Satyam1
Explorer

Does Active-Active HA supports more users?


Hi Guys,

My company bought a Checkpoint firewall a few months back. At that time we had around 85 users, and the Fortigate technical person suggested that it would handle up to 100 users in our environment. Now around 70 more people have joined our company, so the total number of employees will be around 160. I have a few questions:


1) If we buy one more Checkpoint firewall (same model) and use it in Active-Active HA mode, will it be able to handle the extra employees we have now? Meaning, if one firewall can handle 100 users, will 200 users be able to work with two firewalls?


2) Will the number of VPN users that can connect to the firewall also increase after adding the second firewall?

1 Solution

Accepted Solutions
PhoneBoy
Admin

In general, yes, adding another box in active-active will increase the number of users supported.
It will not be double (maybe 1.5x, but it depends on a number of factors), and it also introduces limitations as documented in the SK @RamGuy239 pointed to.

In general, I advise against ClusterXL active/active and instead to purchase something that is able to handle future expected load (3-5 years depending on the company) versus buying precisely what will solve the need today.
This accounts for both future user growth but also additional overhead for additional security functions down the road.
If you need something that can quickly scale up by adding more appliances, look at a Maestro solution, which will give you nearly linear performance gains by simply adding another appliance.

Of course, all of that is general advice based on the very general information you’ve provided so far.
If you want specific advice, we need to know in more detail what you actually have and are using today.
It might also be a better conversation to have with your Check Point SE or partner.

6 Replies
PhoneBoy
Admin

What appliance are we talking about running what code version with what blades active?
Also how is it being managed (ie as standalone or with a separate management server)?
What is the precise throughput requirement?
How utilized is the current system?

You may not even be fully utilizing the hardware you have.
Adding another appliance in an active/active configuration will NOT increase your throughput by a factor of two, as Active/Active clustering has overhead.

RamGuy239
Advisor

You have to take into consideration that scaling will never be 100%. Furthermore, there are quite a few limitations when running Check Point GAiA in a load balancing (active-active) cluster. You can use sk101539 as a reference:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


IPsec site-to-site VPN is not supported. Mobile Access will enable the Sticky Decision Function, which disables Check Point SecureXL acceleration, resulting in a huge reduction in overall performance.

Normally the recommended approach for having an active-active cluster would be to run VSX in VSLS mode. But then you will have added overhead as a result of the virtualisation so your performance wouldn't be close to a 100% scale.

Going with Maestro might be the best in terms of scaling and not run into a lot of limitations. But that will require Maestro Orchestrator to add to the cost.

Then again, there have been so many performance improvements over the latest major releases that it's hard to say what to really expect here without knowing what version you are currently running. By going from R80.10 to R80.40 you will most likely gain a lot of performance, as they moved to the 3.10 kernel, multi-queue and various other improvements. If you are moving from R77.30 there are tremendous improvements to VPN, as it's no longer limited to a single core. R81.10 brings even further improvements to how VPN traffic is handled within the GAiA software.

PhoneBoy
Admin

Yeah, lots of variables here that can determine what the best answer is.
However, at the level of scale you're talking about, it may be more cost-effective to simply buy a larger appliance.
But again: we need to know what the starting point is so we can suggest the optimal solution.

Satyam1
Explorer

Hi, Thanks for your time.

Let's start fresh. My company currently has 280 employees (almost 110 added last week because of the merging of two offices), and we will have more than 1500 employees in the coming 2 years. We have 3 Internet lines.

What will be the best option -

1) Do we buy a small firewall that suffices for current user demand, or go with the 2-year projection and buy a big firewall?

2) In case we go for the smaller device for now, after 1 or 2 years is there any way to utilize the small one, or will it be useless because the number of users will have increased?

Sorry for my English 🙂


Satyam1
Explorer

Hi, Thanks for replying.

I got most of my points cleared by looking and reading over the internet.

Just one point that is still unclear: will adding one more firewall of the same model in HA double the performance?
