Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Advisor

Check Point Clustering between two Datacenters

Dear Mates

 

We are currently experiencing routing assymetry on our infrastructure, and we are trying to find possible solutions that could help us solve the problem.

I would like to know whether there is a limitation in terms of creating a Check Point cluster over two geographically separeted Datacenters (Few Kilometers away from each other). Is there any distance constraints? 

If there is no a distance constraint, since the current version of GAIA we are using (R80.20) does not support Load-sharing, we do not intend to have 4 appliances in a cluster while only one is taking all the traffic.

Can Maestro be used in order to take advantage of the 4 appliances?

The rationale for this question is because we are thinking of turning the 4 Check Point Appliances into a single cluster.

 

Thanks in Advance

0 Kudos
17 Replies
Highlighted
Champion
Champion

For the main question, answers can be found in Advanced Technical Reference Guide (ATRG) for ClusterXL R6x, R7x and R8x

Concerning Maestro - this currently only works using 6500, 6800 and 23800 appliances...

 

Highlighted
Advisor

Hi G_W_Albrecht

 

Thanks for your help.

 

Looking at point 2.3 Restrictions on the recommended document it says: latency on synchronization network is less than ~30 milliseconds and packet loss is less than ~2-3%.

So there should be no problem as long as I can assure that this recommendation is met. Let´s say I have fiber cable that links both Datacenters.

 

Thanks once again

0 Kudos
Highlighted
Leader
Leader

Di,
You‘re right. We too running a cluster over 15km distance on a darkfiber without problems.
With Maestro you can have your four appliance running as one system. But you too need more orchestrators and now there is no support for a long distance solution with Maestro. Will be available in the future.
And like G_W_Albrecht wrote, only a few appliance are supported by Maestro.
If you can more then one firewall instances running in your cluster, maybee VSX in VSLS is a solution for you.

Regards
Wolfgang
Highlighted
Champion
Champion

There are quite a lot more appliances (5600 and up) that work with Maestro, the support for the model is depending on the availability of a 10GB card for the model. An RFE can be requested to get yourappliances approved. What I have been told so far 2012 and 2016 series that support a 10GB card will work, supported only when the RFE is done, the 5800 and 5900 should already be on the list ATM
However they all need to be at the same location as there is no multi room, nor multi site support at this moment.

We run multiple cluster spread across the country, for 20 to 120 KM apart, as long as the underlying network is properly supporting it, you should be just fine.
Regards, Maarten
Highlighted
Advisor

Hi Maarten

Thanks for your help.

Would you kindly share which clustering mode are you using HA or Load-sharing?

The distance between our Datacenter is from 15Km to 55KM but we have 10G links between the sites.

Regards

0 Kudos
Highlighted
Champion
Champion

As an MSP we do not use load sharing on normal clusters other than VSX. It makes troubleshooting much harder when you do not manage the switch layer, which in our case is rarely the case.
In VSX we run VSLS on almost all our clusters, this allows us to evenly share the load while still allowing for enough power when a failover occurs.
Regards, Maarten
Highlighted
Advisor

Thanks. I will definetly explore VSX and how it could be implemented on our infrastructure. We are currently using the 21000 Series, and we have 4 appliances (two on each site operating in HA).
0 Kudos
Highlighted
Advisor

Hi Maarten

Just a quick question. When using VSX, does asymetric routing also applies to different VSX , or traffic from one VSX is also accepted by another VSX.
0 Kudos
Highlighted
Champion
Champion

When you use multi-site clustering all VLAN's need to be stretched over the 2 sites, otherwise you will get problems with asymmetric routing,. This does not change when you use VSX.
VSX is only useful when you can separate traffic streams over different virtual gateways. Each virtual gateway can reside on either of the physical boxes and is mostly used to make sure the traffic is taken care of on the site it is passing thru.
Regards, Maarten
Highlighted
Advisor

Thanks Maarten, I am reading up on VSX.
Just one last question, How can check whether my firewall supports VSX (we are using 21000 series)? Do you need a special license in order to enable VSX?
0 Kudos
Highlighted
Champion
Champion

The 21000 supports VSX, you do need a license when you want to run more than 2 virtual gateways on it.
A lot of people will tell you more than 1 but technically you can use vs0 as well.
Regards, Maarten
Highlighted
Advisor

Hi Wolfgang

Thanks for your help.

Which clustering mode are you using HA or Load-Sharing? 

I will read up on  VSX.

 

Thanks once again

0 Kudos
Highlighted
Leader
Leader

have you got Layer 2 low-latency dark fiber in between DCs ?

if you do - CCP should fly across just fine as others mentioned.

regardless of the build, whether it is R77x, R80.xx - it will work as long as you've got proper layer 2 tunned and in relatively 1-10GB/s spanning.

Jerry
Highlighted
Advisor

Hi Jerry

We have 10G link between the Datacenters with an observed delay of 2 to 3ms.

0 Kudos
Highlighted
Leader
Leader

Maestro then would be your dream solution though 🙂 good luck!
Jerry
0 Kudos
Highlighted
Leader
Leader

Jerry,

I think this isn't possible. Maestro does not support Multi-Site environment.

Have look at the Maestro FAQ sk147853:

How many orchestrators are supported in a cluster?

Currently, two orchestrators can work together. MultiSite support for 2x2 orchestrators is planned for a future release. 

What throughput is needed between MHOs for sync?

MHO-170 requires a 40GB DAC cable or a 100GB DAC cable. MHO-140 requires a 10GB DAC cable.

 

regards

Wolfgang

0 Kudos
Highlighted
Admin
Admin

Maestro will support multi-site in a near future. Stay tuned

0 Kudos