This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thabo
Participant
‎2024-07-22 07:39 AM

Cluster XL - High Availability for two checkpoint Appliances in different buildings

Good Day Community

I have not done Cluster XL - High Availability on checkpoint and i have finally met my fate where i have to configure HA for two checkpoint appliances and the complex scenario is that the security gateways are in different rooms which are located within the same building  where Data Center Room 1 is the primary room where all active equipment is hosted and Data Center Room 2 is the secondary room. The rooms have their Cisco core switches which i think its through Hot Standby Router Protocol. I am planing to create another VLAN for the sync ports and primary firewall in room 1 will be the active and in rooms 2 it will be passive there are two management servers and I have to do the same where one is primary and the other will be secondary. Currently i only have the primary firewall connected to ISP router in room 1 i am confused of the topology approach can someone please guide me especially for the WAN links the ISP has allocated a /29 network. I will answer question in an attempt to build towards the solution. I hope all makes sense.

0 Kudos
1 Reply
Bob_Zimmerman
Authority
Authority
‎2024-07-22 08:19 AM

You can set one cluster member to be higher priority than the other such that the cluster will prefer to run on that member if it is healthy. I personally wouldn't, since it makes it easier to not notice problems with the other member until it's too late and you need it to work.

I would connect both telco routers to the switches so both firewall members have the same visibility of everything. A failure of the core switch would prevent the attached firewall member or telco router from being reached, but a failure of either telco or either firewall member shouldn't necessitate a failover of any other part of the infrastructure.

If you need to conserve IP addresses, you can use off-net member IPs so you don't have to burn an address for each member. That is, you can use 2.3.4.5 as a cluster VIP, and 192.168.144.121 and .122 as the member IPs on that interface. This involves adding a local interface route to each member telling it 2.3.4.4/30 (or whatever) is out the interface so the firewall knows to send ARP requests rather than looking for a gateway address.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events