Hello everyone.
I want to know what the best practice is for the following.
We are implementing "Live DR", so we are connecting the Main site with the DR site by Layer 2 in all internal VLANs. Also, the cluster FW will have 3rd and maybe also 4th members at the DR site, so the Internet/DMZ cluster will be in Main and in the DR site.
My question is about the ISP's side/default route site.
What is the best practice here?
Do I have to do a Layer 2 line between ISPs between sites (to my knowledge it's a must for the cluster), or can I use different ISPs, or the same ISPs but with different lines (and also different public IP subnets)?
And let's assume I have L2 between ISPs between sites: what will happen if the internal sync/other VLANs are disconnected between sites, and GWs become active together in the Main site and DR site, so the ISP will see the same VIP alive in both sites, and it won't work?
How is it usually implemented?
I attached a drawing of the general architecture.
Do you have your own ISP independent public IP addressing?
I would be using dynamic routing & routers / perhaps layer-3 switches external to the Firewall.
You are correct that regardless of the number of cluster members involved Layer-2 connectivity is required.
Redundant & diverse paths between sites are recommended in general for such a design.
Hi
Yes, I have independent ISP IP addresses.
So you are saying to stretch Layer 2 between sites for the network between the external FW interface and routers/LinkProof-like devices.
And then use dynamic routes that will inject a default route to the FWs, so each FW can also use the other site's ISPs if its own are down.