This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Manoj_Pallapoth
Employee Alumnus
Employee Alumnus
‎2020-01-02 09:33 PM

Bonding of physical interfaces

Dear Mates,

Is bonding of interfaces suggestible in CP firewall when it is transparent mode. 

0 Kudos
5 Replies
Wolfgang
MVP Gold
MVP Gold
‎2020-01-02 11:12 PM

Manoj,

you find the answer in your companies guide for bridge mode.

Bridge Mode on Gaia OS and SecurePlatform OS 

"Only two interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-ports switch. Each port can be a Physical, a VLAN, or a Bond device."

Wolfgang

_Val_
Admin
Admin
‎2020-01-03 12:18 AM
In response to Wolfgang

@Wolfgang is saying, yes, it is possible 🙂 Two bond interfaces can be a bridge. Each bond can have multiple physical interfaces.

Manoj_Pallapoth
Employee Alumnus
Employee Alumnus
‎2020-01-03 12:55 AM
In response to _Val_

Hi,
My scenario is like this : Customer using Check Point in transparent mode to filter traffic. But few packets are missing out due to high bandwidth of traffic from the network. The interface we are using in CP for connectivity is 1 Gig. Now they wants to use 3 to 4 interfaces to as a bond to increase the pipe. Is it suggestible as I am new to Transparent mode scenarios.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-01-03 01:15 AM
In response to Manoj_Pallapoth

That indeed is a good reason to use bonding, high bandwidth is one of the reasons to use it. Do keep in mind that a single stream will always stick to a physical interface, LACP would be the way to go here as it will make sure that load sharing will be used on the interfaces.
Regards, Maarten
Bob_Zimmerman
MVP Gold
MVP Gold
‎2020-01-03 07:33 AM
In response to Maarten_Sjouw

LACP's transmit link selection method can result in wildly asymmetric loading. In extreme cases, all of your traffic may end up sent out a single link. For example, cluster sync on a bonded interface will only ever go out one link if you're using LACP.

Default transmit link selection is based on the layer 2 source and destination. If the firewall is being inserted into a link between two routers, you will only see two source-destination MAC pairs, so load balancing will be bad. Switching to layer 3+4 hashing may help, but can still result in weird behavior.

Other bonding styles—such as round-robin—may be more appropriate for distributing load.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events