Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Di_Junior
Advisor
Advisor

Running OSPF on the Security Gateways with SecureXL disabled

Dear Mates,

I hope you are doing just fine.

I have taken over as the check point admin of a large telcom company. The company infrastructure is comprised of Internal and External Check Point Clusters running in Load-sharing unicast mode. Recently it was also enabled the Mobile Access Blade on the external clusters. 

Now there is a new process of segmenting our network, and as part of the segmentation, the IP team wishes to have the Check Gateways running OSPF.

I am personally concerned about the performance of the gateways because one of the main feature that improves performance (SecureXL) is already disabled due to the ClusterXL mode, and other enabled software blades such as Mobile Access. We are using a 21800 appliance.

I would like to know the performance implications that I can encounter if OSPF is enabled taking into account that secureXL is already not working.

Any relevant contribution is welcome.

Thanks in advance

0 Kudos
4 Replies
Maarten_Sjouw
Champion
Champion

SecureXL does not impact the performance for OSPF in any way. OSPF is part of the OS and is not part of the traffic passing through the gateway. Impact of OSPF on the box depends on the number of path choices and the number of routes there are. I do not think you will notice more than a 1% increase of CPU usage in a very busy network with hundreds of routes and at least 4 different possible paths to a destination. The latter is something you will rarely see on a perimeter FW, so most likely there will only be updates from the network about networks being added or dropped to/from the routing table.

Regards, Maarten
Vladimir
Champion
Champion

I agree with Maarten Sjouw‌, there should not be a major impact on the cluster due to OSPF.

Actually, since R80.20 introducing dynamic routing anti-spoofing, it should be simpler to implement and, hopefully, we'll see the routing changes in the logs now.

Di_Junior
Advisor
Advisor

Thanks @Maarten Sjouw and Vladimir Yakovlev‌.

Since the performance impact is not a major problem, I have one additional question. 

Does Check Point Gateways support Mutual Redistribution? How? I am asking this question because according to the new network design, ouur external Gateways will have to do mutual redistribution between OSPF and eBGP.

Thanks in advance

0 Kudos
Di_Junior
Advisor
Advisor

An additional question is to know whether is it possible to create different OSPF processes on the Firewall. In such a way that networks in a specific OSPF process (for example process 1), are not advertised in another OSPF process (for example OSPF process 2)

 Thanks in advance

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events