I observe this situation pretty much every time I am on a client's premises:
There are clustered gateways or VSX appliances in separate racks.
There is typically a single management appliance per site with a single Mgmt interface connected to the network (not counting LOM and Console).
Is there any downside to creating a bonded interface, connecting it to two clustered switches located in separate racks and using it for administration?
This approach should help with the situation when connectivity to one of the switches is interrupted or if one of the switches is offline.
Your thoughts?
As long as it uses L2, not L3, bonding ... and 802.3ad (proper LACP) it all works. Have had lots of scenarios with it, inc. R80.10, where round-robin on L3 bonding collapsed. That's a big topic mate ... lots to mention, too much for a single line.
Thanks,
I am talking strictly about HA capability for management appliances, so active/standby only, no need for round-robin.
All of Check Point's SMS code runs as user-space processes, and thus has no direct visibility into how the underlying interfaces are configured at the Gaia OS level, as the kernel provides a layer of abstraction between processes and the underlying hardware. The gateway is a different story though, since most of Check Point's inspection code resides in kernel space and can directly touch the underlying hardware.
Bonded interfaces should be no problem for an SMS, assuming the bond itself is set up correctly in Gaia and the bonding settings match the attached switches.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
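The post above leaves the "set up correctly in Gaia and matching the switches" part to the reader. The script below is an added example, not code from this thread or from Check Point: it is a health check for such a management bond, run from expert mode against /proc/net/bonding/<bondN>, which flags the two failure modes this thread is about (a link to one of the two switches down, and, in 802.3ad mode, the two links landing in different aggregators because the two switches are not presenting one LAG). The interface names eth1/eth2, the bond name bond1, the address 192.0.2.10 and the three /proc/net/bonding samples are all constructed for the example; the clish lines in the header are written from memory of the Gaia command set and should be checked against the admin guide for the release in use.

```shell
#!/bin/sh
# Health check for a Gaia management bond (added example; not from the thread).
#
# Assumed Gaia clish configuration this checks (verify syntax for your release;
# eth1/eth2, bond1 and 192.0.2.10 are placeholders):
#   add bonding group 1
#   add bonding group 1 interface eth1      # link to the switch in rack A
#   add bonding group 1 interface eth2      # link to the switch in rack B
#   set bonding group 1 mode active-backup  # or: mode 8023AD, only if both
#                                           # switches form one LAG (MLAG/vPC/stack)
#   set bonding group 1 mii-interval 100
#   set interface bond1 ipv4-address 192.0.2.10 mask-length 24
#   set interface bond1 state on
#   save config

# bond_check: reads /proc/net/bonding/<bond> text on stdin, prints a summary
# line plus one line per slave, and exits 0 only if the bond is fully
# redundant. Exit 1 when the bond or any slave reports MII down, or, in
# 802.3ad mode, when a slave is in a different aggregator than the active one
# (that slave is up but carries no traffic: the switches are not one LAG).
bond_check() {
    awk '
    /^Bonding Mode:/           { mode = $0; sub(/^Bonding Mode: /, "", mode) }
    /^Currently Active Slave:/ { active = $NF }
    /^Slave Interface:/        { n++; slave[n] = $NF }
    /^MII Status:/             { if (n) mii[n] = $NF; else bondmii = $NF }
    /^Link Failure Count:/     { if (n) fails[n] = $NF }
    /Aggregator ID:/           { if (n) agg[n] = $NF; else bondagg = $NF }
    END {
        rc = (bondmii == "up") ? 0 : 1
        printf "mode=%s bond_mii=%s", mode, bondmii
        if (active != "")  printf " active=%s", active
        if (bondagg != "") printf " aggregator=%s", bondagg
        printf "\n"
        for (i = 1; i <= n; i++) {
            printf "slave=%s mii=%s failures=%s", slave[i], mii[i], fails[i]
            if (agg[i] != "") printf " aggregator=%s", agg[i]
            printf "\n"
            if (mii[i] != "up") rc = 1
            if (mode ~ /802\.3ad/ && agg[i] != bondagg) rc = 1
        }
        exit rc
    }'
}

# Constructed /proc/net/bonding samples, abbreviated to the fields read above.
sample_active_backup_ok() {
cat <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: up
Link Failure Count: 0

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
EOF
}

# Same bond after the rack-B switch went away: eth2 down, eth1 still active.
sample_active_backup_degraded() {
cat <<'EOF'
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up

Slave Interface: eth1
MII Status: up
Link Failure Count: 0

Slave Interface: eth2
MII Status: down
Link Failure Count: 1
EOF
}

# 802.3ad bond whose links negotiated separate aggregators: eth2 is up but idle.
sample_8023ad_split() {
cat <<'EOF'
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up

802.3ad info
LACP rate: slow
Active Aggregator Info:
    Aggregator ID: 1
    Number of ports: 1

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Aggregator ID: 1

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Aggregator ID: 2
EOF
}

# On a real appliance:  bond_check < /proc/net/bonding/bond1
for s in sample_active_backup_ok sample_active_backup_degraded sample_8023ad_split; do
    echo "== $s"
    if $s | bond_check; then echo "-> healthy"; else echo "-> DEGRADED"; fi
done
```

The aggregator test is the one worth keeping in mind before choosing 8023AD over active-backup: with two independent switches, LACP still comes up, but only one aggregator is active, so the "redundancy" is silent until you read the aggregator IDs. Active-backup needs nothing from the switches beyond two access ports in the same VLAN.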
Thanks.
I've done it before using LACP HA mode, but, never having seen it elsewhere, I was trying to find out whether there were any downsides to it.
DOWNSIDES
One 'downside' I see is the advanced planning, configuration and troubleshooting effort required for LACP bonded interfaces. Another 'downside' is the perceived redundancy resulting from bonded interfaces, redundant PSUs, hard disk RAID, etc., while it's still only one chassis, meaning no physical redundancy (separate racks, rooms), no hard disk dd dumps, no instant fallback solutions, limitations on redundant hard disks and PSUs that are only available on expensive high-end Smart-1 appliances (225, 3050, 3150), and so on.
VIRTUALIZATION
I prefer running the SmartCenter as a VM host within VMware ESXi instead of maintaining a physical appliance. This allows for easy VM snapshots and reverts making it easy and safe to quickly test a new hotfix, migration, whatever.
MANAGEMENT HIGH AVAILABILITY
In cases where a physical management appliance has to meet advanced redundancy requirements, I recommend adding a secondary management appliance to get a real Management-HA solution.
Danny,
The advanced planning is hardly a downside: have you seen the T-shirt with the "Four weeks of coding can save two days of planning" sign on it? :)
The bonded interfaces on management appliances are by no means a substitute for full Management HA, but are simply a means to improve per-site redundancy in case of a switch or connectivity failure.
I'm just looking at it from the perspective of people investing in gateway redundancy and failover capability on a per-site basis, and helping them achieve the same with management.
Personally, I am also a big fan of the flexibility afforded by VM implementation of management and in most instances it is also what I recommend.
But in cases where the client invests in 3050s with 256GB of RAM and other bells and whistles, the use of bonded interfaces may be warranted.
Thank you,
Vladimir