LostBoY
Advisor

Active Active Cloudguard AWS

I have a geo cluster configured on AWS in Active/Active mode. However, at any one time in the logs only 1 FW passes traffic. How is this an Active/Active cluster if at any one time only one cluster member caters to all the traffic? By design, 1 member is in 1 availability zone and the other is in a different availability zone. Still, traffic initiated from both zones falls on one firewall. Only when a cluster down command is issued does traffic get transferred to the secondary member. Shouldn't both members accept traffic from their respective zones?

4 Replies
PhoneBoy
Admin

Technically both gateways are active and available in an active/active config.
What determines which gateway is handling the traffic? Routing.

What precise guide(s) did you follow to set this up?

LostBoY
Advisor

I followed the following:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Topics-CXLG/A...

I used the CloudFormation cross availability zone template to deploy this. There are 2 external and 2 private subnets for this cluster. I looked into the routing and I can see that, under the VPC routing of both private subnets, there is a default route pointing towards the private interface of Firewall 1, so this is why all traffic goes to FW1. These routes in both private subnets were created automatically. Even if I try to modify the subnet 2 routing, it reverts back to point to FW1 automatically.

Just wondering: does active-active in this geo cluster mean the FW is active for both zones, hence active-active?

PhoneBoy
Admin

They are active/active in the sense they are both available to pass traffic.
However, as mentioned in the other thread, the routing is configured so it's more like active/passive.
I presume it's the script we run to monitor state that is also setting the routing so only one of the gateways is receiving the traffic.

LostBoY
Advisor

I guess this is the most apt explanation, as the private subnet default routing is auto-defined. Thanks for your help.

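The routing check described in the thread, as an added example that is not part of the original posts or of Check Point's tooling: it reads output shaped like `aws ec2 describe-route-tables` and reports which cluster member each private subnet's default route targets. The subnet, route table and ENI IDs and the member mapping are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# Every ID below is a placeholder, not a value from the thread.
SAMPLE = json.loads("""
{"RouteTables": [
 {"RouteTableId": "rtb-private-a",
  "Associations": [{"SubnetId": "subnet-private-a"}],
  "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fw1-private", "State": "active"}]},
 {"RouteTableId": "rtb-private-b",
  "Associations": [{"SubnetId": "subnet-private-b"}],
  "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fw1-private", "State": "active"}]}
]}
""")

# Assumed mapping from each member's private-interface ENI to a member name.
MEMBER_ENIS = {"eni-fw1-private": "FW1", "eni-fw2-private": "FW2"}

def default_route_owners(route_tables, member_enis):
    """Map each associated subnet to the target of its 0.0.0.0/0 route."""
    owners = {}
    for table in route_tables["RouteTables"]:
        target = "no default route"
        for route in table.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if route.get("State") == "blackhole":
                target = "blackhole"  # target ENI is gone, traffic is dropped
            else:
                # An unknown target means traffic does not cross the cluster.
                target = member_enis.get(route.get("NetworkInterfaceId"),
                                         "bypasses cluster")
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:  # main-table associations carry no SubnetId
                owners[assoc["SubnetId"]] = target
    return owners

def traffic_mode(owners, member_enis):
    """Classify the effective data path by how many members own a default route."""
    in_path = set(owners.values()) & set(member_enis.values())
    return {0: "no member in path", 1: "active/passive"}.get(len(in_path), "active/active")

if __name__ == "__main__":
    owners = default_route_owners(SAMPLE, MEMBER_ENIS)
    print(owners, "->", traffic_mode(owners, MEMBER_ENIS))
```

With real output saved from the CLI, load that JSON in place of `SAMPLE` and fill `MEMBER_ENIS` with the members' private-interface ENI IDs.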