a_security
Explorer

Checkpoint Azure setup - Difference over vSRX

Hello Team,

We have a customer who is looking for a VPN solution, both site-to-site IPsec and for remote users (client VPN).

They are evaluating vSRX and CloudGuard.

Can anyone provide the differences? I know vSRX does not provide High Availability, but the Checkpoint solution does.

But what is the real benefit of HA over Autoscaling?

I know Juniper has no Remote VPN solution, which is a strong point for Checkpoint in this case.

If someone has a battlecard, please provide it.

6 Replies
PhoneBoy
Admin

Autoscaling is about creating more resources as needed to handle the demand/load.
High Availability has active/standby nodes and is meant for availability only (not necessarily to handle more load).
We do have an autoscaling Remote Access solution also (at least in Azure): https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_d... 

 

a_security
Explorer

Hi @PhoneBoy, thanks.

What I am trying to say here is: how much time does it take to fail over if we go for HA? I have read in various forums that it takes 3-4 minutes. So does this mean it is not a stateful failover?

And Autoscaling also takes approximately the same time, so is there a benefit to using HA?

Also, does the HA solution support both Site-to-Site VPN and Client-to-Site VPN?

Or is Autoscaling the only option for Client-to-Site?

PhoneBoy
Admin

For HA, the issue isn't with the lack of state, it's an issue with the amount of time it takes for the various APIs to respond and affect traffic flow.
For Autoscaling, there is no synchronization taking place, but it might take that long to recognize a particular node in the VMSS "failed" and route around/restart it.

HA works with Client-to-Site VPN and Site-to-Site VPN.
Autoscaling doesn't support Site-to-Site VPN.

a_security
Explorer

Thanks a lot @PhoneBoy: glad to have you here to answer and clear all the doubts. I have seen all the other posts and you have been awesome.

Last thing: does this mean that if the API takes time to respond, it will be an issue and we will never have stateful failover?

And if it recognizes quickly, like 15-20 seconds, does state synchronisation take place?

Kindly clarify these 2 points please.

PhoneBoy
Admin

The cluster synchronization process happens between the two gateways continuously.
There are some limitations to what is synced, but nothing specific to operating in public cloud here.

In a regular, physical environment, gateways can effect failover themselves by changing who responds to a given MAC address.
Public Cloud does not operate on this premise and requires API calls to the relevant cloud provider to effectively move the traffic flow from one gateway to the other.
The timing of responding/reacting to these API calls can vary and is not in our control.
However, when the failover is effected, the gateways will be in sync.

a_security
Explorer

Does this mean that if the API takes time, it will be a stateless failover or no failover at all?