Timothy_Hall
Legend

Layer 4 Distribution - Yes or No?

So it would appear that Layer 4 Distribution is enabled by default, but the overall consensus seems to be to disable it unless you need it. Is that still true in R81.10, or is that an outdated recommendation? The issues that led to that recommendation seemed to involve messing up the availability of SGM-offered web portals like UserChecks and the Captive Portal/Identity Awareness. Looks like at one point L4 would mishandle fragmented traffic, but that got fixed recently.

Assuming this recommendation to disable L4 unless needed still holds true, would these scenarios be an accurate and complete representation of why you would need L4 in R81.10:

      • There is a small number of diverse source and destination IP addresses traversing the Security Group, but there is a large number of source ports in use by protocols such as HTTP, HTTPS, and possibly DNS. This results in the Security Group’s load becoming heavily unbalanced between the SGMs.

      • The Security Group is NATting a very high percentage of traffic passing through it which is typical of a perimeter gateway, but not for a gateway inside the internal network or located in a Data Center.

Thanks!

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
8 Replies
RickLin
Advisor

Interesting topic. I also would like to know what the recommended setting is (enable or disable), and whether R&D will try to change the mechanism in the roadmap?

Lari_Luoma
Ambassador

Hi Tim,

The current recommendation is to keep L4 distribution disabled unless there is a specific reason to enable it. The first scenario you mentioned is usually the case when you should consider enabling it. In a network with a diverse IP-address space, L4 distribution doesn't give much benefit anyway.

In the second scenario the question is about the distribution mode. In a perimeter environment you should use auto-topology (default), and on an internal gateway, general mode.

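To make the first scenario in the question and Lari's point about diverse address space concrete, here is an added Python model (not Check Point code, and not Maestro's real distribution hash) that assigns flows to SGMs by hashing either the L3 fields only or the L3+L4 fields, then measures how unbalanced the SGMs end up. The SGM count, IP ranges and the SHA-256 bucket hash are assumptions made for illustration.

```python
import hashlib
import random
from collections import Counter


def sgm_index(fields, num_sgms):
    """Map a flow to an SGM by hashing the selected header fields.
    Hypothetical stand-in for the appliance's distribution hash."""
    key = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % num_sgms


def distribute(flows, num_sgms, use_l4):
    """Return per-SGM flow counts under L3-only or L3+L4 distribution."""
    counts = Counter()
    for src_ip, dst_ip, src_port, dst_port in flows:
        fields = (src_ip, dst_ip, src_port, dst_port) if use_l4 else (src_ip, dst_ip)
        counts[sgm_index(fields, num_sgms)] += 1
    return [counts[i] for i in range(num_sgms)]


def imbalance(counts):
    """Ratio of the busiest SGM's load to the ideal even share (1.0 = perfect)."""
    ideal = sum(counts) / len(counts)
    return max(counts) / ideal


def make_flows(n, num_src_ips, num_dst_ips, seed=1):
    """Constructed sample traffic: HTTPS flows with random ephemeral source ports."""
    rng = random.Random(seed)
    srcs = [f"10.0.0.{i}" for i in range(1, num_src_ips + 1)]
    dsts = [f"203.0.113.{i}" for i in range(1, num_dst_ips + 1)]
    return [(rng.choice(srcs), rng.choice(dsts), rng.randint(1024, 65535), 443)
            for _ in range(n)]


if __name__ == "__main__":
    sgms = 4
    # Scenario 1 from the question: two source IPs, one destination, many ports.
    few_ips = make_flows(10000, 2, 1)
    # Diverse address space: L3 alone already spreads the load.
    diverse = make_flows(10000, 250, 250)
    for name, flows in (("few IPs", few_ips), ("diverse IPs", diverse)):
        for use_l4 in (False, True):
            c = distribute(flows, sgms, use_l4)
            print(f"{name:12s} L4={use_l4!s:5s} per-SGM={c} imbalance={imbalance(c):.2f}")
```

With only two (src, dst) pairs, L3-only hashing can use at most two of the four SGMs, so at least half the capacity sits idle; adding ports spreads the same flows evenly, while for diverse addresses both modes are already close to balanced.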
Timothy_Hall
Legend

That's what I thought, thanks. Just seems a little odd that L4 is enabled by default but the recommendation is to disable it.

Lari_Luoma
Ambassador

I agree, seems odd to me too. 🙂

the_rock
Legend

I think what @Lari_Luoma said makes perfect sense. If you think about it logically, really, even in a complex environment, there is probably no need to enable this unless really necessary.

JaAnd
Participant

Maybe in a dual site active-active configuration (not multi room, nor dual site active-backup) which was promised to us about 4 years ago, when Maestro was implemented, it could be beneficial to use L4.

In our case, as far as I understand, it would, as we could preferably process traffic on a source network basis - we use different networks for the end users' access layer in two separate, but very well interconnected DCs.

Nevertheless, it's still not officially supported, but it was promised to us on stage (!) at last year's CPX 😞

alexgnunez2
Participant

You're absolutely right—this is something that has been promised for quite some time, and it’s understandable that there’s anticipation for a dual site active-active configuration with Maestro. As you mentioned, using L4 in such a setup could indeed be beneficial, especially for processing traffic based on source networks in environments with well-interconnected data centers. This approach could optimize traffic distribution and improve redundancy, which is critical for high-availability architectures.

That said, I trust that Check Point is taking the time to ensure this feature is truly robust and functional before releasing it to the public. Implementing an active-active dual site configuration is inherently complex, and it’s crucial to avoid potential pitfalls that could arise in production environments. Rushing such a feature could lead to instability or unexpected issues, which would be far more detrimental in the long run.

From what I understand, Check Point has been working diligently on this, and while it’s not officially supported yet, it’s possible we might see progress or even a release next year. The complexity of synchronizing state tables, ensuring seamless failover, and maintaining performance across two active sites requires thorough testing and validation.

In the meantime, it’s worth keeping an eye on updates from Check Point, as they’ve been gradually improving Maestro’s capabilities. Hopefully, the wait will result in a solution that meets the high expectations of the community and delivers the reliability we need for such critical deployments.

the_rock
Legend

Yeah, sounds like in the case you described, it would be beneficial.

Andy
