Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ihenock1011
Advisor
Jump to solution

MHO cluster

Hi Team,

We currently have three Check Point Maestro MHO-140 appliances. Two are deployed in an active-active cluster at our main data center for redundancy, while the third serves as a spare.

We'd like to explore the possibility of utilizing the spare MHO appliance at our Disaster Recovery (DR) site. Since all three appliances are the same model, we'd like to confirm if it's feasible to:

  1. Deploy one MHO at the DR site: Can we establish a cluster between the active MHOs in the main data center and the MHO deployed at the DR site?
  2. Cluster configuration: Is it possible to configure this cluster in either active-active or active-standby mode for optimal redundancy at both locations?

Please advise on the supportability and recommended configuration for this scenario.

Thanks,

0 Kudos
2 Solutions

Accepted Solutions
emmap
Employee
Employee

MHOs are not clustered like gateways are. They provide a form of active/active high availability when architected appropriately (all uplinks bonded across both MHOs) but they are functionally independent devices who sync a bit of configuration, and pass packets down to the SGMs / out to the network switches as they come in and out. 

When looking to set up a Dual-Site architecture, you need the same amount of MHOs on both sites. So you'd have to add a fourth MHO to your setup if you wanted to move to this. You would then also have to move/add SGMs to that site before you can use that second site. A dual-site Security Group should have the same amount of SGMs on both sites in order to achieve HA, as they form an Active/Standby setup across the two sites. All SGMs in site 1 are active and all SGMs in site 2 are standby, until a failover event occurs. 

View solution in original post

Dario_Perez
Employee Employee
Employee

MHO have to be mirrored on both sites, if you are planning to have dual site, the site two must have the same set up on MHO as primary have, if you have 2 MHO on site 1 you need 2 on site 2, you can't have 2 on site 1 and 1 on site 2. that is not supported. 

View solution in original post

4 Replies
emmap
Employee
Employee

MHOs are not clustered like gateways are. They provide a form of active/active high availability when architected appropriately (all uplinks bonded across both MHOs) but they are functionally independent devices who sync a bit of configuration, and pass packets down to the SGMs / out to the network switches as they come in and out. 

When looking to set up a Dual-Site architecture, you need the same amount of MHOs on both sites. So you'd have to add a fourth MHO to your setup if you wanted to move to this. You would then also have to move/add SGMs to that site before you can use that second site. A dual-site Security Group should have the same amount of SGMs on both sites in order to achieve HA, as they form an Active/Standby setup across the two sites. All SGMs in site 1 are active and all SGMs in site 2 are standby, until a failover event occurs. 

Dario_Perez
Employee Employee
Employee

MHO have to be mirrored on both sites, if you are planning to have dual site, the site two must have the same set up on MHO as primary have, if you have 2 MHO on site 1 you need 2 on site 2, you can't have 2 on site 1 and 1 on site 2. that is not supported. 

Ihenock1011
Advisor

@emmap @Dario_Perez Does the SGMs must be the same model for example if we have 7K series in site 1 SG-01 and in site 2 the same model must be used ?

0 Kudos
emmap
Employee
Employee

It is recommended that the same models are used so that you have the same capabilities on both sides and full HA. but mix&match rules apply if you want to use different models.