Hello Checkmates.
Can I configure ClusterXL in active-active load sharing and define which gateway shall process what amount of traffic?
For instance, I have two gateways configured to operate in ClusterXL active-passive mode. I want to use it in an active-active mode where GW1 could handle 70% of traffic and GW2 could handle the rest. Is it possible?
Problem Statement: If my throughput is 10GBPS and I could achieve it using an active-active with two security gateways, in case one GW fails my whole network would be impacted.
Thanks.
Digo.
A ClusterXL Active/Active of two gateways will at best give you 1.5x of the performance of a single gateway…if using multicast mode.
Not to mention the various limitations of being in ClusterXL Active/Active.
R82 with ElasticXL will provide a bit closer to 2x performance (similar to Maestro).
Regardless of the clustering technology, if you’re continually running a two node cluster at above what a single gateway does on its own, you’re setting yourself up for failure since a failure of one gateway will result in overloading the other gateway…
Load will automatically be decided and I doubt you will be able to control it. However, understand the limitations as well. If you have the VPN blade running or Mobile Access, you won't be able to achieve an A/A cluster.
There are some limitations as @Blason_R advised.
If I were you, I would not bother, active-passive is so much better...traffic handling, speed, no blade limitation.
Andy
What hardware do you have?
Another option to consider here might be Maestro.
Also, to add to the great point @Chris_Atkinson made, consider the below even when creating a load sharing cluster object in SmartConsole. Too much headache for so many limitations...
Andy
To let the active gateways themselves determine/balance the load assignment between them, you would need to use Load Sharing Unicast or Load Sharing Multicast (not Active/Active), which as Blason said has major issues with VPNs. For Load Sharing Unicast there is a GUIdbedit variable called Pivot_overhead that can be adjusted to affect how assigned load is handled. For Load Sharing Multicast I would imagine there are probably some kernel variables that can be adjusted to affect load/connection assignment, but if there are they don't appear to be documented. But generally the Load Sharing modes are not a good idea due to their complexity/limitations and I don't recommend them.
The newer Active/Active mode introduced in R80.40 (which is completely separate from Load Sharing) allows an external entity (Maestro Orchestrator, BGP/OSPF, F5, etc.) to decide which member should handle which traffic based on its own metrics (bandwidth, delay, load, reliability, MTU, etc). This would probably be the best way to achieve your objective but you'd have to assign/influence what the loads would be on the external device.
The SK you linked to states the limitations for ClusterXL Load Sharing, not the newer Active/Active. I think you meant this:
The notable limitations for Active/Active are the lack of support for VSX, and the inability to do a Hide NAT behind the cluster/virtual IP because there isn't one in Active/Active mode.
Good catch...I think it's the same link I posted, but yeah, that's 100% the one for ClusterXL active-active.
Cheers,
Andy
Yeah when teaching CCSE I constantly catch myself using the term "Active/Active" when I mean Load Sharing. Doesn't help that Load Sharing was frequently referred to as Active/Active prior to R80.40. 🙄
It's sort of how Americans pronounce tomato and how British people say it...sounds different, but it's the same thing 😂
Hello,
Following this thread, please, in your experience, have a Cluster in Load Sharing mode 30/70%.
Do you know if it also gives you "headaches" with the use of the Identity Awareness blade?
I have network users, that can only be seen on the Cluster member that is with the highest load %, but cannot be seen on the other member.
It is really becoming a terrible headache.
I inherited this architecture configured that way.
I don't know the reason why.
Is it natural, this behavior?
Greetings.
Nice catch - Yes I mean load sharing has a few limitations which I always faced.
Hi @Timothy_Hall, The SK describes the active-active scenario for two different geographical areas which is not required in my case. Your other recommendation "you would need to use Load Sharing Unicast or Load Sharing Multicast (not Active/Active)" seems to be the answer I was looking for.
But looking at the complexity and limitations of implementing it by playing with kernel parameters would be a difficult task I guess. Thanks for the quick suggestion I will discuss it with my team further.
Regards,
Digo.
Based on all the links we gave you and what guys said, I would honestly stay away from it, not worth it.
Just my 2 cents...
Andy