This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Muhammad_Amin_Z
Explorer
‎2018-12-06 05:53 AM

CheckPoint Cluster Failover Query

Hello CP Experts -

I have 2 CheckPoints 5100 in HA. Currently firewall fail-over takes place if primary firewall gets down physically. Now I want to setup in a way that if my WAN interface IP on primary firewall gets unreachable it will shift the traffic flow on the secondary firewall, Means my primary firewall need to be up physically but just due to its WAN interface gets unreachable it should make a route of all network traffic to secondary firewall and on Secondary firewall an alternate ISP starts Natting and making the internet reachable.

I hope I cleared my question. Looking forward for positive reply in this regards.

6 Replies
PhoneBoy
Admin
Admin
‎2018-12-06 04:38 PM

Unless both gateways share the same subnet on all interfaces, have a shared IP, and can reach each other on all interfaces, you won't be able to cluster.

The shared IP would have to be reachable on both ISPs, which is not likely the case.

Also a cluster has to have exact the same policy (including NAT) on all members, which is not what you're asking for.

Bottom line: this won't work as a cluster.

PhoneBoy
Admin
Admin
‎2018-12-06 08:50 PM

Further, since this thread is in English, I am moving it to the proper space: General Product Topics

0 Kudos
Mikel_Aanstoot
Contributor
‎2018-12-07 01:22 AM

Hi, just a quick question, but if you have already an alternate ISP why not connect this to both gateways and have ISP redundancy on both gateways ? So on both gateways (active/passive) both ISP's are connected and in or load sharing mode or in Primary/Backup mode. I think that would make a bit more sense.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2018-12-07 08:17 AM

From the second edition of my book:

Question: We suffered an upstream network failure that did not occur on the network/VLAN directly adjacent to the firewall.  There was not a failover to the standby member (who had a working network path further upstream) because ClusterXL could not detect this indirect upstream network failure. Can we configure ClusterXL to monitor some upstream IP addresses, and cause a failover to occur when they can no longer be reached?


Answer: Yes! See sk35780: How to configure $FWDIR/bin/clusterXL_monitor_ips script to run automatically on Gaia / Sec....

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Muhammad_Amin_Z
Explorer
‎2018-12-10 05:02 AM

Hello everyone thank you for your responses. Further I need to design like this to have both Firewalls in active mode and need to have a failover to the cluster firewall if the WAN link gets unreachable.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-12-11 01:09 AM
In response to Muhammad_Amin_Z

You can have both Firewalls in active mode and use two ISPs with ISP redundancy

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events