GMT

Thks Chris, it solves our problem.

Re: Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

perfect4situa — Wed, 12 Mar 2025 14:07:20 GMT

Unfortunately, we recently have closed a ticket about this, and the solution is:

Quantum Spark Appliances in Centrally Managed mode DO NOT fully support the configuration with Single Routable IP and interfaces on different network even if it's confirmed by documentation (https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Configuring-High-Availability.htm?TocPath=Managing%20the%20Device%7CConfiguring%20High%20Availability%7C_____5#Configuring_a_Cluster_with_a_Single_Routable_IP_Address_in_Central_Management), this seems to be available only for Quantum Force and higher (https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-CXLG/Cluster-IP-addresses-on-different-subnets.htm).

You can try to configure a new "local transport network" between gateway and router so you can have as many IP as you want to configure in each interface. In this case you cannot access directly each cluster member from internet, but you can do so via DNAT.

Something like that:

Router External: 1.1.1.1

Router Internal: 192.168.1.1/24

Checkpoint External: 192.168.1.2/24

Checkpoint External gateway: 192.168.1.1

Hoping to be useful